Ubuntu 6.06 criticisms from a programmer

I completely agree. I'm very security-conscious; I have to be, I run ecommerce systems. I run OpenBSD (both in production and at home) - it's not Linux, but it is *nix, and just a tad more secure ;). Re Ubuntu, I can confirm that it's already far more secure with broadband than e.g. Windoze and a modem.

And I agree re a hardware firewall, for all the reasons mentioned, and a few more. To be clear, this will usually take the form of a NATing router, i.e. it separates two networks (the Internet and the LAN), and provides controlled traffic between the two. With this setup, it's the router that's online, not the clients. It will block unsolicited traffic - i.e. anything other than what you ask for. Properly set up, the benefits in terms of security of a router mean you're pretty safe from direct attack - whether with Linux, OpenBSD, or Windows.

Steve


Reply to
Steve at fivetrees

NAT firewalls should be required by law to be built into any consumer device that's designed for connecting a computer to the Internet.

Reply to
arachnid

Absolutely. Failing that, ISPs should be required by law to have the same firewall functionality (especially the NAT, and blocking *all* incoming traffic unless explicitly allowed) for their customers. It would not even be hard or costly to do - all that's needed is a web interface around the linux iptables command (or the OpenBSD equivalent).

Of the ISPs I've had dealings with over here, most seem to think that a CD with Norton is appropriate security. Some of these don't want you to have a firewall/router - they much prefer that customers have a single Windows PC + Norton connected to their ADSL modem, since that saves training their support droids to handle different situations. Others I've met encourage the use of a firewall/router (and will sell you one at a reasonable price), while only one actively forces you to use a firewall/router. Unfortunately, this last choice is the most expensive (it's a good choice for businesses, but not for home users).

It's reasonable to connect a *nix machine directly to the net (many hardware firewalls run linux), but even then it should of preference be a dedicated firewall box. Anyone connecting a windows PC to the net, by dial-up or broadband, without using a NAT firewall/router is acting out of ignorance (either their own ignorance, or their ISP's ignorance).

Reply to
David Brown

Forced by law? Isn't that a bit extreme and intrusive? Do you think that the government can protect a fool from himself? These are the same kind of people that respond to Spam to get them to stop and are bewildered by the increase in Spam; feel free to educate them, but leave government out of it. The only thing government is good at is to force you to pay ever increasing taxes, so they can have more money to waste.

Spinach is good for you, shall we have government force you to have to eat some every day?

--

Cecil
KD5NWA
www.qrpradio.com www.hpsdr.com

"Sacred Cows make the best Hamburger!"
Don Seglio Batuna
Reply to
Don Seglio

In Don Seglio:

[Snip...]

Free speech is good for you--shall we have spammers force you to eat some every day?

-- Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS * Pardon any bogus email addresses (wookie) in place for spambots. Really, it's (wyrd) at airmail, dotted with net. DO NOT SPAM IT. Kids jumping ship? Looking to hire an old-school type? Email me.

Reply to
Harold Stevens

That is kind of unfair. How many people driving cars know where the cylinder rod can be found? Not everyone can be a computer security expert.

Here in the USA the law helps in removing dangerous products from the public, lead in kids' toys as an example.

With the failure of the unfair marketing practices case against M$ it would seem to make sense. Put the business on one subnet and firewall the mom/pop/granny/kids on another with firewalls in the ISP routers. We'll just ignore that small network problem for the ISPs for sake of argument. :)

I will have to say, something is going on. I run Shorewall with a blacklist of noisy ip subnets. About once a month if the counters show no inbound attempts, I remove the rule for that ip. The list is getting smaller not larger.

Reply to
Bit Twister

You can't force people to use sensible behaviour on the internet (well, you could introduce a "driver's license", but that would be a bit much). So you can't force people to use a firewall. But it's not unreasonable to require ISPs to supply a firewall with every broadband connection (as I said, they could easily make a half-decent one on their side of the connection). Remember, every time somebody connects an unprotected windows machine to the net, it costs you and me time and money through increased spam, viruses, worms, attack bots, and other nasties. And every time an ISP offers a customer a broadband connection without a firewall, they are acting irresponsibly - the average customer does not know anything more than the ISP tells them, and will suffer the consequences. The only thing that stops ISPs giving out firewalls is the cost, which would put them at a disadvantage compared to their competitors. Regulations requiring firewalls to be provided would keep the playing field even.

No, but you have regulations forcing suppliers to inform customers about hidden dangers (like food labels saying "may contain nuts"). At the very least, ISPs should have to inform customers that they are not safe without a hardware firewall.

Reply to
David Brown

No, but the law should put people who send you unsolicited fake spinach, or set fake spinach traps, in jail.

And force the IDP of countries that allow sending unsolicited fake spinach or setting fake spinach traps.

--
.sigzip:*
Reply to
mimus

That is also one gripe of mine, even though I only program as a hobby. It seems that the people behind [(Ku)(Xu)U ]buntu insist on keeping all sorts of basic tools out of the default install and some even out of the damn CD. GCC is one good example but there are also other astonishing examples like ndiswrapper. I mean, if a laptop user whose laptop packs a non-supported wireless card wants an internet connection then he is forced to install ndiswrapper, which he can only install if he connects to ubuntu's repositories over the net.

I don't know if this is a problem exclusive to Ubuntu. I've run Mandrake 9.2, the first Mandriva, Fedora core 4 and Kubuntu since 5.04 and each and every one of those distributions couldn't ignore my touchpad while typing. Moreover, I still can't manually turn the touchpad off.

There are all sorts of problems with Ubuntu. The problem which keeps nibbling on my nuts is the dreaded overheating bug. Ubuntu has been plagued by that problem since at least 5.04 and, at least according to the bug report page, it will not be fixed in this new release. That means that Ubuntu is packing a showstopping bug for 4 releases. Not good.

On a lighter note, you can always try out the new Ubuntu. Version 6.10 is going to be released in a few days. I believe that the beta version is already available. Why don't you give it a try?

Best regards Rui Maciel

--
Running Kubuntu 6.06 with KDE 3.5.5 and proud of it.
jabber:rui_maciel@jabber.org
Reply to
Rui Maciel

Nope. NAT firewalls are mundane technology nowadays. If there were a law requiring them in all devices, mass-production would lead to inexpensive chipsets. I would be very surprised if it added more than $10 to the final cost. That's pretty cheap for the amount of protection it provides. I'd pay a whole lot more than that to have a NAT firewall built into my laptop so I didn't have to carry an extra box around.

I worked in R&D for 25 years. IMNSHO, "RTFM!" is usually just a way to blame the user for the designers' own failure to meet the needs of his target audience.

Reply to
arachnid

Since you were in R&D, what do you know of real world manufacturing? First of all, anything actually requiring a manual has customers, the proper term for "target audience", and are finally determined by the constraints of costs and marketability. Second, end users are not the only "customers". There is also support/maintenance to consider, though they seldom are. Third, and by no means last, documentation is never written with the customer in mind. That's primarily the realm of legal with an over-the-shoulder peek by marketing and middle management. Any relevance to the actual use of the product is strictly coincidental. There are "manuals" written for support. These are much more relevant. Consequently, it pays for the end user to get his hands on a service manual, if possible.

nb

Reply to
notbob

You use the term "NAT firewall", but in fact, there is no such thing. There are routers that include both NAT and firewall capabilities, but it is important to understand that NAT is not a firewall. So, looking at the 2 components:

firewall: universally a good idea for security assuming that it is properly configured. Stateful firewalls provide excellent security against many threats.

NAT: unfortunately, NAT has some negative side effects. It breaks some end-to-end security, forcing ugly hacks such as NAT-T. It is quite possible that with IPv6, NAT will be much less prevalent.

Also, there are different types of NAT (symmetric, asymmetric). Some break other protocols such as SIP, requiring other ugly hacks such as proxies.

Reply to
Whoever

Just to put this in perspective a little, I now run greylisting as a first-line defence against spam. (See wikipedia for details.) It basically separates real mailservers from p0wned Windows machines. Since I turned this on, my (and my clients') spam has reduced by around 99.8%.

This probably means that most spam is down to trojans/worms. I.e. insecure Windows machines connected directly to the interweb.

I'm with David. NAT'ed firewalling should be a legal requirement. Period.

Steve


Reply to
Steve at fivetrees
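The greylisting Steve describes above, as an added example that is not from any post in this thread: a minimal greylist keyed on the (client IP, envelope sender, recipient) triplet, run over constructed delivery attempts. A first contact gets a temporary SMTP failure (451); a real mail server retries later and is accepted, while a one-shot or hammering bot never gets through. The 300-second minimum delay, 4-hour retry window and all addresses are assumed values.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: seconds a sender must wait before a retry counts
RETRY_WINDOW = 4 * 3600  # assumed: seconds during which that retry is honoured

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    allowed: set = field(default_factory=set)    # triplets that retried properly

    def check(self, now, client_ip, sender, recipient):
        """Return the SMTP reply code for one delivery attempt at time `now`."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.allowed:
            return 250                      # already proven to be a real MTA
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now     # never seen: defer, remember it
            return 451
        age = now - first
        if age < MIN_DELAY:
            return 451                      # retried too soon (bot hammering)
        if age > RETRY_WINDOW:
            self.pending[triplet] = now     # stale entry: start over
            return 451
        del self.pending[triplet]
        self.allowed.add(triplet)           # patient retry: accept from now on
        return 250

def run_log(events):
    """Feed (time, ip, sender, recipient) events through one greylist."""
    gl = Greylist()
    return [(t, ip, gl.check(t, ip, s, r)) for t, ip, s, r in events]

# Constructed sample: a real MTA retries ten minutes later; bots on
# compromised PCs either never retry or retry within a second.
SAMPLE = [
    (0,   "203.0.113.10", "alice@example.org", "steve@example.net"),  # real MTA
    (5,   "198.51.100.7", "promo@spam.test",   "steve@example.net"),  # bot, one shot
    (6,   "198.51.100.8", "deal@spam.test",    "steve@example.net"),  # bot hammering
    (7,   "198.51.100.8", "deal@spam.test",    "steve@example.net"),
    (600, "203.0.113.10", "alice@example.org", "steve@example.net"),  # MTA retry
    (601, "203.0.113.10", "alice@example.org", "steve@example.net"),  # now whitelisted
]

if __name__ == "__main__":
    for t, ip, code in run_log(SAMPLE):
        print(f"t={t:4d} {ip:14s} -> {code}")   # 451 451 451 451 250 250
```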

wtf?

Steve


Reply to
Steve at fivetrees

Huh?

NAT == network address translation. IOW, providing a controlled connection between two networks.

If you can control the connection (e.g. OpenBSD's pf packet filter), what's missing?

Steve


Reply to
Steve at fivetrees

nice summary. ;)

nb

Reply to
notbob

:)

Steve


Reply to
Steve at fivetrees

No. NAT is an evil hack which was invented to preserve IP address space by allowing hosts on a privately addressed unroutable network to speak to the outside world of public routable IP addresses via a single public IP address.

For the most part this has the effect that you can make connections outward bound but not inward bound, which is why people confuse it with a firewall (as most firewalls will be set up to prevent inward connections).

Most things sold as "firewalls" for PCs are actually application policy tools or crude intrusion detection systems rather than firewalls.

An understanding of how IP works?

-p

--
"Unix is user friendly, it's just picky about who its friends are."
 - Anonymous
--------------------------------------------------------------------
Reply to
Paul Gotch
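To illustrate the point made by both Whoever and Paul above that NAT is not a firewall, an added example that is not from any post in this thread: a toy port-translating NAT in Python. Unsolicited packets to an unmapped port are dropped only because there is nothing to translate them to, and on a full-cone NAT any outside host can reach a mapped port once the inside host has opened it; only the address-restricted variant checks who the peer is, and neither variant applies any policy. All IP addresses and the port base are constructed values.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"   # constructed: the router's single public address

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Napt:
    """Port-translating NAT. full_cone=True: once an inside host has a mapping,
    any outside host may send to its external port. False (address-restricted
    cone): only the peer the inside host first contacted gets through."""
    full_cone: bool = True
    next_port: int = 50000                        # constructed external port base
    table: dict = field(default_factory=dict)     # ext_port -> (in_ip, in_port, peer_ip)
    reverse: dict = field(default_factory=dict)   # (in_ip, in_port) -> ext_port

    def outbound(self, pkt):
        """Inside -> outside: create or reuse a mapping and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        ext = self.reverse.get(key)
        if ext is None:                           # nothing is ever filtered here
            ext, self.next_port = self.next_port, self.next_port + 1
            self.table[ext] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
            self.reverse[key] = ext
        return Packet(PUBLIC_IP, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: deliverable only if the port has a mapping."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                           # no mapping: nowhere to send it
        in_ip, in_port, peer = entry
        if not self.full_cone and pkt.src_ip != peer:
            return None                           # restricted cone: unknown peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo(full_cone):
    """(reply delivered?, stranger reached the mapped port?, unmapped port reached?)"""
    nat = Napt(full_cone=full_cone)
    dns = nat.outbound(Packet("192.168.1.10", 40000, "198.51.100.53", 53))
    reply = nat.inbound(Packet("198.51.100.53", 53, PUBLIC_IP, dns.src_port))
    stranger = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, dns.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return reply is not None, stranger is not None, unsolicited is not None

if __name__ == "__main__":
    print("full cone      :", demo(True))    # (True, True, False)
    print("restricted cone:", demo(False))   # (True, False, False)
```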

What the hell's a cylinder rod? I've been fixing cars for 40 years but I ain't never heard of a cylinder rod. A cylinder is a hole that the piston sits in. The connecting rod connects the piston to the crank; is that what you mean, the connecting rod?

Reply to
user

That just proves his case. If even someone who has been fixing cars for 60 years doesn't know what a "cylinder rod" is, why would you expect the average driver to know anything about it? :o>

Reply to
arachnid
