[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: firewall package for laptop wi-fi client

On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
Camaleón <noelamac@gmail.com> wrote:

> On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:
> 
> > On Fri, 7 Jan 2011 19:51:59 +0000 (UTC) Camaleón wrote:
> > 
> >> Open wifi hot-spots (or open networks) are dangerous because all your
> >> "neighbors" can represent a potential security risk (they have
> >> "physical" access to your machine), meaning that you should enforce
> >> your computer firewall rules to treat all of the LAN computers as
> >> "untrusted" hosts which BTW is not the normal behavior of a firewall
> >> (in a LAN environment, internal hosts are the "good" guys and rules are
> >> relaxed for the whole LAN machines).
> >> 
> >> For that precisely purpose there are firewall "profiles", to harden
> >> policies when going through open networks (aka: close all ports, do not
> >> allow traffic from any machine to my host and monitor all the traffic
> >> going in/out... alias: heads-up!).
> > 
> > From your last paragraph, it sounds like you're talking about a
> > 'personal' firewall - i.e., one running on your laptop.  
> 
> Yes.
> 
> > But if so, it can actually get pretty tricky to distinguish between
> > traffic from the LAN and from the big, bad WWW, since your gateway
> > router is probably doing NAT on incoming traffic.  IOW, how do you tell
> > the firewall "accept ssh connections from the LAN but not from the
> > 'net", when the 'net connections have been NATed to look like they're
> > originating from the LAN?
> 
> In this scenario, the "LAN" and the "WAN" are at the same "hostile" level 
> and so both should be treated. Why should you accept incomming ssh 
> traffic from the "hostile lan/wan"? I shouldn't... unless:

Exactly my point - that personal firewall 'profiles' are less useful
than they might appear at first blush, since you pretty much need to
treat all traffic, even 'local' traffic, as dangerous when behind a NAT
router.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Reply to: