Re: Firewall needed behind router?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Sun, 12 Jun 2005 22:21:12 -0500
In the Usenet newsgroup comp.security.firewalls, in article
<s8mdnQdta-KmWzHfRVnemail@example.com>, Charles Newman wrote:
> Well, my setup can do it and do it well. Its just a
> matter of telling the firewall not to let the socks proxy
> use port 80, and ports 1000-5300. I am simply going
> on what I was taught in college. We were taught to
> do it all using software.
by your astronomy instructor if I recall correctly. Any serious business
doesn't use the toy firewalls, because the users can override them. Also
the "personal" firewalls don't scale. I hope that was an overview class
you took, because otherwise I'd recommend filing suit for fraud against
> Well, actually, each computer would be in sets
> of 254 computers for each subnet. Routers, gateway
> programs, and the like only can support 254 computers
0950 Internet Standard Subnetting Procedure. J.C. Mogul, J. Postel.
Aug-01-1985. (Format: TXT=37985 bytes) (Updates RFC0792) (Also
STD0005) (Status: STANDARD)
1122 Requirements for Internet Hosts - Communication Layers. R.
Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated by
RFC1349) (Also STD0003) (Status: STANDARD)
1219 On the assignment of subnet numbers. P.F. Tsuchiya. Apr-01-1991.
(Format: TXT=30609 bytes) (Status: INFORMATIONAL)
1878 Variable Length Subnet Table For IPv4. T. Pummill, B. Manning.
December 1995. (Format: TXT=19414 bytes) (Obsoletes RFC1860) (Status:
Pay particular attention to the last one. Any idea why we might be using
a mask of 255.255.252.0 (/22 or FFFFFC00), which is 1022 hosts on one wire?
> If you have thousands of computers, you must
> have several routers or several NIC cards to do it.
The normal use would be routers - we're using Ciscos with up to sixteen
interfaces per. You could use a PC with multiple NICs, but they tend to
run out of bandwidth pretty quick - even if you put multiple interface
NICs like the DLink DFE-570TX or DFE-580TX (four NICs on a single PCI
card) or the many different dual NICs. Again, you don't use toy setups
for serious business.
> Sure, there are class A, B, and C subnets. Class C,
> the most common, supports up to 254 machines
> (addresses 0 and 1 are reserved).
Class A, B, C, D, and E went out of fashion in 1993. See
1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan. September
1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338) (Status: PROPOSED
When a Regional Internet Registry like AFRINIC, APNIC, ARIN, LACNIC or RIPE
(or a national registry within your country of registration, or even a
major provider like BBN, AT&T, Level3, or MCI) assigns you a block of
addresses, you can subnet it as you see fit, subject to the recommendations
in RFC1219. Our primary block was assigned to us in 1986, and it was divided
into /22s based on the expected number of computers in a department.
And if you read RFC1878, you'll discover you made another error about
'addresses 0 and 1 are reserved'.
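Added worked example (not part of the original post or the quoted RFCs): the subnet arithmetic behind the /22 mask and the "addresses 0 and 1 are reserved" point, done by hand and cross-checked against Python's stdlib. The 10.1.x.x addresses are constructed samples.

```python
import ipaddress  # stdlib; used only to cross-check the hand computation

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def _to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """255.255.252.0 -> 22. RFC 950 masks are contiguous ones then zeros;
    anything else (e.g. 255.255.0.255) is rejected rather than silently used."""
    bits = _to_int(mask)
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def usable_hosts(prefix: int) -> int:
    """Host addresses per subnet after removing the all-zeros (network) and
    all-ones (broadcast) addresses, per RFC 1878's table: /22 -> 1022, /24 -> 254."""
    return (1 << (32 - prefix)) - 2


def subnet_bounds(address: str, prefix: int) -> dict:
    """Network, broadcast and usable host range of the subnet containing `address`."""
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    network = _to_int(address) & mask          # host bits cleared
    broadcast = network | (~mask & ALL_ONES)   # host bits set
    # Cross-check with the stdlib (constructed sample, strict=False keeps host bits).
    ref = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    assert int(ref.network_address) == network and int(ref.broadcast_address) == broadcast
    return {"network": _to_dotted(network), "broadcast": _to_dotted(broadcast),
            "first_host": _to_dotted(network + 1), "last_host": _to_dotted(broadcast - 1),
            "hosts": usable_hosts(prefix)}


def is_usable_host(address: str, prefix: int) -> bool:
    """The reserved addresses are the subnet's network and broadcast addresses,
    not 'anything ending in .0 or .1': in 10.1.0.0/22, 10.1.1.0 and 10.1.2.0 are
    ordinary hosts, while 10.1.0.0 and 10.1.3.255 are the two that are unusable."""
    b = subnet_bounds(address, prefix)
    return address not in (b["network"], b["broadcast"])
```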