Re: firewall package for laptop wi-fi client
On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
Camaleón <noelamac@gmail.com> wrote:
> On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:
>
> > On Fri, 7 Jan 2011 19:51:59 +0000 (UTC) Camaleón wrote:
> >
> >> Open wifi hot-spots (or open networks) are dangerous because all your
> >> "neighbors" can represent a potential security risk (they have
> >> "physical" access to your machine), meaning that you should enforce
> >> your computer firewall rules to treat all of the LAN computers as
> >> "untrusted" hosts which BTW is not the normal behavior of a firewall
> >> (in a LAN environment, internal hosts are the "good" guys and rules are
> >> relaxed for the whole LAN machines).
> >>
> >> For that precise purpose there are firewall "profiles", to harden
> >> policies when going through open networks (aka: close all ports, do not
> >> allow traffic from any machine to my host and monitor all the traffic
> >> going in/out... alias: heads-up!).
> >
> > From your last paragraph, it sounds like you're talking about a
> > 'personal' firewall - i.e., one running on your laptop.
>
> Yes.
>
> > But if so, it can actually get pretty tricky to distinguish between
> > traffic from the LAN and from the big, bad WWW, since your gateway
> > router is probably doing NAT on incoming traffic. IOW, how do you tell
> > the firewall "accept ssh connections from the LAN but not from the
> > 'net", when the 'net connections have been NATed to look like they're
> > originating from the LAN?
>
> In this scenario, the "LAN" and the "WAN" are at the same "hostile" level
> and so both should be treated. Why should you accept incoming ssh
> traffic from the "hostile lan/wan"? I shouldn't... unless:
Exactly my point - that personal firewall 'profiles' are less useful
than they might appear at first blush, since you pretty much need to
treat all traffic, even 'local' traffic, as dangerous when behind a NAT
router.
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
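The "hostile network" profile described in the quoted text (close all ports, accept nothing from any machine, log what arrives) is easy to express as a host firewall ruleset. The following nftables ruleset is an added illustration and is not Camaleón's or Celejar's configuration; the table name, log prefix, and the LAN prefix in the commented-out "home profile" line are assumptions. It treats every peer on the link, whether it looks like a LAN address or not, exactly like the Internet, which is the point both posters arrive at.

```nft
#!/usr/sbin/nft -f
# "hotspot" profile: every host reachable on the link is untrusted.
# Example ruleset written for this thread, not taken from it.
# An inet table applies the same rules to IPv4 and IPv6.
flush ruleset

table inet hotspot {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections this laptop opened itself
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # DHCP replies are not always tracked as "established" (clients use
        # raw sockets), so allow them explicitly or the lease will not renew
        udp sport 67 udp dport 68 accept

        # IPv6 neighbour discovery and router advertisements, needed to stay
        # on the link at all
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # A relaxed "home" profile would add a line like the one below to let
        # LAN hosts reach ssh; on an open network it stays commented out
        # (192.168.1.0/24 is an assumed home prefix)
        # ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Everything else: rate-limited log entry, then the chain's drop policy
        limit rate 5/minute burst 10 packets log prefix "hotspot-input-drop: "
    }

    chain forward {
        # A laptop is not a router; never forward between interfaces
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loading this with `nft -f` replaces the whole ruleset, so switching between a "home" and a "hotspot" profile is a matter of keeping one file per profile and loading the right one when the interface comes up. The `log` statement is the "monitor all the traffic going in" part of the quoted advice: dropped probes show up in the kernel log under the given prefix, and the rate limit keeps a noisy neighbour from flooding it.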