Re: 2000 server solution

From: Wolfgang Kueter (wolfgang_at_shconnect.de)
Date: 10/22/03


Date: Wed, 22 Oct 2003 01:22:12 +0200

Leythos wrote:

> While I would like to have talked about Linux, the chap that started the
> thread did so for his W2K box.

Doesn't matter. The stack of the windoze box behaves just like the Linux stack.
A closed port remains a closed port, a tcp-rst remains a tcp-rst and an
icmp port-unreachable remains an icmp port-unreachable, no matter
whether a Linux stack or a windoze stack sends it.

> I never had any delusions that Proxy applications on the firewall were
> inspecting the packets at layer 2, I understand that they are actually
> assembling the packets and reassembling them in order to remove the
> attachments. Do you really think that the poster understands the Stack
> or the implications of the various inspection methods?

Of course not, the OP was clueless, but maybe this discussion has given him
some ideas. It might be a starting point for him to see what he has to learn.
 
> The level of detail that you and I could go into is way beyond what the
> poster was asking for (imho), so it was not provided.

Might be the case, but if those who understand the details never mention
them, the stealth-firewall-voodoo-soup gets thicker and thicker, and in the
end everybody is so confused that the only thing that is left is sending
prayers and money to Redmond.
 
> If he is running a W2K box he needs at least a NAT Router device, no
> amount of playing with the OS/Apps will protect him if he doesn't
> understand them.

But why not teach him? Of course the quick solution is to put a NAT box in
front of the machine, the other way is harder, no doubt.

> Since he doesn't understand, it's just as well that he
> gets a NAT device or a real firewall to protect the server from the public
> and from himself.

I prefer locking the doors of the house to putting a fence around it ;-)

best wishes
Wolfgang
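Wolfgang's point above (a closed port answers with a TCP RST, a closed UDP port with an ICMP port-unreachable, and a port behind a drop rule answers with nothing at all, whatever OS sits behind it) can be seen directly with ordinary sockets. The following is an added example and not part of the original post or thread; it uses only the Python standard library and assumes the loopback interface (127.0.0.1) is available, so the "closed" and "open" cases run offline. The "filtered" and "unreachable" results are what the same code would report against a remote host that silently drops the probe or whose router returns an ICMP error; the port numbers it uses are obtained from the kernel at run time, not fixed.

```python
"""Classify what a TCP or UDP port 'says' back, independent of the OS behind it.

Constructed example: a free loopback port is learned from the kernel and then
released, so the closed-port probe really talks to a port with no listener.
"""
import errno
import socket


def free_loopback_port(proto=socket.SOCK_STREAM):
    """Ask the kernel for an unused loopback port and release it again."""
    with socket.socket(socket.AF_INET, proto) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_tcp(host, port, timeout=1.0):
    """Return 'open' (handshake completed), 'closed' (the peer's stack answered
    the SYN with a TCP RST), 'filtered' (nothing came back within the timeout,
    i.e. a firewall silently dropped the probe) or 'unreachable' (an ICMP
    host/network unreachable error was delivered to the socket)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:        # kernel saw a RST -> ECONNREFUSED
        return "closed"
    except socket.timeout:                # no SYN/ACK, no RST: dropped
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"          # ICMP error, not a port answer
        raise
    finally:
        s.close()


def probe_udp(host, port, timeout=1.0):
    """UDP has no handshake. A closed port answers with ICMP port-unreachable,
    which the kernel reports on a *connected* UDP socket as ECONNREFUSED on
    the next recv. Silence is ambiguous: a listener that does not reply, or
    a firewall dropping the datagram, look the same ('open|filtered')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1)
        return "open"                     # something actually answered
    except ConnectionRefusedError:        # ICMP port unreachable came back
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def demo():
    """Probe a real listener and two closed ports on loopback."""
    closed_tcp = free_loopback_port(socket.SOCK_STREAM)
    closed_udp = free_loopback_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        return {
            "tcp_open": probe_tcp("127.0.0.1", open_port),
            "tcp_closed": probe_tcp("127.0.0.1", closed_tcp),
            "udp_closed": probe_udp("127.0.0.1", closed_udp),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run against a remote box, the interesting distinction is between "closed" and "filtered": the first means the stack itself answered (there is nothing to hide, the port is simply not listening), the second means something in between ate the probe, which is the only thing a "stealth" setting actually changes. Note that the UDP verdict can never be better than "open|filtered" without an application-level reply, which is why UDP scans are slow and unreliable by nature.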
