Talk:Firewall (computing)/Archive 1

This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

Archive 1

It feels much more like a HOWTO page rather than an encyclopeda article

Could someone write a comparison of packet filters? (ipchains, pf, IPFilter, ipfw, Netfilter/iptables) ~~helix84 01:25, 15 November 2005 (UTC)

Can someone include the origin of "firewall"? I'm curious to know how the term came about.

Unless there are objections, I'd like to remove the lengthy lists and wikify comment boxes, or at least place them in the sections. Regardless, the article still needs work. Luis F. Gonzalez 17:50, 17 November 2006 (UTC)

I agree, it's no use having a list of 'all' software/hardware firewalls. Maybe the most common ones (or any, it are just examples...) could be kept in the lists (let's say two or three per category).

--as long as there's no loss of information. Note that this is the opposite of the discussion link at the top of the article about merging in the "network layer firewall" article though it's already linked to. Linking to extra information is, I think, one of the convenient things about Wikipedia versus an offline encyclopedia, so I don't think Wikipedia should necessarily imitate it's offline counterpart.

• Take a look at what links to Firewall, and you will see that 99% of times, they mean Firewall (networking). I propose to move the current contents of "Firewall" to Firewall (disambiguation), and redirect the page "Firewall"" to "Firewall (networking)". Agree? — Isilanes 16:29, 18 January 2007 (UTC)

The information on the page is neither accurate nor useful. I suggest that this page be removed and re-done by a more experienced person who does work in this particular field. It would be unwise to allow such inaccurate information to ruin the reputation of Wikipedia.

Also, other more reliable sites have sometimes contradicted information on this site. This site states none of its sources, so it might have been made up or written from observations, not factual evidence. —The preceding unsigned comment was added by 58.179.138.69 (talk) 10:29, 22 February 2007 (UTC).

I put a link to this comparison of free firewalls in the external links section, and it was removed about a day later. I think it's a good comparison, and while it does use wordpress, it's not a blog. The same articles could be put on a stand-alone site. This is the last I'll have to do with this, and I don't plan to argue for it after this post; if anyone else would like to add the link, that would be great.--Theymos 08:00, 9 March 2007 (UTC)

Looks like a pretty clueless reviewer to me, I would prefer not endorsing this link. -- intgr 08:49, 9 March 2007 (UTC)

Either on a blog site or personal page, there is no evidence of its reliability. It appears to be self-published original research with no sources cited. I prefer not to link to sites that have lower standards than WIkipedia. ✤ JonHarder ^talk 01:41, 10 March 2007 (UTC)

I often refer to the Talisker Security Wizardry Portal when looking up the current state of network security products. It was created by Andy Talisker, I think in 1999, and has been kept fairly up-to-date ever since. It doesn't review the products, but it gives descriptions. It may be a good reseource to add to the Links section of the page. --70.51.57.5 00:15, 17 April 2007 (UTC)

What about adding a list of vendors with some information (Operating system, platform, etc.)? --212.202.20.73 (talk) 14:01, 22 November 2007 (UTC)

What means the sentence: "A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or packet filter in BSD contexts."? Especially what means NATO contexts in this case? Why the Link to the North Atlantic Treaty Organisation?

I wondered about that as well. I suspect someone wanted to spice up the term "firewall" by using military vocabulary. For example, DMZ (de-militarized zone) is borrowed from military speak. I believe BPD is just a borrowed term as well. The NATO has nothing to do with the Internet and a BPD in real-life is just a fence or similar. "packet filter" seems to be BSD terminology and describes a simpler kind of firewall without bells and whistles. --82.141.57.90 04:31, 23 June 2006 (UTC)

I do not think that the mention of firewalls being called "BPDs" is relevant, seeing as how a Google search for "Border Protection Device" brings up this page first, and almost everything after that is completely unrelated. Could someone please cite a reference instead of just entering information into Wikipedia without showing relevance? --- Randilyn 07:27, 23 December 2006 (UTC)

