Once upon a time, Owen DeLong <owen@delong.com> said:
I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the users mind that there is a firewall protecting them.
Well, "any applet a user clicks on" should not have permission to talk to random devices on the network (for example, Java applets can't do that), so I don't think it quite as bad as you make it out to be. I also don't really find the "computer is already compromised" case all that interesting, as at that point, all bets are off (since with C&C servers, compromised computers are already accessible to the outside world without UPnP). A firewall protects against unwanted inbound connections to things like file/print sharing, DNS proxies, etc. You also don't get port scans and such (even with a few open ports, the majority being "drop" slows down scanners significantly). You can also configure it to prevent certain outbound connections (e.g. connecting to random mail servers from desktop PCs). I would hope that you can configure firewall rules to override UPnP requests. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.