Re: Hardware router/firewall [Linksys BEFSX41 v2]
Posted by Duane Arnold on March 24th, 2005



All you have there is a NAT router and it DOESN'T have a FW. At best, it
may have FW-like features and SPI.

D-Link, Netgear, Belkin, Linksys etc etc are *good enough for inbound
protection* but they do NOT have a FW in the true sense. And some people
complement the NAT router with a PFW solution with the glorified
Application Control in PFW solutions to stop outbound for what it's worth
and some PFW(s) have the ability to stop outbound by port or IP at the very
least.

http://www.homenethelp.com/web/explain/about-NAT.asp.

If the NAT router was a FW appliance, then it would meet the specs in the
link for *What does a FW do?*.

http://www.vicomsoft.com/knowledge/r...irewalls1.html

WatchGuard, Cisco, Sonicwall, Snapgear, etc etc are appliances that have a
FW and are FW appliances and they can stop both inbound and outbound
traffic by port, protocol or IP.

Some people supplement the NAT router or a PFW solution with IPSec. IPsec
can stop inbound or outbound by port, protocol or IP.

http://www.petri.co.il/block_ping_tr...with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

Duane

Posted by kurt wismer on March 25th, 2005


Duane Arnold wrote:
a few things...
a) the OP specified the befsX41, not the befsR41 that is so common out
there... the product sheets for the two are significantly different...
b) according to http://www.faqs.org/faqs/firewalls-faq/, any system
that enforces an access control policy between 2 networks qualifies as
a firewall... all nat routers enforce an access control policy
implicitly by their nature...
c) the only real difference between a nat router and what you like to
consider firewall is how fine-grained an access control policy it's
able to enforce and the variety of criteria it's able to use...

nat routers *are* firewalls... very simplistic ones, but still firewalls...

--
"we are the revenants
and we will rise up from the dead
we become the living
we've come back to reclaim our stolen breath"

Posted by Duane Arnold on March 25th, 2005


kurt wismer <kurtw@sympatico.ca> wrote in
news:J_V0e.10206$JK1.842396@news20.bellglobal.com:


It doesn't make a difference and neither one has a FW --- period.

The Linksys VPN solution NAT router doesn't have a FW. It doesn't meet the
specs for a FW appliance. It can not set rules to stop inbound or outbound
traffic like I can do with the WatchGuard SOHO 6 firewall appliance that
meets the specs in the link. I looked at the data sheet and the manual too
and I also owned a Linksys NAT router and I know the difference.

And again that can be done with a FW appliance and it can not be done with
a NAT (no FW) router.

No they are not FW(s) and just because something is using NAT doesn't make
it a FW.

And if you dropped this conversation in a FW NG, I know you'll be told what
is and what is not an appliance with a FW by the Top Guns.

Duane




Posted by James Egan on March 25th, 2005


On Fri, 25 Mar 2005 18:08:48 GMT, Duane Arnold <notme@notme.com>
wrote:

It will drop incoming (setup) packets not explicitly forwarded to
somewhere else so that makes it a firewall irrespective of what Tom
Cruise and Val Kilmer say.


Jim.


Posted by Duane Arnold on March 25th, 2005


James Egan <jegan@jegan.com> wrote in
news:n9u8411ehqp11t4j7afmav18ccf2j4kfe7@4ax.com:

And what does either one of them have to do with it? That makes the NAT router a
border device no more or no less that doesn't explicitly forward requests
due to NAT. But NAT is not firewall software. You can sit there and
disagree until the *cows* come home about a NAT router being a FW appliance
-- it is not.

Duane

Posted by kurt wismer on March 26th, 2005


Duane Arnold wrote:
i made that specific point just in case you misread it as befsr41...

firewall *appliance*? you might have noticed that neither i nor the
original poster mentioned anything about a firewall *appliance*...
they're different sets of things - firewall appliances are a proper
subset of the set of firewalls...

right... i don't think anyone benefits from your firewall appliance
snobbery...

a nat router does, in fact, block or allow inbound connections (a form
of traffic) according to rules that you set up...

blocking or allowing connection attempts *is* enforcement of an access
control policy... it's not a very sophisticated access control policy,
but it is a policy for controlling access and it is enforced by the nat
router...

there are an infinite number of possible access control policies - no
firewall can enforce them all... just because a nat router doesn't
enforce the kinds of access control policies you're interested in
doesn't mean it's not a firewall...

right, i'm quoting the firewall FAQ that's posted to
comp.security.firewalls, but *i'm* the one who's wrong and the people
from that newsgroup would tell me so...

--
"we are the revenants
and we will rise up from the dead
we become the living
we've come back to reclaim our stolen breath"

Posted by Duane Arnold on March 26th, 2005


I think the OP did or anyone who doesn't understand the marketing hype of
a manufacturer calling a NAT router a FW when it is not a FW.

Your point is moot here. I don't care what policies that NAT router can
enforce. It doesn't have a FW is the point I made. You took it to
another level all by yourself.

The simple NAT router is a border device that forwards requests upon
solicitation for inbound traffic or blocks unsolicited inbound traffic.
Or it will allow unsolicited inbound due to port forwarding or
triggering. That's about it. Some have a little more features than others
to enforce policies. But they are not FW(s).

By your same reasoning, I can take a stripped down Win 2K or better O/S
machine using IPsec (that has FW-like features) with an Internet facing
NIC and a LAN facing NIC connected to a hub. IPsec can set all the
policies in the world for inbound or outbound and a whole lot more than a
NAT router could ever do and that machine would not be a machine running
a FW, because IPsec is not FW software. It would just be a border
device/computer not forwarding unsolicited requests.

No, only the ones who know the difference that apparently you have a hard
time understanding what the difference is. I don't think the OP does
anymore who I was posting to in the first place.

You need to put two and two together and come up with four not zero and
understand that the NAT router is a NAT router and a border device and is
not a FW. But it is good enough in most cases by not forwarding
unsolicited inbound requests. A FW appliance is a different story.

Duane
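As an added illustration that is not part of any post in this thread and not any vendor's code: a small Python model of the two behaviours argued about in Duane's first post and in the one above. A NAT-only border device passes every outbound flow and admits inbound traffic only when it answers a recorded flow or hits a port forward; a device with an explicit rule set can also decide by direction, protocol, IP and port. The addresses, ports and rules are constructed for the example, and port translation is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """NAT-only border device (simplified: no port translation modelled).
    Outbound traffic is always passed and its flow recorded; inbound is
    passed only if it answers a recorded flow or hits a port forward."""
    def __init__(self, port_forwards=None):
        self.flows = set()                        # (proto, remote_ip, remote_port)
        self.port_forwards = port_forwards or {}  # (proto, wan_port) -> lan_ip

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.proto, p.dst_ip, p.dst_port))
            return "allow"                        # NAT never refuses outbound
        if (p.proto, p.src_ip, p.src_port) in self.flows:
            return "allow"                        # solicited reply
        if (p.proto, p.dst_port) in self.port_forwards:
            return "allow"                        # unsolicited but forwarded
        return "drop"                             # unsolicited, not forwarded

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    port: Optional[int] = None   # remote port for "out", local port for "in"

    def matches(self, p: Packet) -> bool:
        remote = p.dst_ip if p.direction == "out" else p.src_ip
        return (p.direction == self.direction and self.proto in (None, p.proto)
                and self.remote_ip in (None, remote) and self.port in (None, p.dst_port))

class Firewall(NatRouter):
    """Explicit rules by direction, protocol, IP and port are checked first
    (first match wins); anything they do not decide falls through to NAT logic."""
    def __init__(self, rules, port_forwards=None):
        super().__init__(port_forwards)
        self.rules = rules

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return super().filter(p)

# Constructed traffic: LAN host 192.168.1.10, web server forwarded on port 8080.
TRAFFIC = [
    Packet("out", "tcp", "192.168.1.10", 40001, "203.0.113.5", 80),    # web request
    Packet("in",  "tcp", "203.0.113.5", 80, "192.168.1.10", 40001),    # its reply
    Packet("in",  "tcp", "198.51.100.7", 5555, "192.168.1.10", 22),    # unsolicited SSH
    Packet("in",  "tcp", "198.51.100.7", 5556, "192.168.1.10", 8080),  # forwarded port
    Packet("out", "tcp", "192.168.1.10", 40002, "203.0.113.5", 23),    # outbound telnet
]
RULES = [Rule("in", "drop", remote_ip="198.51.100.7"),   # block one remote IP outright
         Rule("out", "drop", proto="tcp", port=23)]      # no outbound telnet at all

def compare(traffic=TRAFFIC):
    """Return the verdict each device gives for every packet, in order."""
    nat = NatRouter(port_forwards={("tcp", 8080): "192.168.1.10"})
    fw = Firewall(RULES, port_forwards={("tcp", 8080): "192.168.1.10"})
    return [nat.filter(p) for p in traffic], [fw.filter(p) for p in traffic]
```

The NAT-only device cannot refuse the outbound telnet or the forwarded-port request from the blocked address; the rule-based device drops both.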



Posted by kurt wismer on March 26th, 2005


Duane Arnold wrote:
well in that vein - *is too*...

yes, i took it to another level by using the definition for firewall
that i found in the comp.security.firewalls faq - that is where
'enforcing access control policies' came from... but apparently you
don't care how they define a firewall because it conflicts with
something you found on some commercial site...

according to the firewall definition in the faq i cited they are
firewalls...

[snip]
"A firewall is a system or group of systems that enforces an access
control policy between two networks. The actual means by which this is
accomplished varies widely, but in principle, the firewall can be
thought of as a pair of mechanisms: one which exists to block traffic,
and the other which exists to permit traffic."

your hypothetical system seems to fulfill the requirements of a
firewall... saying 'no it doesn't!' really doesn't refute my point
(except in a monty python sort of way)...

yoda? is that really you?... i'd make some statement about that not
parsing, but i hung up that reply when simon passed...

look, i'm using the definition right out of their faq... are you
telling me their faq is wrong? that the real participants of that group
don't endorse the content of their own faq? you aren't making a lot of
sense here...

you're getting very repetitive... i've shown you how a nat router does
meet the requirements of the definition for firewall used by
comp.security.firewalls and all you've done to refute my reasoning is
to say 'no it doesn't'... you haven't addressed any part of my argument
except the conclusion which you obviously don't like... if i'm wrong,
show me where the error is in my argument (not the conclusion)...

--
"we are the revenants
and we will rise up from the dead
we become the living
we've come back to reclaim our stolen breath"

Posted by Roger Wilco on March 26th, 2005



"Melissa" <willkayakforfoodREMOVE_THIS@gmx.net> wrote in message
news:12dgc7ixqmzzp$.dlg@uni-berlin.de...

To some of us, this is humor. For instance, it is funny when people call
"ZoneAlarm" a "firewall" and say that a router isn't one.



Posted by Duane Arnold on March 27th, 2005



"kurt wismer" <kurtw@sympatico.ca> wrote in message
news:JQl1e.40442$nK.1815495@news20.bellglobal.com...
And you took no level as far as I am concerned other than you ran somewhere
else looking for some facts.
A moot point about the differences between a NAT router with no FW and FW
appliance.

So what if I snipped that?

<snip>

A firewall examines all traffic routed between the two networks to see if it
meets certain criteria. If it does, it is routed between the networks,
otherwise it is stopped. A firewall filters both inbound and outbound
traffic. It can also manage public access to private networked resources
such as host applications. It can be used to log all attempts to enter the
private network and trigger alarms when hostile or unauthorized entry is
attempted. Firewalls can filter packets based on their source and
destination addresses and port numbers. This is known as address filtering.
Firewalls can also filter specific types of network traffic. This is also
known as protocol filtering because the decision to forward or reject
traffic is dependent upon the protocol used, for example HTTP, ftp or
telnet. Firewalls can also filter traffic by packet attribute or state.

<snip>
If you cannot understand the difference, then LOL.
And who the hell is monty python a relative of yours? ;-)

http://www.petri.co.il/block_ping_tr...with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

Only a jackass like you would know, now wouldn't you?

And neither are you.......



And I am going with the Top Dogs in that FW NG who showed and explained the
difference between a NAT router and a FW appliance.

And you think that you know something and some how what I have learned from
them is wrong and somehow you are right?



You need to get out of here with this.


You're becoming a PITA and I suggest that you drop a question in the FW NG
and have it answered like the OP did.



Other than that, you're clueless about a NAT router and a FW appliance.



And I want you to stop posting to me as you're going off the deep end. ;-)



Duane


Posted by Duane Arnold on March 27th, 2005


"Roger Wilco" <yesman@yourservice.invalid> wrote in message
news:114bthvrdkl1h88@corp.supernews.com...
And some say that a PFW solution is no FW period -- snake oil -- but I am
not one of them and not looking for that kind of *heat* as I have seen
people go off the deep-end about that too? ;-)

Duane



Posted by kurt wismer on March 27th, 2005


Melissa wrote:
[snip]
since semantics are really just a question of meaning, most interesting
discussions are ultimately in the realm of semantics... (please excuse
the recursive semantics)

[snip]
and that behaviour is inherent in nat routers...

[snip]
ultimately, you have to pick the tool that suits *you* (not duane)...
it sounds to me like you're perfectly happy with your router... not
everyone needs a firewall as sophisticated as duane's, and some folks
would probably screw it up because of the complexity of something that
feature-rich...

[snip]
well don't look now but i'm sure there's a bunch of pedants who'll
insist that you should call it a switch instead of a router... just as
long as you don't call it a hub, 'cause that would be technically wrong...

[snip]
sorry, i just get a little tired of seeing duane jump on every
opportunity to say 'nat routers aren't firewalls'...

--
"we are the revenants
and we will rise up from the dead
we become the living
we've come back to reclaim our stolen breath"

Posted by Ant on March 27th, 2005


"Melissa" wrote:

Often a natural progression in newsgroups.

Quite probably, but the journey may be entertaining. Already Duane is
resorting to insults.

[snip]
You jest (obvious from the emoticon) - this is Usenet!

That could be useful. I know little about them myself.

Let the semantics be argued as well. Kurt's good at that.



Posted by Duane Arnold on March 27th, 2005



"Melissa" <willkayakforfoodREMOVE_THIS@gmx.net> wrote in message
news:1ot0b4d6yq2gr.dlg@uni-berlin.de...
No, you don't need it at that point. The only PFW solution I have running
on a machine is the laptop when it's not connected to my network. And I just
want to say that Linksys NAT router you have is a fine device and I used to
own one that had less features and cost more. In no way am I putting down a
NAT router. But on the other hand, I don't trust the NAT router and it was
pointed out to me by WatchGuard general security articles as to why I
shouldn't trust one as various attacks can be run against them. I only
point out the fact that the NAT router it's not a FW appliance in the true
sense of a device running FW software and it can be attacked. And it was
attacked when I was using one that prompted me to go get something else.
Nothing has come past that WG -- nothing. On the other hand, the NAT router
does protect the network in the basic physical sense - like a firewall or
firedoor - but that's as far as it goes as far as I am concerned because
that door can be knocked down and the door opened. And with the door closed
and wall up -- ports closed.



<snip>

The earliest firewalls were simply routers. The term firewall comes from the
fact that by segmenting a network into different physical subnetworks, they
limited the damage that could spread from one subnet to another just like
firedoors or firewalls.

<snip>

If I do supplement behind the WG, it will be with IPsec on the Web server
to further secure it if I open port 80, 20 and 21 again as my ISP is death
on a Web server running on their network. I slip in an FTP once in a while.
;-)

http://www.microsoft.com/technet/its...y/ipsecld.mspx

I am curious about that Linksys. Can it ensure or can you set rules to only
allow HTTP to come down port 80 or FTP down 20 and 21?



And it's that moron Kirk W. who needs to go off the deep end not me. And no
*we cannot just get along as you can see*. And I am tired of that *clown*
and I don't even know who that moron is as I have not paid any attention to
him, until now.

I have to go and get food *blood sugar* running low.

BYE!

Duane



Posted by Duane Arnold on March 27th, 2005



Well stay tuned for Sematics or Semantics Man hits the killfile I am tired
of him.

Duane



Posted by Gary on March 27th, 2005



On 26-Mar-2005, Melissa <willkayakforfoodREMOVE_THIS@gmx.net> wrote:

Melissa, I bought my Watchguard SOHO6 on Ebay for $125 and love it. If you
look there you can get a good deal. Even if the unit was not
registered you can register it with Watchguard and get I think ninety days
of free support. They have great tech support, but you have to pay for it,
and also for new firmware upgrades, after the ninety days are up. It is a great
firewall for home or small office.

Posted by Duane Arnold on March 27th, 2005


"Gary" <zero@nospam.com> wrote in
news:_6udndYZcaOMBdvfRVn-iA@adelphia.com:


Here is a link that comes right down to it and talks about packet
filtering, SPI, application gateways, NAT, routers, FW appliances and
personal FW(s) etc, etc to help you make a proper selection.

http://www.more.net/technical/netserv/tcpip/firewalls/

HTH

Duane


Posted by Roger Wilco on March 27th, 2005



"Duane Arnold" <Notme@Notme.com> wrote in message
news:X7n1e.107734$Ze3.20787@attbi_s51...
Not you in particular, Duane. It's just that how does a program
control the information flow between two networks if it is hosted on one
of the networked computers? It's like the wearing of body armor under
the skin. PFW's have many features that have become associated with
features added to real firewall devices. Barring a real firewall, a
computer or computer network is only as safe from intrusion as the
software it is running allows it to be - and a PFW is software running
on that same computer or network it hopes to protect. Sure, PFW's can be
useful, but sitting 'between' the networks it controls traffic to and
from is where real firewalls go.

The term "firewall appliance" is probably just a shortened version of
"firewall-like appliance" as it pertains to the
snake-o...err...marketing departments of the vendors supplying them,
that is - if they are not on devices dedicated to that task.



Posted by Duane Arnold on March 27th, 2005



You might want to read the article in the link as my views and knowledge
about firewalls have been increased or changed. ;-)
And I see why some Top Dogs in the FW NG are saying what they are saying.

http://www.more.net/technical/netserv/tcpip/firewalls/

Duane



Posted by kurt wismer on March 27th, 2005


Duane Arnold wrote:
i didn't run anywhere, duane... the comp.security.firewalls faq is the
reference i've been using for some time now... i first posted a link to
it in alt.comp.virus in 2003...

i pointed it out to you for a number of reasons, not the least of which
being to show that there is more than one definition... the definition
you're peddling is not 'the one true definition'... there are other
definitions that are just as valid as the one you obviously prefer, and
according to some of those definitions a nat router qualifies as a
firewall...

[snip]
if you cannot understand that your definition of firewall isn't an
absolute truth then you've got bigger problems than i care to address...

[snip]
*their* faq says otherwise... if they no longer endorse the contents of
their own faq or if they interpret their faq in a way other than i have
done then you should be supporting your argument with links to that
rather than hurling insults...

what i think is that the people in comp.security.firewalls have
provided a firewall definition that is demonstrably less restrictive
than the one you choose to use, and by their definition a nat router is
a firewall...

what i think is that you obviously don't agree with this...

what i think is that you have done nothing to support your argument
except parrot what you've read on vendor sites and claim that the
people in comp.security.firewalls believe X rather than what's in their
own faq without actually posting proof that they believe X...

you need to learn how to formulate rational arguments...

really... so should i ask them if they still believe their own faq?

because, really, the question at hand ("what is a firewall?") is
supposed to have already been answered by their faq... i shouldn't need
to ask them directly, that's what faq's are for...

--
"we are the revenants
and we will rise up from the dead
we become the living
we've come back to reclaim our stolen breath"