If that's the consensus (and since I agree) I'll remove it while I'm hacking a bit at the article. - Paul 16:04, 30 March 2007 (UTC)

DMZ is actually a correct - but not necessarily appropriate - reference to firewall terminology. It is mainly used on routers which have a built in firewall. A De-Militarized Zone is an IP address on the network which has ports left open for direct access to the internet. This is used in the cases where the firewall configuration interferes with other programs which have a 'legitimate' reason to use the resources, such as FTP servers, certain games, HTTP servers etc. Leon Xavier (talk) 08:11, 30 March 2008 (UTC)

Could someone break down the OS platforms for each firewall implementation? It's not very useful to the casual reader not knowing which firewall goes with which OS. (ie: Linux, Windows, Mac... etc) —Preceding unsigned comment added by 72.38.140.225 (talk • contribs) 08:34, September 19, 2006

To my knowledge, most firewall programs are compatible with all major/new OS', maximum compatibility means more users purchasing/using the product, which in turn would bring in more revenue to the company in question. A few firewalls are only made for Windows OS, and I would assume that a few are only made for Mac OS. Not too sure about firewalls for Linux. New versions of firewalls are also Vista compatible, but you would need to check this in more detail before you installed it. Leon Xavier (talk) 08:21, 30 March 2008 (UTC)

This is just wrong, But whats the right answer "Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s to separate networks from one another [1]. The view of the Internet as a relatively small community of compatible users who valued openness for sharing and collaboration was ended by a number of major internet security breaches, which occurred in the late 1980s.[1]" internet not 'create" (form earlier networks) till 1991. Why does every one won't to back date the creation of the internet?Oxinabox (talk) 11:41, 16 April 2008 (UTC). Revised --Oxinabox (talk) 06:51, 21 April 2008 (UTC)

(Fom my Talk Page)

I removed this comment of yours [1], because it talks about the article subject instead of helping to improve the article, per WP:TALK and WP:NOT#CHAT. If you think that the wording is incorrect then please make a constructive comment like suggesting an alternative wording. --Enric Naval (talk) 02:35, 18 April 2008 (UTC)

I'm not Suggsting that the Wording was wrong, I'm Saying that the Factual basis of the paragraph in question is wrong. however i did not make the change the the paragraph my self because it would have meant deleting large sections of the artical and i lack the knowledge (i just know that the internet didn't come in to place till 1991) and time to rewrite it.

The paragraph is just plain wrong--Oxinabox (talk) 06:51, 21 April 2008 (UTC)

The internet dates back well before the 1980s. I think you're thinking of the World Wide Web. DaniMagoo (talk) 19:41, 23 April 2008 (UTC)

Yeah, the internet is older than this funny thing called "the web". This was way back on time when people emailed each other directly to each other computers because routers on the universities trusted all traffic and were wide open to routing any packet directed to any port to any IP. Firewalls appeared when people started to abuse this openness. --Enric Naval (talk) 20:36, 23 April 2008 (UTC)

The first popular web browser was Mosaic, released on 1993 with the intention of helping people to navigate documents that were already avaliable on the internet, see List_of_web_browsers. It provided a graphical interface to a system that people were using already with text interfaces like Gopher since 1991 or BBS from the late 1970s to the mid 1990s, using Telnet, which predates the actual web by a good bunch of years. The Internet_protocol_suite article cites the late 60s for the first incarnation of internet, called ARPANET --Enric Naval (talk) 20:46, 23 April 2008 (UTC)

You are are right, i am wrong. My bad, I was thinking of the first "Web Browser". *Slap Idiot* (slaps himself). Thus i am glad i ask here on the talkpage first. OMG I don't belive i confused the internet with the web. -Oxinabox (talk) 02:35, 30 April 2008 (UTC)

I expected to find more about different firewall architectures here, but I didn't. More information about this can be found on this site. It's also great resource for anyone who would like to work on this article.--Bernard François 20:05, 19 January 2007 (UTC)

There are way too many "generations" in this article - a graphical interface does not a new generation make. IMHO. Of course ;-) I propose to trim the subsequent generations somewhat (and am renaming the section to "subsequent developments", in preparation). - Paul 16:35, 30 March 2007 (UTC)

I trimmed some bits:

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and codes are currently in widespread use in both commercial and domestic computer systems.

