


Re: appliance firewall

From Thad Floryan <thad@thadlabs.com>
Newsgroups comp.os.linux.misc
Subject Re: appliance firewall
Date 2011-05-17 02:05 -0700
Organization ThadLABS
Message-ID <4DD23A74.6010800@thadlabs.com> (permalink)
References <iqq4ut$tu4$1@dont-email.me> <4DD0AD5E.4040207@thadlabs.com> <iqsqi8$5ej$1@dont-email.me>



On 5/16/2011 8:37 PM, Todd wrote:
> On 05/15/2011 09:51 PM, Thad Floryan wrote:
>> On 5/15/2011 8:16 PM, Todd wrote:
>>> [...]
>>>
>> SonicWALL is literally a plug'n'play solution that just works.
> 
> Hi Thad,
> 
> 100's.  Hmmm.  Exactly the information I was looking for.
> Thank you!

You're welcome!  It was someone posting in the ba.internet group
back in the mid-1990s that clued me in to SonicWALL, and I installed
them for clients until 2008, when I retired.

> [...]
> The frustrating part of all this is that the scan is only of the
> public IP address.  It does not see anything, such as a firewall
> on the other side of the router.  This is really not about
> security.  It's about the insurance provider avoiding liability.
> Meaning that I cannot put a firewall in between the router and the
> internal network and be guaranteed to always pass their probe test.
> All the customer's facilities use NAT.  The probe doesn't even
> know what the internal IP addresses are.
> 
> I can put the el-cheapo modem in bridge mode, but the next el-cheapo
> low-bid-router-of-the-week will be back in regular mode and the
> hassles will start all over.  And, who knows how long the el-cheapo
> modems will still support bridge mode.  Ever have an ISP tech
> show up at a customer's facility and redo your entire configuration?
> 
> And if this week's replacement el-cheapo doesn't pass their test,
> they will void their liability.

What EXACTLY is it they're testing?  I have my SonicWALL TZ170 set up
to be in stealth mode -- there is absolutely NO response from the
SonicWALL to anything from the outside.

Another nice aspect of the SonicWALL is no moving parts and no heat,
such as would be the case if I cobbled up a Linux-based system using
old hardware.  Plug computers are a possibility, but I'm unaware of
any with multiple NICs -- my SheevaPlugs and GuruPlugs have single
GigE ports:

      <http://thadlabs.com/PIX/SheevaPlug_labelled.jpg>
      <http://thadlabs.com/PIX/SheevaPlug_underside.jpg>
      <http://thadlabs.com/PIX/Sheevaplug_Webmin.jpg>
      <http://thadlabs.com/PIX/SheevaPlug_GuruPlug.jpg>

In case it wasn't obvious, the SonicWALL appliance is also a router.
I presently have a maxed DOCSIS 2.0 cable connection and here's a
simple diagram of my home office setup:

                                 outdoor cable
                               ________|_________
                              [ Motorola SB-5101 ]
                              [____cable modem___]
                                       |
                               ________|_________
                              [  SonicWall TZ170 ]
                              [__Firewall/Router_]
                           LAN |                | DMZ
   The Cisco router is   ______|______    ______|_________
   to get-around a LAN  [Cisco BEFSR41]  [ D-Link DIR-625 ]
   license issue with   [___Router____]  [__(Guest Wifi)__]
   the SonicWall due to   |  |  |  |
   # of devices on LAN    |  |  |  |
                       various switches
                   for computers, printers,
                   LANCAMs, LAN WiFi, other
                   devices (RS-232, USB hub)

FWIW, there's double NATing from my LAN to the outside and it doesn't
seem to affect anything (home banking, Steam games, ssh, sftp, etc.).

Again, I'm really curious what it is they're testing.
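Added example, not part of Thad's post and not SonicWALL or iptables code: a small Python audit that reads a simplified iptables-save INPUT chain and reports which outside probes would get any reply at all, which is what "stealth mode" comes down to if the firewall is a cobbled-up Linux box instead of an appliance. Of the iptables targets only DROP sends nothing back; ACCEPT lets the kernel answer (SYN/ACK if something listens, RST if not) and REJECT answers with an RST or ICMP unreachable, so both are visible to a probe of the public address. The two rulesets, the port list and all function names are constructed for illustration; the helper inspects only the INPUT chain, assumes --dport names a single port, and treats any rule limited to lo or to ESTABLISHED/RELATED as invisible to an unsolicited probe.

```python
"""Audit a simplified iptables-save INPUT chain for "stealth" behaviour.

An outside scan classifies a port only by the reply it gets: SYN/ACK (open),
RST or ICMP unreachable (closed/rejected), or nothing (filtered).  A host in
"stealth mode", as used in the thread, replies to nothing.  Hypothetical
helper: only the filter table's INPUT chain is read, --dport must be a
single port, and rule syntax is one-line iptables-save output.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    proto: Optional[str]       # "tcp", "udp", "icmp" or None for any protocol
    dport: Optional[int]       # destination port, None when not specified
    icmp_type: Optional[str]   # e.g. "echo-request", None when not specified
    target: str                # ACCEPT, DROP or REJECT
    applies_to_probe: bool     # False for loopback-only or ESTABLISHED-only rules


def _opt(toks: List[str], flag: str) -> Optional[str]:
    """Return the argument following FLAG in a token list, or None."""
    if flag in toks and toks.index(flag) + 1 < len(toks):
        return toks[toks.index(flag) + 1]
    return None


def parse_ruleset(text: str) -> Tuple[str, List[Rule]]:
    """Return (INPUT chain policy, ordered INPUT rules) from iptables-save text."""
    policy = "ACCEPT"  # iptables' built-in default when no policy line is present
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT "):
            continue  # other chains, table markers and COMMIT are out of scope
        toks = line.split()
        target = _opt(toks, "-j")
        if target is None:
            continue  # a rule without a target only counts packets
        states = _opt(toks, "--ctstate") or _opt(toks, "--state")
        # An unsolicited probe is a NEW connection on a real interface; rules
        # bound to lo or to ESTABLISHED/RELATED never match it.
        applies = _opt(toks, "-i") != "lo" and (states is None or "NEW" in states.split(","))
        dport = _opt(toks, "--dport")
        rules.append(Rule(proto=_opt(toks, "-p"), dport=int(dport) if dport else None,
                          icmp_type=_opt(toks, "--icmp-type"), target=target,
                          applies_to_probe=applies))
    return policy, rules


def first_match(policy: str, rules: List[Rule], proto: str,
                port: Optional[int] = None, icmp_type: Optional[str] = None) -> str:
    """Target the chain applies to one unsolicited probe (first match wins)."""
    for r in rules:
        if not r.applies_to_probe or r.proto not in (None, proto):
            continue
        if r.dport is not None and r.dport != port:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.target
    return policy


def scanner_sees(target: str) -> str:
    """DROP is the only target that puts no packet on the wire toward the prober."""
    return "silent" if target == "DROP" else "responds"


def audit_stealth(text: str, tcp_ports=(22, 80, 443), udp_ports=(53,),
                  ping: bool = True) -> List[Tuple[str, str]]:
    """List every probe that would draw a reply as (probe, target); [] means stealth."""
    policy, rules = parse_ruleset(text)
    probes = [("tcp", p, None) for p in tcp_ports] + [("udp", p, None) for p in udp_ports]
    if ping:
        probes.append(("icmp", None, "echo-request"))
    findings = []
    for proto, port, itype in probes:
        target = first_match(policy, rules, proto, port, itype)
        if scanner_sees(target) == "responds":
            label = f"{proto}/{port}" if port is not None else f"{proto} {itype}"
            findings.append((label, target))
    return findings


# Constructed sample rulesets for illustration, not captured from any real host.
STEALTH_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

CHATTY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("stealth", STEALTH_RULES), ("chatty", CHATTY_RULES)):
        hits = audit_stealth(ruleset)
        print(f"{name}: {'silent to every probe' if not hits else hits}")
```

An empty finding list is the condition an outside "no response" scan like the one Todd describes would report; a REJECT entry is the usual way a home-built Linux firewall fails such a check, since a TCP reset or ICMP unreachable is still a reply, and an ACCEPT on a port with nothing listening fails it too because the kernel answers with an RST.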
