Re: firewall package for laptop wi-fi client
On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:
> On Fri, 7 Jan 2011 19:51:59 +0000 (UTC) Camaleón wrote:
>> Open wifi hot-spots (or open networks) are dangerous because all your
>> "neighbors" can represent a potential security risk (they have
>> "physical" access to your machine), meaning that you should enforce
>> your computer firewall rules to treat all of the LAN computers as
>> "untrusted" hosts which BTW is not the normal behavior of a firewall
>> (in a LAN environment, internal hosts are the "good" guys and rules are
>> relaxed for the whole LAN machines).
>> For that precisely purpose there are firewall "profiles", to harden
>> policies when going through open networks (aka: close all ports, do not
>> allow traffic from any machine to my host and monitor all the traffic
>> going in/out... alias: heads-up!).
> From your last paragraph, it sounds like you're talking about a
> 'personal' firewall - i.e., one running on your laptop.
> But if so, it can actually get pretty tricky to distinguish between
> traffic from the LAN and from the big, bad WWW, since your gateway
> router is probably doing NAT on incoming traffic. IOW, how do you tell
> the firewall "accept ssh connections from the LAN but not from the
> 'net", when the 'net connections have been NATed to look like they're
> originating from the LAN?
In this scenario, the "LAN" and the "WAN" are at the same "hostile" level
and so both should be treated. Why should you accept incomming ssh
traffic from the "hostile lan/wan"? I shouldn't... unless:
a) The request comes from a known host that I have previoulsy configured
and setup to be able to access my machine (i.e., by means of VPN or ssh
tunnel from my remote computer).
b) I am expecting the incoming traffic.
It's the same attitude I have when someone sends me a "I want to be your
friend" invitation by e-mail... unless:
a) I know beforehand the person who sends the invitation
b) I was put on alert about that person is going to send me an invitation
My "human common sense firewall" says: "reject" :-)