If anyone knows what that means (beyond "there is another buzzword-compliant generation that keeps changing but is being used"), and if it is relevant to firewalls, and if you can explain it in English, please feel free to explain and insert. - Paul (talk) 06:24, 25 November 2007 (UTC)

I would be interested to know what possible relevance War Games has, apart from the fact that is a film that contains breaking into US military computers, but that isn't exactly an uncommon subject for films, and if the writer of this article wants to demostrate the knowledge of firewalls in popular culture, surely there must be a load of better examples than ones like this, which seems to include a load of other terms that don't really relate to firewalls, and specific to the film in question (the "Back Door" is the way the kid gets in, it is a single password, "Joshua" that bypasses absolutely everything in the entire US military defence firewalls, and what have tapeworms to do with anything at all.) It seems to me that this is just a bit of a film the writer likes that he thought he'd put in for the hell of it. Does this really need to be here, it just look really unprofessional to me. —Preceding unsigned comment added by The Athlon Duster (talk • contribs) 10:15, 17 May 2008 (UTC)

The film WarGames was the first film that had a plot where a student did that (and I think it's the first one ever where a civilian hacks a governtment computer remotely using infrastructure available at every home), and it inspirated a lot of people to start hacking. Please read stuff about the history of hacking like like this posting on a hacking warez website, aka wannabe-hacker website "-The 80's Hacker- During the 1980's the hacker population probably went up 1000-fold. Why? For several reasons (...) The second, and probably biggest reason was the movie WarGames. WarGames displayed hacking as a glamourous profession. It made hacking sound easy. I once heard that the estimate of hackers in the US increased by 600% after WarGames. Modem users also increased, but only by a mere 1200%. This made hacking easy, though, because it was also estimated that one third of "WarGames Generation Hackers" had the password 'Joshua'. If you have seen the movie, you know that that name had some significance. Many hackers didn't like WarGames, though. They thought it made hacking sound like a pansy thing to do. To non-hackers, though, WarGames was great. The third reason is because of the mass publicity surround WarGames and hacking. If we had a controlled media, probably the only hackers in the USA would be spies and corporate computer techs. The media increased the hacker population by a lot, also." --Enric Naval (talk) 22:09, 18 May 2008 (UTC)

The Reconnaissance page has been limited to physical/military reconnaissance and includes a link to Vulnerability Scanning (http://en.wikipedia.org/wiki/Vulnerability_scanner). How do I redirect the link to Network Reconnaissance to the Vulnerability Scanning page and include that nice note saying "you have been redirected"?

Ocker3 (talk) 04:20, 17 June 2008 (UTC)

You really don't need to do that. I just changed the link to go directly to the vulnerability scanning page. Check the diffs and see if that makes sense, follow up with me if it doesn't. Jclemens (talk) 04:38, 17 June 2008 (UTC)

For some obscure reason somewhere the edits reverted that to point to the military reconnaissance page again, I've put it back to Vulnerability Scanning. —Preceding unsigned comment added by 78.148.172.119 (talk) 17:05, 11 July 2008 (UTC)

Jclemen's edit was not reverted. He changed a different link on the page [2]. I guess that he just didn't notice the link on the "See also" section and that's why he didn't change it. --Enric Naval (talk) 19:01, 11 July 2008 (UTC)

Firewall resides on the outer boundary (perimeter) of a network providing security. Network boundary connects one network to another. VPN owns its own perimeter firewall. Firewall parameter blocks viruses and infected email messages prior intrusion. it able to logs passing traffic and protects the entire network. Parameter 'subnet' minimizes the damage incurred from an attack.

