D
David Maynard
Ed said:
What port did zone alarm let through that it wasn't supposed to?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
What port did zone alarm let through that it wasn't supposed to?
S
spodosaurus
3200+ said:=----
I would never ever use anything by Gigabyte again. IMHO their products are
of inferior design and their technical support is so poor that it is hard to
believe they get away with it.
Jon
Whereas I'm a loyal gigabyte customer. All of my computers run their
boards. The only problem I had was one that failed outside of the one
year warranty offered by all computer shops here in Australia. So, the
distributor stepped in when I asked them and sent the board back for me
and gigabyte replaced it with a new board (a better model). I don't like
their northbridge fans, but that could be said for any manufacturer that
uses that set up.
Cheers,
Ari
--
spammage trappage: replace fishies_ with yahoo
I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
S
spodosaurus
Scott said:If I had of known that before buying a gigabyte motherboard.....
This is a copy of the email I sent them today. By the sounds of it I may get
better support here.
"When the system has booted up and has been running smoothly for 5mins to an
hour, the system suddenly freezes. During this time I can press Ctrl-Alt-Del
to bring up the task manager but nothing is using 100% of the processor.
Most programs are using 0-10% but nothing more. I can shut down programs
from the task manager, but I cannot use them. To say this, if I am writing
to cd or dvd, it will continue to do so - But I cannot click on any menus or
'ok' or 'cancel' buttons if any happen to be on screen. This problem can
last from 30 seconds to 5mins and then I have control over my programs again
like nothing had ever happened. My virus scanner is completely up to date
(Norton antivirus) and both firewalls (Norton and Windows SP2) are up to
date and running as they should.
Another problem I have is that sometimes I cannot move files to another
folder using drag and drop yet if I cut and paste this works without a
hitch.
Can you think of any reason why this would happen.
My motherboard drivers and Bios are bang up to date."
Scott
To me, that does not sound like a motherboard problem. I don't see why
they should use their resources to fix your software problems.
Ari
--
spammage trappage: replace fishies_ with yahoo
I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
S
spodosaurus
Ed said:Using online tests that check on ports.
LOL
--
spammage trappage: replace fishies_ with yahoo
I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
S
spodosaurus
Roy said:Getting back to the question at hand, it is necessary that you decide what
your upgrades are going to be. If you are looking at the Nvidia Chipset with
a 939 pin CPU them the highest rated motherboards on the market are the MSI
and DFI brands. If you intend on staying with the Via Chipset then both the
Asus and Abit motherboards are rated very high, and will still be able to
use AGP video cards.
Be careful, because in the 939 pin selection of motherboards there are the
new SLI boards which will require an upgrade to the new PCI-Express Video
Cards which are not cheap.
And the performance for the SLI boards is not really any better (often
worse) than regular boards that cost 50% less.
Ari
--
spammage trappage: replace fishies_ with yahoo
I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
E
Ed Light
I can't remember. It was some sort of Windows related port.David Maynard said:What port did zone alarm let through that it wasn't supposed to?
I'll be gone from newsgroups until mid-April.
--
Ed Light
Smiley :-/
MS Smiley :-\
Send spam to the FTC at
(e-mail address removed)
Thanks, robots.
D
David Maynard
Ed said:I can't remember. It was some sort of Windows related port.
What I'm trying to figure out is if it really 'leaked' a port or if it's
simply that one was properly enabled and you just didn't realize it.
I'll be gone from newsgroups until mid-April.
ok
E
Ed Light
David Maynard said:What I'm trying to figure out is if it really 'leaked' a port or if it's
simply that one was properly enabled and you just didn't realize it.
The online test said the port was visible, or something.
It was shields up or something like that.
--
Ed Light
Smiley :-/
MS Smiley :-\
Send spam to the FTC at
(e-mail address removed)
Thanks, robots.
D
David Maynard
Ed said:The online test said the port was visible, or something.
It was shields up or something like that.
Ok. Doesn't sound like we're going to get much farther on that one.
E
Ed Light
David Maynard said:Ok. Doesn't sound like we're going to get much farther on that one.
