56k dial up on laptop 802.11G ?

I'm tired of talking to you, as you don't know what you're talking about.

Duane :)

Reply to
Duane Arnold

I am tired of talking to you as you seem to run your mouth.

Duane :)

Reply to
Duane Arnold

I'm not sure how SPI got into the discussion. We were discussing whether an "NAT firewall" is considered a "real" firewall. I contend that NAT is a real firewall because it functions to protect the LAN side from attack from the WAN. Again, I don't care how this function is performed, including a dog sniffing packets and barking when it finds an attack. I contend that anything that protects the LAN is a firewall. I respect your right to disagree.

However, now you've expanded the discussion to SPI which is a complex service sitting on top of a packet filter. The packet filter simply looks at the header and makes decisions based on a comparatively simple rule set. SPI allows the rule set to be expanded to the contents, traffic patterns, other ports, and general pattern matching. This is useful for detecting attacks like port scans, corrupted packets, SYN floods, etc.

I think part of the problem is that many cheapo routers demand that NAT be used. They literally cannot route or do anything useful without NAT being enabled. In the default configuration, the WRT54 uses NAT which cannot be turned off. I think I can hack the IPtables and IPmasq settings to turn off NAT, but it appears difficult (but not impossible).


I read this to say that the WRT54G is a "real" firewall.

So far, we agree.

It most certainly does. NAT is a feature that translates WAN IP addresses to LAN IP Port Numbers. Officially, Cisco calls this PAT or Port Address Translation but everyone else calls it NAT. The "traffic" rule is something like "reject anything from outside that doesn't have a corresponding session originating from inside". That certainly controls traffic in my opinion. It's admittedly a rather coarse rule.

Summary: In my opinion, ANYTHING that protects access to an inside LAN from an outside WAN is a firewall. I don't care how said protection is accomplished.

Reply to
Jeff Liebermann
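The "traffic rule" and the WAN-port-to-LAN-host translation Jeff describes, as an added toy model (not code from this thread, nor from any Linksys or Watchguard firmware): a header-only packet filter beside a port-address-translating router, run over constructed sample addresses, to show why an unsolicited WAN packet has nowhere to go unless a session was opened from inside.

```python
# Added example: toy model of a stateless port filter vs. NAT/PAT with session memory.
# Addresses and ports below are constructed sample values, not from the thread.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatelessFilter:
    """Header-only packet filter: decides on destination port alone, keeps no session memory."""
    def __init__(self, lan_net, allowed_dports):
        self.lan_net, self.allowed = lan_net, set(allowed_dports)
    def forward(self, pkt):
        if pkt.src.startswith(self.lan_net):          # LAN -> WAN: always let it out
            return pkt
        return pkt if pkt.dport in self.allowed else None   # WAN -> LAN: port check only

class PatRouter:
    """NAT/PAT as Jeff describes it: each outbound session gets a port on the WAN address;
    inbound traffic is delivered only where such a mapping already exists."""
    def __init__(self, lan_net, wan_ip, first_port=1024):
        self.lan_net, self.wan_ip, self.next_port = lan_net, wan_ip, first_port
        self.table = {}   # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    def forward(self, pkt):
        if pkt.src.startswith(self.lan_net):          # outbound: reuse or create a mapping
            for (proto, wan_port), entry in self.table.items():
                if proto == pkt.proto and entry == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                    return replace(pkt, src=self.wan_ip, sport=wan_port)
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return replace(pkt, src=self.wan_ip, sport=wan_port)
        entry = self.table.get((pkt.proto, pkt.dport))   # inbound: must match a session
        if pkt.dst != self.wan_ip or entry is None:
            return None                               # no mapping: nowhere to deliver it
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                               # right port, wrong peer
        return replace(pkt, dst=lan_ip, dport=lan_port)

def demo():
    """Returns (stateless_passes_unsolicited, nat_passes_unsolicited, nat_delivers_reply)."""
    lan_client = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    stateless = StatelessFilter("192.168.1.", allowed_dports={80})
    nat = PatRouter("192.168.1.", "198.51.100.2")
    out = nat.forward(lan_client)                     # LAN host opens a web session
    reply = Packet("tcp", "203.0.113.5", 80, out.src, out.sport)
    delivered = nat.forward(reply)                    # server's reply comes back in
    unsolicited = Packet("tcp", "203.0.113.9", 5555, "198.51.100.2", 80)
    unsolicited_lan = Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 80)
    return (stateless.forward(unsolicited_lan) is not None,
            nat.forward(unsolicited) is not None,
            delivered is not None and delivered.dst == "192.168.1.10")
```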

The simplest form of a FW is a router that separates two networks: the network it's protecting from, usually the Internet, and the network it's protecting, the LAN.

I know all about SPI.

You do what you want. I myself would just leave it alone. :)

It has the means to stop outbound traffic and fits the definition of a network FW. How many times do I have to say it?

That's your interpretation of it. My view is different and I'll leave it at that.

I am a programmer and they are programs, so I care about what program is doing what -- the roles, why and how it's being accomplished.

That's the nature of a programmer looking at programs and I have been doing that since 1980. They are just programs and nothing else.

Duane :)

Reply to
Duane Arnold

One other thing, I enjoy the conversation.

The other POS ass wipe poster is another story so please do not mention that bastard's name to me again.

Duane :)

Reply to
Duane Arnold

Jeff Liebermann wrote: [Another cogent discussion of the issues]

I'm with Jeff, a NAT firewall protects LAN computers from direct attack from the Internet, and counts as a firewall. Sure, there are better, more configurable, more complicated firewalls, but NAT is a perfectly fine response to most folk's need for a firewall.

Reply to
William P. N. Smith

Apparently *you* just now looked it up...

On the other hand I've been dealing with the difference, which you don't even seem to be aware of, between the OSI Layered Model and the reality of TCP/IP since the OSI Layered Model first appeared.

That is correct. Note that the Linux kernel provides the same functionality. The difference is merely whether it is done in user space or kernel space. That would indeed be of significance *if* this was a firewall on the same platform that is actually running the application (e.g., a ftp server or httpd server); but we are talking about a separate unit that has only Ethernet connectivity to the hardware which runs the servers. Hence it makes no difference whether it is done in user space or in kernel space; other than which name is then attached to it.

SPI doesn't, but of course if it is combined with a proxy server, the functionality is exactly the same.

The fact that it provides NAT firewall functionality does not prevent it from also providing SPI firewall functionality (which you originally claimed and have now finally admitted does happen).

The fact that it provides SPI firewall functionality does not prevent it from also providing the same functionality as an Application Gateway firewall too (proxies and applications specific rules).

And in fact there are several genuine "Application Gateway Firewall" products that do run under Linux. You might consider why it is that none of them have been ported to the WRT54G! (The answer is because it would add nothing to the existing functionality.)


You are still making false statements though.

At this point you have finally admitted that it is a "network" firewall... But you were just claiming that it did not provide the same services as a "Firewall Appliance", which you then defined with a description which fit the WRT54G quite well.

Which is to say you haven't got any idea what the WRT54G does or does not do.

And despite the differences being pointed out many times, you still insist on making false comparisons, using generic definitions that don't necessarily apply to any given specific piece of equipment, much less to the one we are discussing.

Of course if you need a router behind that FW appliance, that just rings the bell labeled "stupid".

And it doesn't get any better if you don't need a "router" but end up paying twice the price for something that isn't any better.

Who cares what you "consider" it to be? You don't know what it is and have admitted it.

Of course many of us are using them with the wireless turned off. Moreover, with something like DD-WRT firmware it is easy to reconfigure the vlan/bridge and isolate the wireless through the firewall.

What you are still missing is that it is *far* more versatile than you have imagined.

I could care less whether anyone has or not "classified" it as this or that. The point is that we *know* that it has the functionality that *you* used to define "a FW appliance".

Reply to
Floyd L. Davidson

That is all true.

Here is what Duane originally wrote:

> No Linksys router has a FW. The NAT router has SPI maybe and some other FW like features. And it can be used as part of a total FW solution as a border device. But it's not an appliance that is running FW software, even if it is running SPI.

My response was:

The Linksys WRT54G series of wireless routers all have firewall software.

He still wants to argue it... even though I've demonstrated that every bit of functionality that he claims is required for his "FW appliance" is in fact available from a WRT54G.

Reply to
Floyd L. Davidson

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

So I gather that you looked that up somewhere.

The FW appliance has it. So my wording of it is wrong of what the OSI title is and that is off. The FW appliance uses an Application gateway/proxy FW and operates at the Application Level of the OSI model.

SPI provides Application level protocol awareness. SPI doesn't break the client/server model like the Application/proxy gateway FW. And neither does the packet filtering FW, from what I understand.

At this point I am not saying that the 54g doesn't fit the definition of a network FW. My view of the 54G router was based on the other Linksys products that cannot do what the 54G is apparently doing from the ones I have seen to date. If I am going to choose between the two, I am going with a FW appliance every time and not a router, which I consider the 54g to be a packet filtering FW router. If I go with something like a 54g, then it's going to sit outside the trusted zone of a FW appliance and VPN into the FW appliance, simply because it's wireless.

Show me some documentation verifying that 54g router has been classified to be a FW appliance and not a packet filtering NAT FW router.

Duane :)

Reply to
Duane Arnold

That is probably all true. But the point is that your false statements have been countered with facts.

I can't educate you about either what a FW appliance is or how that compares to any of the common Linux based router/firewalls. But we *can* leave an archived thread that will prevent others from trusting anything you say about it.

Reply to
Floyd L. Davidson

:-)

Reply to
Floyd L. Davidson

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

The only thing you have proven to me is that the 54G is a packet filtering FW NAT router and nothing else, which I didn't consider it was before. That's all you have done here and nothing else. You're not going to convince me otherwise that it is outclassing a FW appliance.

You can talk about the 54g until the *cows* come home, it's not going to happen.

Duane

Reply to
Duane Arnold

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

Linux has not put one dime in my pockets and most likely it never will. Linux is just another O/S out of several I have used over the years. You think Linux is all that, then think it. ;-)

Duane

Reply to
Duane Arnold

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

I am beginning to think that you're some kind of a nut. You can take the f****ng 54g, Linux, the kernel, Iptables, NAT, SPI, proxies and whatever else you deem necessary and stick it all right up your ass. ;-)

Duane

Reply to
Duane Arnold

Yeah the same place you did.

And apparently that's all you have been doing over the years too. Maybe you should work on something else for a change of pace; that gets boring, doesn't it?

The operative word is proxy server.

Oh, so now SPI is an Application Gateway FW -- OK.

And you seem to be right there with me.

It's a packet filtering FW router that's become a FW appliance according to you that's running wonderful Linux. I think you explained it nicely.

Ok Mr. Firewall man you're the man.

The router would be in front of the FW appliance and if it was behind the FW it would just be a switch for my needs.

I thought it was a *router*.

Big deal

Should I tell you how versatile it can be for you and where you can put it?

I call it a packet filtering FW router but you can twist it any way you want.

Duane

Reply to
Duane Arnold

Since you keep saying that and you have also several times referenced an unspecified Watchguard "FW Appliance", please tell us just how they differ!

Below is a side by side comparison of specifications. However, I would welcome your corrections to the Watchguard specs, as this reflects the best that I can find on the Internet, which is from a review on TomsNetworking site that was last updated in November 2003. The specs for the WRT54G are taken several places, including the admin web access for a WRT54G V2.0 running Sveasoft Alchemy 1.0 Firmware.

It doesn't appear the Watchguard holds much of a candle to the Linksys... primarily because the Watchguard is limited in so many ways: 10 DHCP "users", no triggered port mapping or loopback, and limited content blocking. There are several other deficiencies that I suspect have probably been upgraded or at least improved on in the time since this data was accurate:

802.11g, UPnP, HTTPS for remote access, dynamic routing, more flexible DHCP, frame filtering at the Ethernet level as well as packet filtering at the IP level, port triggered mapping and loopback, improved content filtering, QoS, lower level access such as Telnet or SSH, WPA and 802.1x, and VLAN/Bridge configuration.

Otherwise, it would also appear the price is ten times too high.

Regardless, the idea that one is more or less of a "FW Appliance" is *clearly* ridiculous.

Feature                    Linksys WRT54G                Watchguard Firebox SOHO 6tc Wireless
                           (Wireless Router/Firewall)    ("FW Appliance")

Price                      $50                           $510

WAN interface              1                             1
LAN interface              4                             4
Speed                      10/100                        10/100
Switched                   yes                           yes
Wireless                   802.11b/g                     802.11b

Max DHCP clients           253                           10
DHCP disable?              yes                           yes
  notes                    can disable, set address,     can disable, set address
                           set number, and set lease
                           time

UPnP                       yes                           no
Remote access              HTTP/HTTPS                    no
Static routing             yes                           yes
Dynamic routing            yes                           no

WAN-LAN throughput         19.7 Mbps                     3.1 Mbps
UDP stream rate            498 Kbps                      499 Kbps
LAN-WAN throughput         21.7 Mbps                     7.4 Mbps

Firewall                   NAT+SPI                       NAT+SPI
DMZ                        yes                           yes
Multi NAT                  no                            no
Port filtering             yes                           yes
  notes                    10 time schedules for 6 IPs,  Deny/allow predefined services
                           2 IP ranges, and 8 MAC        for all LAN clients. Can define
                           addresses, plus 5             custom services with
                           non-scheduled port ranges     port/protocol and from/to ports.
                           that apply to all LAN IP
                           addresses.

Single port forwarding     yes                           yes
Port range forwarding      yes                           yes
Triggered port mapping     yes                           no
  notes                    10 port ranges with tcp,
                           udp, or both protocol
                           selection
Loopback                   yes                           ??

Content controls           yes                           can block HTTP access to a
  Block services           yes                           list of IP addresses
  Block ports              range
  Block URLs               4
  Block keyword            6
  Block protocols          icmp, udp, tcp, tcp&udp, L7
  Block services           Aim, Applejuice, Bearshare,
                           Biff, BitTorrent, Citrix,
                           Counterstrike, Cvs, eDonkey,
                           DHCP, DirectConnect

QoS                        yes                           ??
  Port                     WAN or LAN; can limit
                           bandwidth uplink and
                           downlink separately
  Services                 priority for same list as
                           blocked services
  Netmask                  yes
  MAC address              yes
  LAN ports                priority and max rate

Syslog                     yes                           yes
SNMP                       yes                           no
Telnet                     yes                           ??
SSH                        yes                           ??
AP watchdog                yes                           ??

DNS masq                   yes                           ??
WEP 128 bit                yes                           yes
WPA                        yes                           no
802.1x auth                yes                           no

Anti Virus                 no                            yes

Real Time Clock            yes                           yes
NTP auto set               yes                           ??

Disable NAT                yes                           ??
Set MTU                    yes                           ??
Dynamic DNS                yes                           yes

VLAN/bridge config         yes                           ??
  notes                    up to 15 VLANs assigned to
                           any of the 5 ethernet ports

VPN Client
  PPTP pass-thru           5 each                        no limit
  IPsec pass-thru          1 each                        no limit

VPN Server
  PPTP pass-thru           1                             1
  IPsec pass-thru          1                             1

VPN other
  Endpoint                 no                            yes
  Co-processor             no                            yes

Authentication
  PPPoE                    yes                           yes
  Set host name            yes                           no
  Set domain name          yes                           no
  Set MAC address          yes                           yes

Reply to
Floyd L. Davidson

And don't think that I didn't mean every word and don't forget the antennas.

And it's still not a FW appliance.

Duane

Reply to
Duane Arnold

Why are you trying to distort what he said to mean something he *didn't* say? He did not mention *any* specific device.

He said that if it can't sort out non-HTTP traffic to port 80 it isn't sufficient for him. *Neither* the Watchguard Firefox 6tc FW appliance or the WRT54G do what he wants.

Of course, what he wants does *not* define what a firewall is, except to him, but that's okay too. Regardless of that, your "Top Gun" is clearly not... *nobody* else defines what is or is not a firewall or even a "FW appliance" that way.

The idea that one is more or less of a "FW Appliance" is *clearly* ridiculous, and here again are the specifications to prove it. Plus, since originally posting I have found a "User Guide" from Watchguard that confirms most of the deficiencies noted previously. It doesn't give exact specifications, so I'm not positive about all of the ones I expected to have been upgraded, but it appears that *none* of them have changed since it was originally introduced. It still looks like just a very overpriced piece of equipment.

Feature                    Linksys WRT54G                Watchguard Firebox SOHO 6tc Wireless
                           (Wireless Router/Firewall)    ("FW Appliance")

Price                      $50                           $510

WAN interface              1                             1
LAN interface              4                             4
Speed                      10/100                        10/100
Switched                   yes                           yes
Wireless                   802.11b/g                     802.11b

Max DHCP clients           253                           10
DHCP disable?              yes                           yes
  notes                    can disable, set address,     can disable, set address
                           set number, and set lease
                           time

UPnP                       yes                           no
Remote access              HTTP/HTTPS                    no
Static routing             yes                           yes
Dynamic routing            yes                           no

WAN-LAN throughput         19.7 Mbps                     3.1 Mbps
UDP stream rate            498 Kbps                      499 Kbps
LAN-WAN throughput         21.7 Mbps                     7.4 Mbps

Firewall                   NAT+SPI                       NAT+SPI
DMZ                        yes                           yes
Multi NAT                  no                            no
Port filtering             yes                           yes
  notes                    10 time schedules for 6 IPs,  Deny/allow predefined services
                           2 IP ranges, and 8 MAC        for all LAN clients. Can define
                           addresses, plus 5             custom services with
                           non-scheduled port ranges     port/protocol and from/to ports.
                           that apply to all LAN IP
                           addresses.

Single port forwarding     yes                           yes
Port range forwarding      yes                           yes
Triggered port mapping     yes                           no
  notes                    10 port ranges with tcp,
                           udp, or both protocol
                           selection
Loopback                   yes                           ??

Content controls           yes                           can block HTTP access to a
  Block services           yes                           list of IP addresses
  Block ports              range
  Block URLs               4
  Block keyword            6
  Block protocols          icmp, udp, tcp, tcp&udp, L7
  Block services           Aim, Applejuice, Bearshare,
                           Biff, BitTorrent, Citrix,
                           Counterstrike, Cvs, eDonkey,
                           DHCP, DirectConnect

QoS                        yes                           ??
  Port                     WAN or LAN; can limit
                           bandwidth uplink and
                           downlink separately
  Services                 priority for same list as
                           blocked services
  Netmask                  yes
  MAC address              yes
  LAN ports                priority and max rate

Syslog                     yes                           yes
SNMP                       yes                           no
Telnet                     yes                           ??
SSH                        yes                           ??
AP watchdog                yes                           ??

DNS masq                   yes                           ??
WEP 128 bit                yes                           yes
WPA                        yes                           no
802.1x auth                yes                           no

Anti Virus                 no                            yes

Real Time Clock            yes                           yes
NTP auto set               yes                           ??

Disable NAT                yes                           ??
Set MTU                    yes                           ??
Dynamic DNS                yes                           yes

VLAN/bridge config         yes                           ??
  notes                    up to 15 VLANs assigned to
                           any of the 5 ethernet ports

VPN Client
  PPTP pass-thru           5 each                        no limit
  IPsec pass-thru          1 each                        no limit

VPN Server
  PPTP pass-thru           1                             1
  IPsec pass-thru          1                             1

VPN other
  Endpoint                 no                            yes
  Co-processor             no                            yes

Authentication
  PPPoE                    yes                           yes
  Set host name            yes                           no
  Set domain name          yes                           no
  Set MAC address          yes                           yes

Reply to
Floyd L. Davidson

I just downloaded the "WatchGuard Firebox SOHO 6 Wireless User Guide" for firmware version 6.3. It says nothing about WPA, 802.1x, or 802.11g.

It also says nothing at all about filtering packet content on port 80, which some people seem to think is important. :-) It does have a fairly versatile database program to block selected URLs accessing port 80, presumably based on content known to exist at specific sites.

Two other problems that I would find "enough reason" are that it has no shell access for command line advanced configuration beyond what is available via the web server; and it does not allow reconfiguring the VLAN and Ethernet Bridge.

It does apparently do dynamic routing though, which I listed as "no" in the specs.

Can you imagine paying $500 for that!??

Reply to
Floyd L. Davidson

Perhaps Watchguard sells a FW appliance which does do that, and I'm happy for you if Microsoft marketing hype is important to you. However, you said the WRT54G wasn't a "FW appliance"... yet the Watchguard 6tc does *less* than the WRT54G, and they market it as a "FW appliance".

Now, if you are saying you have a top of the line Watchguard FW Appliance that does verify HTTP traffic, that's great if it is worth the cost. But the User Guide and everything else I've been able to learn about the Watchguard 6tc FW Appliance says that it *won't* do that.

I take that to mean verification of HTTP traffic is *not* what defines either a FW or specifically a "FW Appliance" in the minds of Watchguard, not to mention Cisco and apparently just about everyone except you and Bill Gates' Marketing Department.

Can't blame you for wanting to get out!

Reply to
Floyd L. Davidson
