Gaffer,
I've chosen to answer inline...

On 06/30/2010 16:55, Gaffer wrote:
Hi Duncan,

On Wednesday 30 June 2010 21:23:39 DSinc wrote:
Gaffer (Josh),
My apologies. I somehow forgot that my traffic (queries) go to many
places around our globe.  It was not until our 1st exchange that I
realized that you were sharing from a UK TELCO system I do not have.
Once I figured this out (too late!), I did fail to step back in and
toss some water on an increasing "camp fire." Sorry.

Not to worry.  I'm equally guilty !  I just didn't realise you were
talking about two items of equipment until Josh pointed it out.

No harm, no foul!


Yes, here in the USA, all xdsl is done via a TELCO supplied MODEM.
AND, it is always (in my experience!) pre-loaded w/firmware to BE my
Gateway/Router (Firewall/DNS/DHCP/WINS/XYZ?). Like One MODEM=One PC
attached to the TELCO line. Legally (?) USA TELCOS have spent much
energy trying to preserve this corporate TOS policy.

Yes, I can see the financial advantage to the telco by doing that.
Generally there is no objection to running several machines behind the
router, over here.  About the only time you might get a warning is if
you are constantly running big data transfers.  That comes under "fair
use" rules.

Believe that over here it has to do with folks doing massive P2P transfers (I do not), and/or running some number of active 24/7 servers behind their Routers. This I do not eschew. I have no dog in this hunt.
"You" sell me this service. Fine. I will USE it........


Since joining the LIST, I have learned that I can re-admin these
MODEMS and make them essentially DUMB DEMOD devices. Essentially,
transfer the above 'services' to a device I buy and choose to use for
my home/private LAN.

Yes!  You are quite right!  That is how they should be.  I do see
another advantage in having a separate device from the router.  It would
be a lot cheaper to replace if it got damaged.

Yes, I've exchanged several MODEMS over the years........due to activities of Mother Nature! She always rulez!


If my TELCO suspects that I MIGHT have more than ONE PC attached to
THEIR MODEM, they can query, and/or, deny me service. I accept this;
as I have since 1996. Shortly I will leave xDSL. This whole topic
will then become academic.

It's not easy for the telco to monitor every user for multiple machines,
but they will monitor traffic and try to charge an additional fee for
it.

Perhaps not in the UK. Here, the TELCOS are very good at telling me each and every device I have connected to their bloody TELCO line. When the TELCO has monopoly status, it has freedom to invade my LAN and tell me all manner of traffic it finds questionable. Just the current field of play ATM.

No harm, no foul!  Now that I fully understand your UK perspective,
your points provide some things to think more about.

My primary firewall lives at my Router. I chose my Router for the
on-board SPI. My previous Router did not offer SPI; it was NAT only.

Can you tell me what SPI is?

My understanding is that SPI is defined as "Stateful Packet Inspection."
I am not capable of explaining this. I have spent some years reading and trying to understand the logic behind it. I understand just enough of this feature to decide that NO Router product should live at my IP Addy that does NOT contain this feature. It is a new feature since I was schooled in the Internet back in the 1970s. I'm led to believe that it is a stronger form of 1st line protection; prior to my Router's firewall logic; and, in concert with NAT. No, I do not fully comprehend the science or logic. Yes, I do see and accept that it seems to work! (via WireShark!) Others may have other views/opinions. In this sphere, I am NOT an expert. I just use/buy the feature. I replaced my older Router (Netgear RT314) just to have this SPI feature.

Yes. I do use the internal client WinXP firewalls also.

I thought I had a strong set of Router Inbound Rules set/allowed.
Perhaps not. I will look deeper into this. (though, I admit, it does
often put me to sleep!!)

Basically a firewall (part of the router) should deny all incoming
traffic but should allow all outgoing traffic.

Basically it works like this: your machine makes a request (you typed
an address into a browser); the firewall knows you made that request
and lets it out.  When the reply comes back the firewall knows that it
is in response to your request and lets the reply in.

You have ultimate control over how the firewall handles all the traffic.

Google "IPtables" or "Netfilter"; that will give you a very good
insight as to how it all works.

Understand. However, I am not willing to elevate my local "protection" schemes to any external/internet (Google) source. I am not quite settled on just how 'clean' the 'internet' is at this time. I watch, I read, I listen. I study.

Perhaps my Router is no longer up to the task. Stuff happens, because
time marches on.
I have a new Router delivered and under investigation ATM!
Best,
Duncan

I'm often around, except when I'm not...

Understand. This LIST has many members that equally share this mantle.
Again, No harm, no foul......
Best,
Duncan
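Gaffer's description above of how the router's firewall lets a request out and only the matching reply back in is what "Stateful Packet Inspection" means in practice. The following is an added illustration, not code from either poster or from the list: a toy model of a home router that compares an old "NAT only" box (no connection tracking) with an SPI box. The LAN range and the outside hosts are constructed for the example; the Netfilter rule quoted in the SPI class's docstring is the real-world equivalent Gaffer points at.

```python
from dataclasses import dataclass

# Constructed addresses for the example: a home LAN and two outside hosts
# taken from the RFC 5737 documentation ranges.
LAN_PREFIX = "192.168.1."
LAN_PC = "192.168.1.10"
WEB_SERVER = "203.0.113.7"
STRANGER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP/IP header for the demonstration."""
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class StatelessFilter:
    """A router with no connection tracking (the 'NAT only' case).

    Without state it can only guess at replies: inbound traffic coming
    *from* a well-known service port is treated as the answer to
    something the LAN asked for.  That guess is the weakness.
    """
    SERVICE_PORTS = {53, 80, 443}

    def filter(self, pkt: Packet) -> str:
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            return "ACCEPT"                          # outbound always allowed
        if not is_lan(pkt.src) and is_lan(pkt.dst):
            return "ACCEPT" if pkt.sport in self.SERVICE_PORTS else "DROP"
        return "DROP"


class StatefulFilter:
    """Stateful packet inspection (SPI).

    Every outbound request is recorded; an inbound packet is admitted only
    if it is the reverse of a recorded flow.  The Netfilter equivalent is a
    default-deny INPUT chain plus:
        iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    """

    def __init__(self) -> None:
        # Flows the LAN opened, keyed by (src, sport, dst, dport).
        self.conntrack: set = set()

    def filter(self, pkt: Packet) -> str:
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not is_lan(pkt.src) and is_lan(pkt.dst):
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if reverse in self.conntrack else "DROP"
        return "DROP"


# Constructed traffic: one real browse to the web server, followed by two
# inbound packets nobody on the LAN asked for.
SCENARIO = [
    ("request",     Packet(LAN_PC, 51000, WEB_SERVER, 80)),
    ("reply",       Packet(WEB_SERVER, 80, LAN_PC, 51000)),
    ("unsolicited", Packet(STRANGER, 80, LAN_PC, 51000)),  # from port 80, never requested
    ("probe",       Packet(STRANGER, 40000, LAN_PC, 22)),
]


def run_scenario() -> dict:
    """Run the same packets through both filters; return their verdicts."""
    results = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        results[name] = {label: fw.filter(pkt) for label, pkt in SCENARIO}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name)
        for label, verdict in verdicts.items():
            print(f"  {label:12s} {verdict}")
```

Both boxes let the browse out and the genuine reply in, and both drop the plain probe to port 22. The difference is the "unsolicited" packet: it merely looks like a reply because it comes from port 80, so the stateless box admits it, while the SPI box drops it because no LAN host ever opened a flow to that address. That is the whole of what the state table buys you, and it is why a default-deny inbound policy is usable at all without breaking ordinary browsing.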
