New Zealand ADSL Mailing List


Re: Limited Port Mapping, Router or Firewall & Liability

From: HAMISH MACEWAN <hamish_at_usa.net>
Date: 7 Jul 99 23:35:58 NZST
Message-ID: <19990707113558.1074.qmail@nwcst314.netaddress.usa.net>

Just a couple of comments on the flurry of emails, and I hope I keep the
attributions straight.

I think the fundamental Netmeeting issue is in the article Dan quoted:

"only the first port number (1720) is static. After the initial connection, a
dynamically assigned TCP port number is negotiated for some more control data
to be exchanged."

Thus you can't make enough pinholes to allow for the "dynamically assigned"
control connections.

Perhaps this isn't an embedded IP address situation after all. As Glenn has
observed though, leaving a lot of open holes for UDP to slip in through is not
a secure idea, but what I am now confused over is UDP or TCP (as per the quote
above). Either is a bit risky, UDP more so though thanks to some NeFariouS
issues, or so I am led to believe.

What could happen, to be more secure, in a stateful packet filter, that was
aware of the protocols mentioned by Glenn, was that it could note the dynamic
port assignment and allow connection, indeed in a NAT situation map the
connection, back into the requesting network. This is, I believe, how the FTP
file transfer back channel is handled (FTP is full of gotchas: a transfer
*usually* asks the remote site to call back on a dynamic port).

Dan has written, "The Nokia M10 is not a firewall, it's a router. Well, it
might be a firewall but for all we can see, it's just a router."

The distinction between a router and a firewall is moot, firewalling
functionality at a primitive packet filtering level is common on routers, and
the NAT/pinhole combination on the M10 certainly allows you to manage, to a
point, what incoming connections are allowed. There isn't any outbound
control, and I'm not going to say whether there should or shouldn't be, but a
choice might be nice for some.

Therefore I think at the very least we can say that the M10 has some
firewalling functionality.

How much functionality is required before a router becomes a "Firewall" is
open to debate, though I think it's a "Firewall" when it fulfills the user's
firewalling requirements.

Glenn has pointed out that if "accept all" connections were an option on the
M10, (my cunning plan of mapping all ports to all ports was flawed as Dan
suggested, and I feared) then a topology like:

Internet <-> M10 <-> "Firewall" <-> Inside network

Would be fine. What's interesting is that with the Efficient option of an
internal modem you get Dr David's situation:

Internet <-> [Efficient-PC]

Trying to illustrate the Efficient installed in the PC, which incidentally,
unless there is some upstream control, is completely exposed to the Internet,
"which has no pinhole problems." No, definitely not, but there might be some
other problems with that exposure.

However Telecom is not, as anyone who signed the install agreement will
attest, an organisation likely to leave itself open to "a legal hornets nest,
methinks."

The Efficient internal modem option also makes possible:

Internet <-> [Efficient-"Firewall/{NAT}"] <-> Inside network

NAT is in braces to suggest it is optional, (if you have your own public IP
address you don't need NAT, and you are very lucky or very rich <grin>).

Which is something I'd be keen to give a go too. I fortunately have boxes
lying around, cast-offs, and Linux or *BSD is cheap.

It's interesting the degree to which the fact that the M10 is purely and
simply a simple router has been obscured by the constant reference to it as a
modem... It is a two port router, with an ethernet interface on one side and
an ADSL modem interface on the other... It has been dumbed down, and the
limitation on pinholes, and the many-to-one mapping, are egregious efforts to
limit its functionality, so as not to compete with pricier models up the
range... It's called marketing, and it's only new to the networking business
at the residential consumer level. Might be thought to mirror some of the
other limitations in the residential broadband arena, which are not limited to
ADSL either...

Hamish.

Received on Wed Jul 7 23:35:58 1999
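The protocol-aware stateful filter described in the post (noting the dynamic port negotiation on the control channel and opening just that connection back into the requesting network), sketched as an added example that is not code from the post or the list: a simplified FTP active-mode helper that parses the client's PORT command and admits one short-lived, single-use pinhole for the matching data connection. All names, addresses and the clock values are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed, simplified model of a protocol-aware stateful filter (an FTP
# "application layer gateway"): inspect the client's active-mode PORT command
# on the control channel and open a single temporary pinhole for the matching
# data connection, instead of leaving a range of ports permanently open.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


class FtpPinholeFilter:
    def __init__(self, pinhole_ttl: float = 30.0):
        self.pinhole_ttl = pinhole_ttl
        # (server_ip, client_ip, client_port) -> expiry time (caller's clock)
        self.pinholes: Dict[Tuple[str, str, int], float] = {}

    def parse_port(self, line: str):
        """Return (ip, port) announced in a PORT command, or None if malformed."""
        m = PORT_RE.match(line)
        if not m:
            return None
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        ip = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        return ip, port

    def observe_control(self, client_ip: str, server_ip: str, line: str, now: float) -> bool:
        """Watch one control-channel line from the client; open a pinhole on PORT."""
        parsed = self.parse_port(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Only honour an address matching the control-channel client; a PORT
        # naming some third host would let the server be pointed elsewhere.
        if ip != client_ip or port < 1024:
            return False
        self.pinholes[(server_ip, client_ip, port)] = now + self.pinhole_ttl
        return True

    def allow_inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, now: float) -> bool:
        """Decide an inbound connection attempt from the server's data port (20)."""
        key = (src_ip, dst_ip, dst_port)
        expiry = self.pinholes.get(key)
        if expiry is None or now > expiry or src_port != 20:
            return False
        del self.pinholes[key]  # one use, then the pinhole closes again
        return True
```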