I propose this section to be removed from firewall types or a major rewrite be done, because

1. it has such a bad grammar you can hardly understand anything
2. it is fully OR
3. it has been written exclusively by the following anonymous author: User_talk:211.25.51.203 on 04:13, 27 November 2008

The author is reputed to produce slightly flawed grammar, but I can see no malicious intent. bkil (talk) 20:55, 6 January 2009 (UTC)

I take that back, it's a university's address! bkil (talk) 20:59, 6 January 2009 (UTC)

I removed it. It's essentially redundant anyway. Dman727 (talk) 22:11, 6 January 2009 (UTC)

Thanks. bkil (talk) 23:16, 6 January 2009 (UTC)

Currently, the entry defines firewall this way -->

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

It used to be defined this way -->

A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

I would like to improve the current definition to something like this -->

A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules or other criteria. --Purpleslog (talk) 17:26, 2 April 2008 (UTC)

Here are different defs brought together:

http://purpleslog.wordpress.com/2007/09/22/defining-firewalls/

--Purpleslog (talk) 18:39, 2 April 2008 (UTC)

Perhaps this is more cleanup than definition, but the defining line near the top that reads "A system designed to prevent unauthorized access to or from a private network." seems to be a fragment. I think proper grammar usage should be encouraged as it may help improve the reputation of Wikipedia. And in my opinion, information in the first two paragraphs seems to overlap heavily. -Asia1281- (talk) 17:16, 19 March 2009 (UTC)

Under the section "Subsequent developments": "Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around."

What does "turned around" mean here? Exploited? Can this be reworded? fogus (talk) 19:18, 27 April 2009 (UTC)

I know it has become increasingly common when one is referring to "firewall", it means firewall in computer, especially in a computer-related conversation or people w/ IT background. However, since the name of computer firewall is a metaphor from the real firewall, and those real firewalls are still widely used in modern architecture, I think we have to honour the original subject and return the title "Firewall" to "Firewall (construction)". At the same time, I suggest we should rename this article's title to Firewall (computer).

If I assume correctly, it is customary in wikipedia to give the original, non bracketed title of the subject to the "real" thing. For example:

• Adobe's page talks about the real adobe that has been used for thousand of years, not the company;
• Mouse's page talks about the real mouse, not the pointing device u r holding at the moment;
• Architecture's page talks about the architecture in real world, not computer architecture.
• Oracle's page talks about the real oracle, not the company.

etc...

I believe the above principles are valid for this article too. So I am suggesting a name change, if anyone have reason to believe firewall should be an exception, please let me know. Da Vynci (talk) 21:11, 9 February 2010 (UTC)

• Since there has been a while and there is no objection heard, I think going to do the name change soon. Da Vynci (talk) 00:15, 12 February 2010 (UTC)

• It is my view that neither the computer network device, nor the construction element is sufficiently more common to be the "primary topic". Therefore i would strongly advise moving the disambiguation page, now at Firewall (disambiguation) to Firewall, and leaving the two largest topics at Firewall (construction) and Firewall (computer). DES ^(talk) 02:01, 12 February 2010 (UTC)

  See WP:DAB#Is there a primary topic? for more on this. DES ^(talk) 02:29, 12 February 2010 (UTC)

• I am in agreement. The page statistics indicate there is substantially more interested in the networking article than the construction article, even considering that the networking article was the first point of reference (the stats indicate a clickthrough of less than 10% (assuming others found it through other links and direct hits and the dab page), which seems awfully low for people looking for information on that topic). Shadowjams (talk) 02:21, 12 February 2010 (UTC)

Hi everyone, yeah, I realised the move wasn't carried out ideally. Somehow the "move" button didn't appear on the Firewall page when I did the move (strangely, it appeared in the Firewall (construction) page). So, if anyone need to fix the technical side of the move, by all means please do. As for the move itself, I am more inclined to give the title Firewall to the actual firewall for the rationale listed above, but I am fine w/ the disambiguation solution that Desiegel suggested. Da Vynci (talk) 03:33, 12 February 2010 (UTC)