Here's Shields Up.
http://grc.com/
After searching a bit I found a note to myself that universal plug and play
opens up a port to the internet despite ZoneAlarm. Note dated 12-25-02. It
says to uninstall it.
http://grc.com/default.htm and scroll down to universal plug and pray.
I'll really be gone now, unless I come in for another session tonight, for a
couple of weeks.
--
Ed Light
Smiley :-/
MS Smiley :-\
Send spam to the FTC at
(e-mail address removed)
Thanks, robots.
E
Ed Light
Ed Light said:Here's Shields Up.
http://grc.com/
After searching a bit I found a note to myself that universal plug and
play opens up a port to the internet despite ZoneAlarm. Note dated
12-25-02. It says to uninstall it.
http://grc.com/default.htm and scroll down to universal plug and pray.
I'll really be gone now, unless I come in for another session tonight, for
a couple of weeks.
Happy to say, Shield Up shows ports 5000 and 1900 upnp stealthed with only
ZoneAlarm with Antivirus.
Glad I revisited it.
And this is with the little utility they provide saying that upnp is on.
But I guess I'll turn it off.
--
Ed Light
Smiley :-/
MS Smiley :-\
Send spam to the FTC at
(e-mail address removed)
Thanks, robots.
D
David Maynard
Ed said:Here's Shields Up.
http://grc.com/
After searching a bit I found a note to myself that universal plug and play
opens up a port to the internet despite ZoneAlarm. Note dated 12-25-02. It
says to uninstall it.
http://grc.com/default.htm and scroll down to universal plug and pray.
I'll really be gone now, unless I come in for another session tonight, for a
couple of weeks.
Ah, yes, uPnP. Well, that makes sense.
D
David Maynard
Ed said:Happy to say, Shield Up shows ports 5000 and 1900 upnp stealthed with only
ZoneAlarm with Antivirus.
Glad I revisited it.
And this is with the little utility they provide saying that upnp is on.
But I guess I'll turn it off.
Yes, I don't use any uPnP devices so I have it disabled on all my machines
but if one were using it that would be an example for the usefulness of two
firewalls, one on the primary internet connection, I.E. the router, to
block all "for local use only" ports off the internet and then one on the
local machine to protect yourself from a behind the firewall attack, like
some yahoo inadvertently installing a virus on his machine that is,
therefor, on the interior local LAN.
S
spodosaurus
Ed said:The online test said the port was visible, or something.
It was shields up or something like that.
That's a crap tester. There's no point in running two software firewalls
except to cause problems for the user. Buy a router with SPI and use
that as a hardware firewall if you really think you need the protection.
Ari
--
spammage trappage: replace fishies_ with yahoo
I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
J
Jay T. Blocksom
[f'ups set to <alt.comp.periphs.mainboard.asus>, exclusively]
You're kidding yourself.
First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:
You can't block a port with software that runs on the same machine where
the attacks are aimed. That's like trying to stop bullets by shoving
Kevlar up your backside. By the time the bullet hits the Kevlar, the
damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003
But beyond that, running TWO of them is just plain silly. If either
pseudo-firewall is intelligently designed and properly configured, then it
will by itself provide ALL the "protection" that any such pseudo-firewall is
capable of. And if it is *not* intelligently designed and properly
configured, then adding yet another grossly broken "firewall" isn't going to
buy you anything (except headaches, of course).
No, you're not.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
[snip][snip]
Nero said:What the kinhell you runnin two firewalls for?
Why run SP2 firewall AND Norton??
Think you will be better protected?
That's like wearin a belt and suspenders
I'm running two firewalls for extra protection.
You're kidding yourself.
First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:
You can't block a port with software that runs on the same machine where
the attacks are aimed. That's like trying to stop bullets by shoving
Kevlar up your backside. By the time the bullet hits the Kevlar, the
damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003
But beyond that, running TWO of them is just plain silly. If either
pseudo-firewall is intelligently designed and properly configured, then it
will by itself provide ALL the "protection" that any such pseudo-firewall is
capable of. And if it is *not* intelligently designed and properly
configured, then adding yet another grossly broken "firewall" isn't going to
buy you anything (except headaches, of course).
[snip]I like to be careful just incase someone cracks through one of them, at
least I'm protected that little bit more.
