Consumer Grade - IPV6 Enabled Router Firewalls.

Chris Adams cmadams at hiwaay.net
Mon Dec 14 19:11:53 UTC 2009


Once upon a time, Owen DeLong <owen at delong.com> said:
> I would argue that a firewall that can be reconfigured by any applet a  
> user
> clicks on (whether they know it or not) is actually less useful than no
> firewall because it creates the illusion in the users mind that there  
> is a
> firewall protecting them.

Well, "any applet a user clicks on" should not have permission to talk
to random devices on the network (for example, Java applets can't do
that), so I don't think it quite as bad as you make it out to be.  I
also don't really find the "computer is already compromised" case all
that interesting, as at that point, all bets are off (since with C&C
servers, compromised computers are already accessible to the outside
world without UPnP).

A firewall protects against unwanted inbound connections to things like
file/print sharing, DNS proxies, etc.  You also don't get port scans and
such (even with a few open ports, the majority being "drop" slows down
scanners significantly).  You can also configure it to prevent certain
outbound connections (e.g. connecting to random mail servers from
desktop PCs).  I would hope that you can configure firewall rules to
override UPnP requests.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.




More information about the NANOG mailing list