Do we have agreement then? DES ^(talk) 03:15, 12 February 2010 (UTC)

I believe so. Shadowjams (talk) 03:24, 12 February 2010 (UTC)

"# Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking." UDP is a connectionless protocol and thus this doesn't make sense. Andy Buchanan (talk) 17:16, 14 December 2009 (UTC)

That's true, but still stateful firewalls use a connection-like concept for UDP packets, much like they do for TCP connections. Here's roughly how it works:

• Once a UDP packet has been passed based on the firewall rules, the firewall creates an entry in its state-table.
• Subsequent UDP packets are checked against the state-table first, and when source and destination match (i.e. IP-addresses and port numbers on both ends of the "connection" remain the same) the packet is passed without further checking it against the firewall rules.
• The entry in the state-table is removed when it times out, typically in a few minutes.

Only the last step differs from TCP (TCP-entries in the state-table typically have a time-out of hours, the closing of TCP-connections is normally detected by inspecting the IP-headers), and I guess that's why "UDP-connection" creeped into firewall-speak. Like you stated, that is confusing and inaccurate.

Despite that the concept works fine. In the context of stateful firewalls, the word connection means nothing else than that an entry exists in the firewall's state-table. Jaho (talk) 18:19, 6 July 2010 (UTC)

Or if you prefer a less technical answer: many words have more than one meaning. The word connection has a different meaning in the context of firewalls, than in the context of TCP endpoints. In the context of firewalls it merely means that data has been exchanged in the last few minutes. Jaho (talk) 19:22, 6 July 2010 (UTC)

The following text was in the lede, and has several problems. First, it's way too much detail for the location. Second, it rambles and doesn't stick to the purported topic, i.e. Firewall Techniques. Third, it's just plain confusing, especially concerning Proxy Servers which, for example, may or may not intercept all messages entering and leaving the network.

I'm willing to help rework/rewrite the article but right now I have to get some sleep. Any comments, anyone?

Firewalls use several techniques to perform their functions:

1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

— UncleBubba ^{( T @ C )} 06:49, 4 March 2011 (UTC)

Currently the body of the article states

Firewalls can be implemented in either hardware or software

Has a firewall implemented in hardware ever existed ? I don't mean a firewall in a dedicated piece of hardware, but a real firewall implementation in hardware. Every firewall implementation I've seen has been done in software. I'm guessing a hardware firewall could be done, but would be need to be completely reworked to change its rules. Adsbenham (talk) 16:28, 17 October 2010 (UTC)

To the best of my knowledge, there are very few "hardware" firewalls, at least as you define the term.

More often, though, the term hardware firewall is used to refer to dedicated hardware appliances (running specialized firmware) such as those made by Checkpoint (formerly Nokia), Cisco, Juniper, and others, while software firewalls indicate programs running within an otherwise non-firewall computer or computing system, like the Windows Firewall, the Unix/Linux IPTABLES or IPCHAINS (or other) daemons or any of countless other filtering programs. — UncleBubba ^{( T @ C )} 07:02, 4 March 2011 (UTC)

Is it just me (probably...) or is there something missing in this section? It has a paragraph about physical and literal firewalls, then para 2 goes on about the Morris worm and the machines of the day without any explanation of what's going on. There's a - at the start of para 2 that suggests to me something's gone for a holiday. I just popped in to find out how firewalls do it, BTW. Still don't know.... Peridon (talk) 19:22, 5 April 2011 (UTC)

No, it's not you. The article has pretty much been sliced and diced into pieces and now it could really use a rewrite. I'm thinking if I can get some time... — UncleBubba ^{( T @ C )} 22:40, 5 April 2011 (UTC)