No, you're not.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
B
Ben Pope
Jay said:[f'ups set to <alt.comp.periphs.mainboard.asus>, exclusively]
[snip][snip]
Nero said:What the kinhell you runnin two firewalls for?
Why run SP2 firewall AND Norton??
Think you will be better protected?
That's like wearin a belt and suspenders
I'm running two firewalls for extra protection.
You're kidding yourself.
Agreed. Never run 2 firewalls on one machine.
First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:
You can't block a port with software that runs on the same machine where
the attacks are aimed. That's like trying to stop bullets by shoving
Kevlar up your backside. By the time the bullet hits the Kevlar, the
damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003
I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world. If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you. It's also good
for blocking access to the internet from rogue software on your machine.
They can also hide you from people who port scan (poorly, but quickly),
by turning off ping etc. (Not that I think turning off ping is an
effective security measure).
Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.
Ben
J
Jay T. Blocksom
[snip]Jay T. Blocksom wrote: [snip]
First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:
You can't block a port with software that runs on the same machine
where the attacks are aimed. That's like trying to stop bullets by
shoving Kevlar up your backside. By the time the bullet hits the
Kevlar, the damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003
I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world.
No, it can't, for precisely the reasons already cited.
If your system is poorly configured and/or you do not exercise good control
over what software is permitted to be installed/run/etc., then it *might* be
useful as sort of a "nagging nanny" to ride herd on the (clearly incompetent)
user. But if the user is dumb enough to need that, why presume that he/she is
smart enough to benefit from it? And besides, this is also the epitome of the
"treat the symptom" approach, as opposed to excising the disease.
[snip]If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you.
Wrong. For any "firewall" to be effective, it MUST stand *between* the threat
and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.
[snip]It's also good
for blocking access to the internet from rogue software on your machine.
See above cf. "nagging nanny".
[snip]Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.
You haven't seen my firewall's syslog output, have you?
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
B
Ben Pope
Jay said:[snip]I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world.
No, it can't, for precisely the reasons already cited.
If your system is poorly configured and/or you do not exercise good control
over what software is permitted to be installed/run/etc., then it *might* be
useful as sort of a "nagging nanny" to ride herd on the (clearly incompetent)
user. But if the user is dumb enough to need that, why presume that he/she is
smart enough to benefit from it? And besides, this is also the epitome of the
"treat the symptom" approach, as opposed to excising the disease.
You misunderstand what I wrote. To rephrase:
A software firewall can prevent the outside world from seeing the
services running on your machine.
[snip]If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you.
Wrong. For any "firewall" to be effective, it MUST stand *between* the threat
and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.
Such as? Obviously there eis some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do. Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...
I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessable to the outside world. If I sit behind a software firewall,
that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router? My machine is exposed to the world, on those 2 ports... any
software vulnarabilty in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerabilty in Apache or
Jetty.
[snip]It's also good
for blocking access to the internet from rogue software on your machine.
See above cf. "nagging nanny".
Indeed. But spyware etc. gets on the machine from time to time and
having my firewall ask me if I want the new process to access the
internet is pretty useful in determining that it exists, or that the
software I thought I was installing might be a bit dubious.
[snip]Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.
You haven't seen my firewall's syslog output, have you?
No, and you haven't told me why I would want to. Assuming that your
hardware firewall protects you from a DoS attack, how is that useful for
the average user who just wants to browse the internet? The connection
is down either way.
Ben
J
Jay T. Blocksom
[snip]Jay T. Blocksom wrote: [snip]If your system is poorly configured and/or you do not exercise good
control over what software is permitted to be installed/run/etc., then it
*might* be useful as sort of a "nagging nanny" to ride herd on the
(clearly incompetent) user. But if the user is dumb enough to need that,
why presume that he/she is smart enough to benefit from it? And besides,
this is also the epitome of the "treat the symptom" approach, as opposed
to excising the disease.
You misunderstand what I wrote. To rephrase:
A software firewall can prevent the outside world from seeing the
services running on your machine.
Not in the scenario you later described. Read on...
[snip][snip]If these
servers have a security flaw, then they could be exploited from
outside, and the software firewall will be able to protect you.
Wrong. For any "firewall" to be effective, it MUST stand *between* the
threat and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.
