flatten and rebuild---REPLACE! - Firewalls



Thread: flatten and rebuild---REPLACE!

  1. flatten and rebuild---REPLACE!


    And so on....the whole concept of trusted servers is so lame.
    Seems that an axiom has been in force the whole time: "any advance in
    security technology is outdated before implementation due to the sheer
    capacity for rising to the challenge." You may quote me "miffed".[grin]

    I suspect the rebuilt 'flattener' is correct...I am now thinking back to
    these lines:
    1/putting a $100 W95lite machine on the Internet, disabling EVERYthing
    except port 80 HTTP TCP/IP in/out.
    2/ checking email at the library.
    3/ Buying mp3s [ok, seriously though.....]
    4/burning the CDs with shareware sitting in my drawer since they
    probably had the prototype plastic Semiconductor junctions molded into
    them allowing transmission to a w-lan [i kill me].
    5/OR....putting a useless old puter [see #1, voida (oops..works
    though) VIDA supra] on the net and leaving it wide open as a honey pot
    and sniffing the packets with sniper rifle in hand....makes me feel
    better if not superior.

    5a/ using same puter AS "5/" until it gets smoked and instead of
    flattening....just flatten it and replace. That's it!
    FLATTEN AND REPLACE! $50 PIII 800s abound. And we all know they are
    just as fast running the era software right! Wait, Faster running prior
    era software devoid of OuthousE and IsajokE.

    6/Giving up and going back to print media... no, WAIT...Snailmail spam
    was the first and still is pervasive.......

    "your prise is waiting for __________ to collect it. Reply soon. Offer
    dated".

    If I could only reach the trigger with the barrel pointed at my face!

    miffed. S'pose?

  2. Re: flatten and rebuild---REPLACE!

    warf wrote:

    > I suspect the rebuilt 'flattener' is correct...I am now thinking back to
    > these lines:
    > 1/putting a $100 W95lite machine on the Internet, disabling EVERYthing
    > except port 80 HTTP TCP/IP in/out.


    Please, do so. You really don't need DNS and ICMP, nor HTTPS. ;-D
    Anyway, with Win95 you're ****ed anyway.

    > 2/ checking email at the library.


    Stupid idea.

    > 3/ Buying mp3s [ok, seriously though.....]


    Well, what about it? If those guys at AllOfMP3 and eMusic would actually
    offer what I want, I'd stop legally downloading it for free from P2P
    networks.

    > 5/OR....putting a useless old puter [see #1, voida (oops..works
    > though) VIDA supra] on the net and leaving it wide open as a honey pot
    > and sniffing the packets with sniper rifle in hand....makes me feel
    > better if not superior.


    But well, no other effect. Honeypots don't work as a security measure.

  3. Re: flatten and rebuild---REPLACE!

    Sebastian Gottschalk wrote:

    > warf wrote:
    >
    >
    >>I suspect the rebuilt 'flattener' is correct...I am now thinking back to
    >>these lines:
    >>1/putting a $100 W95lite machine on the Internet, disabling EVERYthing
    >>except port 80 HTTP TCP/IP in/out.

    >
    >
    > Please, do so. You really don't need DNS and ICMP, neither HTTPS. ;-D
    > Anyway, with Win95 you're ****ed anyway.


    I am actually playfully agreeing with your basic philosophy Seb~. I
    tried to disable DNS and ICMP and....oh, you're being sarcastic. Silly me.

    Seriously though, I have tried to get my cable ISP to tell me what
    minimum I require enabled for access and all I get is ports 80,25,110.
    Nothing about which protocols, nothing about 'inbound or outbound' ...
    I have found out that without DNS lookup the process is so slow I might
    as well get dialup. I also found that I can't refresh my IP
    without...DCOM? So, by trial and error I creep along on my hands and
    knees looking for a reasonable solution.

    >>2/ checking email at the library.

    >
    > Stupid idea.


    I know...I'm so weak.

    warf,,,,begs your advice.

  4. Re: flatten and rebuild---REPLACE!

    warf wrote:

    > Seriously though, I have tried to get my cable ISP to tell me what
    > minimum I require enabled for a access and all i get is ports 80,25,110.


    You should really consider if this lousy support is worth the money you're
    paying.

    > Nothing about which protocols, nothing about 'inbound or outbound' ...


    Well, maybe they assume that you should know at least the most important
    details about the protocols involved if you're asking for such things...

    > I have found out that without DNSlookup the process is so slow i might
    > as well get dialup,


    Huh? Without DNS, you won't get any DNS resolving. Are you twisting this
    with the Windows DNS caching daemon? What about your DNS configuration?

    > I also found that i can't refresh my IP without...DCOM?


    Huh? That's definitely strange.

    > so, by trial and error I creep along on my hands and
    > knees looking for a reasonable solution


    Well, why don't you take a look at ? An extensive
    discussion about what ports are used by which daemons and how to configure
    them.

  5. Re: flatten and rebuild---REPLACE!

    On Thu, 14 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    , warf wrote:

    >I am now thinking back to these lines:
    >1/putting a $100 W95lite machine on the Internet, disabling EVERYthing
    >except port 80 HTTP TCP/IP in/out.


    I know you are being facetious here (no one is crazy enough to trust
    windoze95 near a network connection, never mind the Internet), but this
    point suggests a misunderstanding on port numbers and how they are used
    in the big picture. Think what you put on an envelope when you send mail.
    You put the address of the destination - and in the Internet, this is
    found in two locations. The IP address of the destination is the first
    address (bytes 16 to 19) of the IP header - which sends the packet to
    the destination _computer_ out "there". But in the TCP header, there is
    a destination _port_number_ in bytes 2 and 3 to tell which service on
    that destination computer to deliver this packet to. See RFC1180 (or
    RFC0791 and 0793 if you want the actual specifications) for additional
    details.

    0791 Internet Protocol. J. Postel. September 1981. (Format: TXT=97779
    bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
    (Status: STANDARD)

    0793 Transmission Control Protocol. J. Postel. September 1981.
    (Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007)
    (Status: STANDARD)

    1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
    (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

    But just as you put a "return address" on that letter, the packet also
    has your IP address (in bytes 12 to 15 of the IP header), and the source
    port number (in bytes 0 and 1 of the TCP header) where the packet came
    from on your computer. Point is, the 'source' and 'destination' port
    numbers are not the same. If they were, what is the point for having
    both in the header? The server is usually on a "well known port" (in
    this case, 80), but the client will be on an ephemeral port number (the
    "next available number") between 1025 and 65535.

    As you are not offering services to the world, anyone attempting to
    connect to a port between 0 and 1023 on your system should get a "No one
    lives here" answer - which occurs BY DEFAULT when there is nothing on
    the port. With one exception (DHCP client), there should never be any
    packet leaving your system with a _source_ port in that range.

    Old guy

  6. Re: flatten and rebuild---REPLACE!

    Moe Trin wrote:

    > On Thu, 14 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    > , warf wrote:
    >
    >
    >>I am now thinking back to these lines:
    >>1/putting a $100 W95lite machine on the Internet, disabling EVERYthing
    >>except port 80 HTTP TCP/IP in/out.

    >
    >
    > I know you are being facetious here (no one is crazy enough to trust
    > windoze95 near a network connection, never mind the Internet), but this
    > point suggests a misunderstanding on port numbers and how they are used
    > in the big picture. Think what you put on an envelope when you send mail.
    > You put the address of the destination - and in the Internet, this is
    > found in two locations. The IP address of the destination is the first
    > address (bytes 16 to 19) of the IP header - which sends the packet to
    > the destination _computer_ out "there". But in the TCP header, there is
    > a destination _port_number_ in bytes 2 and 3 to tell which service on
    > that destination computer to deliver this packet to. See RFC1180 (or
    > RFC0791 and 0793 if you want the actual specifications) for additional
    > details.
    >
    > 0791 Internet Protocol. J. Postel. September 1981. (Format: TXT=97779
    > bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
    > (Status: STANDARD)
    >
    > 0793 Transmission Control Protocol. J. Postel. September 1981.
    > (Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007)
    > (Status: STANDARD)
    >
    > 1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
    > (Format: TXT=65494 bytes) (Status: INFORMATIONAL)
    >
    > But just as you put a "return address" on that letter, the packet also
    > has your IP address (in bytes 12 to 15 of the IP header), and the source
    > port number (in bytes 0 and 1 of the TCP header) where the packet came
    > from on your computer. Point is, the 'source' and 'destination' port
    > numbers are not the same. If they were, what is the point for having
    > both in the header? The server is usually on a "well known port" (in
    > this case, 80), but the client will be on an ephemeral port number (the
    > "next available number") between 1025 and 65535.
    >
    > As you are not offering services to the world, anyone attempting to
    > connect to a port between 0 and 1023 on your system should get a "No one
    > lives here" answer - which occurs BY DEFAULT when there is nothing on
    > the port. With one exception (DHCP client), there should never be any
    > packet leaving your system with a _source_ port in that range.
    >
    > Old guy


    SERIOUSLY...thanks. I am of course at your mercy as you 'might' be
    regarding D-orbital ab inito calculations for bis-phenylphosphorylation
    of....Motrin, or whatever.

    As is apparent, I am asking these questions to learn enough to 'play
    ball' but am also realistic enough to know [I reiterate] a masters in comp Sci
    in order to stick it to HP ain't gonna happen.
    I would however appreciate a reference to an intermediate
    treatise....magazine, covering enough of the basics to at least enable
    me to ask the right questions. At least then I might be able to assist
    myself. Really, there is a lot of chest pounding in these forums but the
    chance to educate the eager is the most noble use of these ephemeral
    packets there is, no?
    Warf...looking to you[se] for a ray of light.

  7. Re: flatten and rebuild---REPLACE!

    Moe Trin wrote:

    > As you are not offering services to the world, anyone attempting to
    > connect to a port between 0 and 1023 on your system should get a "No one
    > lives here" answer - which occurs BY DEFAULT when there is nothing on
    > the port. With one exception (DHCP client), there should never be any
    > packet leaving your system with a _source_ port in that range.


    What about DNS query fallback? If some queries with source port > 1024
    fail, some resolvers resort to source port 53. Also quite common behind NAT
    routers.
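    The byte offsets Moe Trin walks through above (IP source/destination addresses at bytes 12-15 and 16-19, TCP source/destination ports at bytes 0-1 and 2-3), together with his "no low source port leaving a client except DHCP" rule and Sebastian's DNS-fallback caveat, as an added example that is not part of the original thread. The sample packet and the allow-list are constructed here; the 192.0.2.x/198.51.100.x addresses are documentation ranges, not real hosts.

    ```python
    import struct

    DEFAULT_LOW_PORT_ALLOW = frozenset({68})   # DHCP client: the one exception Moe Trin names

    def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port):
        """Constructed sample: minimal IPv4 header + TCP SYN header, no payload.
        Checksums are left zero; this is for parsing practice, not for sending."""
        tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          5 << 4,      # data offset = 5 words (20 bytes)
                          0x02,        # SYN flag
                          65535, 0, 0) # window, checksum, urgent pointer
        ip = struct.pack("!BBHHHBBH4s4s",
                         0x45,                # version 4, IHL 5 (20-byte header)
                         0, 20 + len(tcp),    # TOS, total length
                         0, 0, 64,            # id, flags/fragment, TTL
                         6,                   # protocol 6 = TCP
                         0,                   # header checksum (unset here)
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
        return ip + tcp

    def parse_ipv4_tcp(pkt):
        """Read the two 'addresses' Moe Trin describes: host (IP) and service (port)."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        ihl = (pkt[0] & 0x0F) * 4          # real header length; IP options push TCP further out
        if pkt[9] != 6:
            raise ValueError("not TCP")
        src_ip = ".".join(str(b) for b in pkt[12:16])   # IP header bytes 12-15
        dst_ip = ".".join(str(b) for b in pkt[16:20])   # IP header bytes 16-19
        tcp = pkt[ihl:]
        if len(tcp) < 4:
            raise ValueError("truncated TCP header")
        src_port, dst_port = struct.unpack("!HH", tcp[:4])  # TCP bytes 0-1, 2-3
        return {"src_ip": src_ip, "dst_ip": dst_ip,
                "src_port": src_port, "dst_port": dst_port}

    def port_class(port):
        """0-1023 are the 'well known' server ports; higher ones are client-side ephemeral."""
        return "well-known" if port <= 1023 else "ephemeral"

    def egress_source_port_ok(src_port, allow=DEFAULT_LOW_PORT_ALLOW):
        """Egress check for a host offering no services: a low *source* port is a red flag.
        Sites that see Sebastian's resolver fallback to source port 53 can pass
        allow=DEFAULT_LOW_PORT_ALLOW | {53} rather than silently accept all low ports."""
        return src_port > 1023 or src_port in allow

    if __name__ == "__main__":
        hdr = parse_ipv4_tcp(build_ipv4_tcp("192.0.2.10", "198.51.100.7", 49152, 80))
        print(hdr, port_class(hdr["src_port"]), egress_source_port_ok(hdr["src_port"]))
    ```
    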

  8. Re: flatten and rebuild---REPLACE!

    Sebastian Gottschalk wrote:
    > Moe Trin wrote:
    >
    >
    >>As you are not offering services to the world, anyone attempting to
    >>connect to a port between 0 and 1023 on your system should get a "No one
    >>lives here" answer - which occurs BY DEFAULT when there is nothing on
    >>the port. With one exception (DHCP client), there should never be any
    >>packet leaving your system with a _source_ port in that range.

    >
    >
    > What about DNS query fallback? If some queries with source port > 1024
    > fail, some resolvers resort to source port 53. Also quite common behind NAT
    > routers.


    Sigh, a lot like listening to very intelligent men argue specifics
    of hard science from opposite perspectives; how can two correct people
    be in disagreement? [As I suspected, no hope for me.]
    miffed again.

  9. Re: flatten and rebuild---REPLACE!

    On Sat, 16 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    , warf wrote:

    >I would however appreciate a reference to an intermediate
    >treatise....magazine, covering enough of the basics to at least enable
    >me to ask the right questions. At least then I might be able to assist
    >myself.


    Now that would be a good question. I don't subscribe to magazines
    like that - they tend to be rather useless for me as everything is aimed
    at the windoze user level. The more technical magazines tend to expect
    that the reader has the basics, or is willing to spend the time scanning
    the details out of RFCs and the like. Do you have access to a good
    library? One of the better books is "TCP/IP Illustrated, Volume 1" by
    the late W. Richard Stevens (Addison Wesley, ISBN 0-201-63346-9, 1994
    [there is a 1996 edition as well], 576 pages, US$lots) that is normally
    used as a text book in college networking courses. I would NOT
    recommend buying it in this situation, but if you can borrow a copy,
    it may be worth the read.

    As for the way an application communicates, other than the simple
    overview (in Chapter 1 of the Stevens book) this tends to be more O/S
    specific, and as I've stated, I don't do windoze.

    Old guy


  10. Re: flatten and rebuild---REPLACE!

    Moe Trin wrote:

    > On Sat, 16 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    > , warf wrote:
    >
    >
    >>I would however appreciate a reference to an intermediate
    >>treatise....magazine, covering enough of the basics to at least enable
    >>me to ask the right questions. At least then I might be able to assist
    >>myself.

    snip....>
    > As for the way an application communicates, other than the simple
    > overview (in Chapter 1 of the Stevens book) this tends to be more O/S
    > specific, and as I've stated, I don't do windoze.
    >
    > Old guy
    >


    SIGH.......
    Warf.
