Consumer Grade - IPV6 Enabled Router Firewalls.
cmadams at hiwaay.net
Mon Dec 14 13:11:53 CST 2009
Once upon a time, Owen DeLong <owen at delong.com> said:
> I would argue that a firewall that can be reconfigured by any applet a
> clicks on (whether they know it or not) is actually less useful than no
> firewall because it creates the illusion in the users mind that there
> is a
> firewall protecting them.
Well, "any applet a user clicks on" should not have permission to talk
to random devices on the network (for example, Java applets can't do
that), so I don't think it quite as bad as you make it out to be. I
also don't really find the "computer is already compromised" case all
that interesting, as at that point, all bets are off (since with C&C
servers, compromised computers are already accessible to the outside
world without UPnP).
A firewall protects against unwanted inbound connections to things like
file/print sharing, DNS proxies, etc. You also don't get port scans and
such (even with a few open ports, the majority being "drop" slows down
scanners significantly). You can also configure it to prevent certain
outbound connections (e.g. connecting to random mail servers from
desktop PCs). I would hope that you can configure firewall rules to
override UPnP requests.
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the NANOG