Such as?
The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the case
of many if not most WinBoxen, is the whole machine).
So, in addition to the vulnerabilities inherent in that "software firewall"
(cf.: <http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html>,
<http://www.kb.cert.org/vuls/id/634414>,
<http://www.kb.cert.org/vuls/id/682110>,
<http://www.kb.cert.org/vuls/id/637318>,
<http://samspade.org/d/persfire.html>, <http://samspade.org/d/firewalls.html>,
etc.), you basically expose ALL of Windows, with its chronic legion of slowly-
or never-patched vulnerabilities (cf.
<http://secunia.com/advisories/14512/print/>,
<http://secunia.com/advisories/12670/print/>,
<http://secunia.com/advisories/11482/print/>,
<http://www.techweb.com/article/prin...MEKJVN?articleID=59200229&site_section=700028>,
<http://www.internetweek.com/shared/printableArticle.jhtml?articleID=19205530>,
<http://secunia.com/advisories/10589/print/>,
<http://www.elixir.com.au/news/default.cfm?nav_id=2&id=40>, etc.) DIRECTLY to
the 'net.
Hence, this is pretty much the definition of "defeating the purpose".
Or, if it will make it any clearer to you, look at it from the other way
around: With any so-called "software firewall", you are in effect running
your general-purpose OS (typically Windows -- eeek!) *and* all of your
application programs *on* your firewall machine, which is directly
antithetical to proper security procedures: Rule #1 is to NEVER enable any
unnecessary processes or services, *especially* on a device which faces the
outside world.
[snip]Obviously there eis some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do.
Not true, at least not as stated. Your web-server scenario below is an
atypical exception; but even that need not engender the degree of exposure you
presume.
[snip]Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...
Of course -- at least presuming that "hardware router" is properly configured.
I'm not saying that it necessarily provides complete isolation (again, see
your "web server" scenario below); but it's definitely both another step
further removed from "the wild" *and* offers an opportunity to be selective
(think SPI) about what gets forwarded back and forth.
[snip]I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessable to the outside world.
Which is not the case for the typical user, who does NOT need to run public
servers. But even assuming that scenario, those public servers should be on a
separate interface (sometimes called a "DMZ" or "Orange interface"), where
they are both isolated from your "protected" network (sometimes called the
"Green interface"), and where ONLY the traffic necessary for that service is
permitted through.
[snip]If I sit behind a software firewall,
But that's just it: You're NOT "behind" that so-called firewall; you're on
it, in it, in front of it, and all around it -- all at the same time.
[snip]that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router?
You're assuming a perfect world.
The problem is not (so much) what happens when everything works as intended.
The larger problem is what happens when UNintended things happen. And in the
"software firewall" model, virtually any breach is by definition a
catastrophic disaster, simply because so much "other stuff" instantly becomes
available to the attacker.
[snip]My machine is exposed to the world, on those 2 ports...
Your machine is exposed to the world, period. The limitation to "on those 2
ports" is only valid in a very limited context.
[snip]any
software vulnarabilty in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerabilty in Apache or
Jetty.
That is correct. There is no such thing as a perfectly secure computer
system.
But the bigger problem is that, in the "software firewall" model, any
vulnerability in ANY software running on that box can (and will) *also* pose a
threat to the integrity of the firewall itself. In short, the whole thing is
a house of cards.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
B
Ben Pope
Jay said:[snip]A software firewall can prevent the outside world from seeing the
services running on your machine.
Not in the scenario you later described. Read on...
[snip]Such as?
The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the case
of many if not most WinBoxen, is the whole machine).
I'd rather trust a software firewall designed with security in mind,
than the collection of MS services running on my machine. The servers I
run are not from MS at all.
So, in addition to the vulnerabilities inherent in that "software firewall"
(cf.: <http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html>,
<http://www.kb.cert.org/vuls/id/634414>,
<http://www.kb.cert.org/vuls/id/682110>,
<http://www.kb.cert.org/vuls/id/637318>,
<http://samspade.org/d/persfire.html>, <http://samspade.org/d/firewalls.html>,
etc.), you basically expose ALL of Windows, with its chronic legion of slowly-
or never-patched vulnerabilities (cf.