Quote "Administrators often set up such scenarios in an effort (of debatable effectiveness) to disguise the internal address or network." - That sounds somewhat far-fetched. I wonder whether the author of that sentence has read RFC 1918 at all. Furthermore, it's not a bad idea at all to have internal and external addresses. Otherwise, it'll be much more difficult to configure proper rules and policies. However, this has nothing to do with hiding or disguising the external routable IP addresses. Last but not least, the point of RFC 1918 is that the machines behind the router(s) might have no public IP addresses. Thus, this sentence should either be removed or explained in detail. --195.62.99.203 21:15, 13 Jun 2005 (UTC)

Agree, in fact a NAT device is generally the best network device a non-technical home networking user can deploy to protect their computers from hacking. If no objections posted, will remove the phrase Xaosflux 04:58, 11 November 2005 (UTC)

Nonsense. NAT does not prevent hacking at all especially not for "non-technical" users which will happily download and execute random files from the internet. Let me cite the motivation of RFC 1918 "The Internet has grown beyond anyone's expectations. Sustained exponential growth continues to introduce new challenges. One challenge is a concern within the community that globally unique address space will be exhausted." Everything else is just a welcome or often rather unwelcome side-effect. --82.141.58.141 02:21, 24 June 2006 (UTC)

It's quite possible for a side-effect of the original technique to be a reason for employing the technique in another situation (such as a home network). - Paul 17:52, 19 April 2007 (UTC)

NAT does not provide any of a firewall's security benefits. Most malware these days is acquired by actively downloading it, which means using an outbound TCP connection. Also, I can't see why NAT is even mentioned in a Firewall article, since they are two different technologies. For example, see the iptables manpage: administration tool for IPv4 packet filtering and NAT. It is, correctly, not called just a "firewall administration tool", because it manages both packet filtering (firewalling) and NAT. Last but not least, the apparent "protection" from NAT is a feature of routing, not firewalling. 89.72.102.103 (talk) 16:13, 7 August 2011 (UTC)

I believe the initial definition of firewall provided in this article is a bit ambiguous and lacking in detail. Likewise, I'd like to point out that there are very little sources cited. There are even entire sections within this article that go into explaining a specific topic, without citing a single reference. — Preceding unsigned comment added by CGuerrero-NJITWILL (talk • contribs) 18:58, 7 April 2012 (UTC)

In "A network's firewall builds a brigade between...," "brigade" makes no sense. Possibly they meant "bridge?" WikiAlto (talk) 23:22, 11 May 2012 (UTC)

I agree. "Bridge" makes sense. However "builds a bridge" is not quite right. I suggest "acts as a bridge" because the firewall does not construct the connection - it is the connection. SimonWiseman (talk) 20:24, 18 May 2012 (UTC)

Will using "bridge" ("acts as a bridge") generate any confusion with the terms/concepts "network bridge" or "protocol bridge"? I don't know the answer to this. If not; then "acts as a bridge" sounds good to me. WikiAlto (talk) 03:20, 20 May 2012 (UTC)

It's now been changed to "firewall builds a bridge between", but I agree this is not very clear and the use of "bridge" is inviting confusion with "network bridge". Maybe it should just state it in plain English - "A firewall connects an internal network....". SimonWiseman (talk) 19:31, 5 June 2012 (UTC)

In this page's other wiki links part, there is only one link which is to the malayalam wiki. But When I check it on tr wiki for example, Güvenlik_duvarı, I can see all the other wiki links on the same article including this page in English wiki. So There is clearly a problem with wikidata.org linking all this pages across wikipedias. When I check the wikidata page for the links, I also can see the english link there listed. So what's going on with en wiki ? Problem seems to be solved. Guyver (talk) 09:47, 31 July 2015 (UTC)

The page introduction currently states that Firewall appliances may also offer other functionality to the internal network they protect, such as acting as a DHCP[3][4] or VPN[5][6][7][8] server for that network..

This seems to be patently incorrect, since firewalls, DHCP servers, and VPN servers are all distinct services (the fact that specific products may package them up together should be irrelevant to this article). Indeed, citations 5, 6, 7 & 8 all concur - treating VPNs and firewalls as entirely distinct functions. I suggest that this sentence be removed. --Liam McM 21:25, 19 December 2017 (UTC)

Hello

The sentence you have quoted explicitly says "Firewall appliances" not "Firewall", meaning that it is not talking about a service, distinct or otherwise.

