Re: Comodo blocking port forwarding

Poutnik wrote:


As for a more practical example: I setup a packet filter to only allow HTTP on port 80 via a proxy, and the proxy does both DNS forwarding and HTTP proxying. In both application protocols I set up a whitelist of allowed domains - now how exactly would you circumvent it?

easily, by human press to cancel such limited funtionality.


Obviously you've never been working as an admin in a company. Indeed, there is some press at the beginning, until they learn how to sit down and shut up. After all, you're supposed to work, and thus only get access to the resources you need for getting the work done.

> This trade off will be always

a weakness by principle, not less serious than principial ability of PFW to be compromised.


Well, I'd say the latter is always more serious, especially since it's typically an implementation problem.

BTW tests shows malware have hard time to get through PFWs.
Serious tests show how blatantly wrong these tests are.

Not proved. Well, most you say about PFW, can be easily applied
to AV solutions. Would you persuade people not to use AV ?


Persuade? The default hypothesis is that you don't use something until you actually need it. A virus scanner can be a useful intrusion detection system, and a god junk filter, but anything bezong is quite furtile.

That is, if they really decide to use a virus scanner, I'd persuade them to not rely on it as a security measure, since (sadly) most of them do. Which also typically means that it's of no value to them any more, and thus they should simply stop using it at all.

The fact there is no 100% secure sw solution of any kind
( and I have never claimed the opposite ) does not mean we should not use it.


Wrong direction. By principle, any additional software increases the system's complexity and therefore reduces its security. Unless this can be justified by the additional protection introduced, it's absolutely wrong to use it. And for PFWs this case always holds.

Would you not trying to cure a disease, just because there is no garance of success ?


And now a wrong analogy between the analogue and the digital world (hint: the latter has an enumerable possibility space, and doesn't know the equivalence of "just use more force"), as well as a wrong analogy between biological diseases and computer security problems (hint: biological bodies are open systems, by design).

Their low level drivers are blocking all connection activity
until PFW application is running.
And what happens before the driver is loaded?

Then there are suspicious data transactions
between other already booted devices within so called secured LAN HW FWs do not care after.
Who would care about FW in age of notebooks,
palms, IR, wifi, bluetooth and all related stuff ? :-D


You shouldn't post while being drunk or stoned. This absolutely doesn't make any sense.
.