<http://secunia.com/advisories/14512/print/>,
<http://secunia.com/advisories/12670/print/>,
<http://secunia.com/advisories/11482/print/>,
<http://www.techweb.com/article/prin...MEKJVN?articleID=59200229&site_section=700028>,
<http://www.internetweek.com/shared/printableArticle.jhtml?articleID=19205530>,
<http://secunia.com/advisories/10589/print/>,
<http://www.elixir.com.au/news/default.cfm?nav_id=2&id=40>, etc.) DIRECTLY to
the 'net.
Too many links, you put me off reading any. The first were over a year
old. OK, so things have problems, it's hardly suprising. One of the
links pointed out that users don;t change the password on routers, so
the attacker could do what they like. This is exactly the problem -
many users don't know how to configure things like hardware firewalls
(or indeed software ones). You're not gonna fix that.
Hence, this is pretty much the definition of "defeating the purpose".
Or, if it will make it any clearer to you, look at it from the other way
around: With any so-called "software firewall", you are in effect running
your general-purpose OS (typically Windows -- eeek!) *and* all of your
application programs *on* your firewall machine, which is directly
antithetical to proper security procedures: Rule #1 is to NEVER enable any
unnecessary processes or services, *especially* on a device which faces the
outside world.
Understood, but a software fiewall is better than nothing. Good enough
for most people. If an attacker gains access to the letter somebody
wrote to their mum, or a school report it's not the end of the world.
Of course I would not recommend running only a software firewall on a
machine that houses all the accounts systems for a bank.
[snip]Obviously there eis some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do.
Not true, at least not as stated. Your web-server scenario below is an
atypical exception; but even that need not engender the degree of exposure you
presume.
They don't need to open a socket on a given port?
[snip]Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...
Of course -- at least presuming that "hardware router" is properly configured.
I'm not saying that it necessarily provides complete isolation (again, see
your "web server" scenario below); but it's definitely both another step
further removed from "the wild" *and* offers an opportunity to be selective
(think SPI) about what gets forwarded back and forth.
SPI is only the preserve of hardware firewalls?
[snip]I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessable to the outside world.
Which is not the case for the typical user, who does NOT need to run public
servers.
Think P2P, IM file transfers etc.
But even assuming that scenario, those public servers should be on a
separate interface (sometimes called a "DMZ" or "Orange interface"), where
they are both isolated from your "protected" network (sometimes called the
"Green interface"), and where ONLY the traffic necessary for that service is
permitted through.
I thought the idea of a DMZ was to not restrict it?
[snip]If I sit behind a software firewall,
But that's just it: You're NOT "behind" that so-called firewall; you're on
it, in it, in front of it, and all around it -- all at the same time.
Whatever.
[snip]that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router?
You're assuming a perfect world.
Of course. And so are you - you seem to think hardware firewalls are
invulnerable. Obviously they are not, and neither is software, and
physical isolation is better. But for the average user, is it
necessary? No.
The problem is not (so much) what happens when everything works as intended.
The larger problem is what happens when UNintended things happen. And in the
"software firewall" model, virtually any breach is by definition a
catastrophic disaster, simply because so much "other stuff" instantly becomes
available to the attacker.
[snip]My machine is exposed to the world, on those 2 ports...
Your machine is exposed to the world, period. The limitation to "on those 2
ports" is only valid in a very limited context.
Such as when the firewall is working? Well the same can be said for a
hardware firewall.
[snip]any
software vulnarabilty in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerabilty in Apache or
Jetty.
That is correct. There is no such thing as a perfectly secure computer
system.
But the bigger problem is that, in the "software firewall" model, any
vulnerability in ANY software running on that box can (and will) *also* pose a
threat to the integrity of the firewall itself. In short, the whole thing is
a house of cards.
You can't argue that software firewalls are a problem if they break.
Any firewall is a problem if it breaks.
I'm not saying that hardware firewalls are not better than software
ones. Most of the reasons you've given are "if the software firewall
doesn't work properly..." which is hardly a compelling argument.
Hardware firewalls are not perfect either.
The point is that a software firewall will, under most situations,
provide adequate security with minimal effort for a home user.
Ben