A server computer can run firewall, DHCP and VPN services at the same time. In fact, Windows Server Essentials and the now-discontinued ISA Server do that.

Best regards,
Codename Lisa (talk) 04:53, 20 December 2017 (UTC)

Codename Lisa is right but this was unnecessary detail in the lead. I have moved it to the body. Some of those citations may be unnecessary. ~Kvng (talk) 15:52, 22 December 2017 (UTC)

Hello, Kvng. That's actually a good idea. Thanks. Best regards, Codename Lisa (talk) 16:44, 22 December 2017 (UTC)

Good call for both of you, thanks for helping. --Liam McM 21:13, 23 December 2017 (UTC)

So Jeffrey Mogul wrote a paper on packet filters which are used to demultiplex packets in the kernel and send them to subscribed userspace processes. He then wrote another paper a year later that talks about access control on datagrams which uses some packet-filter technology but explicitly doesn't call it a packet filter whatsoever.

Packet filters are for filter/delivering packets to user space, not for access control. I think you can state "firewalls are erroneously called packet filters" but they simply aren't firewalls and Jeffrey Mogul who coined the term never really used it in the discussion of access control on datagrams or firewalls except to say that it shared some technology features. — Preceding unsigned comment added by 101.175.11.227 (talk) 15:31, 12 June 2019 (UTC)

i thought i would bring this up here before considering what might be best for the "Proxies" and "Network Address Translation" sections.

1. they do not have any sources 2. the statements are either inaccurate or misleading.

a. there are many types of NAT (Dynamic NAT/NAT overload/Masquerade, Source Nat, Destination NAT, Full NAT), but generally you would only see the first two listed doing a lan to wan conversion. Also, there is no requirement to have RFC 1918 space with a LAN, and there is also no requirement to implement NAT for public internet communications.

b. the proxy server explanation is all over the place. the functions of a proxy, whether standard or transparent can overlap with a firewall, but they are not doing stateful, ip, or port based connection filtering. A transparent proxy can abuse control packet like a TCP RESET or a ICMP DST UNREACHABLE (for UDP), to force a connection to stop, but that would more than likely be a security based proxy within a NGFW itself. a standard proxy, if use for security would generally be a web filter and it is not using anything in packet headers to block inherently (it can be by IP[worthless], Active Directory User, etc.), and is more worried about what the url in the http header is.

with all that said, i feel that they should just be removed as it would take some awkward and [potentially] difficult work to convert them into accurate information not counting the fact that they arent even specifically relevant to a firewall anyways. Stayfree76 (talk) 02:45, 17 August 2020 (UTC)

I ended up reworking a good majority of the wiki. alot of information was too technical and irrelevant (two or three paragraphs were talking about exploiting vulnerabilities in firewall types), didnt have a good source, or was borderline incorrect (if not misleading). StayFree76 ^talk 22:56, 25 August 2020 (UTC)

The Article Application_layer_firewall should benefit from all the info given here. or maybe merged completely/made into a redirect. --Deelkar (talk) 22:58, 31 Jan 2005 (UTC)

I agree. Merging a bunch of tightly-related short article to one decent one could make a decent feature. Do we need to propose a vote somehow? I'd merge into this article both Application layer firewall and Network layer firewall. I'd even consider adding Personal firewall (without the vendor list), Demilitarized zone (computing), the proposed XML Firewall, and anything useful from Bastion Host. --ScottDavis 11:19, 26 Feb 2005 (UTC)

To say that a firewall can be located anywhere is not particularly useful. Listing the pros and cons of placing it in certain locations would be more useful eg placing it on the public side of a load balancer versus placing it on the private side? FreeFlow99 (talk) 15:38, 20 November 2021 (UTC)