Quite the opposite (that is to say, a Windows machine running a software firewall is less secure than one that's blocking all inbound ports via a hardware layer), and I'll thank you not to twist my words to mean something other than what I said.
Wrong. Firewalls block data on the network layer. It's impossible to apply any type of traffic rules on the physical layer because the physical layer contains absolutely no type of addressing information. It is possible to block traffic on the data link layer, but the data link layer contains only MAC address information, which is only useful if the device you want to block is on the same logical network as you.
Now, when you said physical layer, I wasn't sure if you were talking TCP or not, but then you came up with this laugher....
You also miss the point that the Windows firewall has no basis in hardware, it exists solely in the Application protocol layer.
Whoops! Wrong again. The Windows firewall is based upon IPSEC, which has control of the TCP stack at the network and transport protocol layers. Every firewall, even expensive uber firewalls like the Cisco PIX, rests on the network protocol layer.
There are literally hundreds of scripts out there that allow raw intrusions into the /dev/hda1 space itself by ignoring anything above the Network layer. You need something where you can block traffic at the Physical layer and higher.
Huh?? Okay, now I'm not so sure if you even know what you're talking about. I'll have to take some guesses as to what you meant.
First of all, if you want to block traffic on the physical layer, unplug the RJ45 cable from your PC, or turn off your router, firewall or switch. It's the only way.
If you were talking about malware that can disable the Windows firewall...Yes - this is definitely possible, in fact, it's easy if the code has admin privileges, but how does the malware get onto the PC in the first place? If you are running a game that has an exploit, and a worm comes through the game onto your PC, how is an external 'hardware' firewall going to help you? Answer - it won't, unless it blocks all outbound connections too. That would be rather inconvenient.
If you were saying you know of scripts that can get to a remote host without knowing its IP address and port, and then put data on the target's hard drive...Wow. Whoever wrote those are some talented mofos, considering it's technically impossible. I'd sure love to meet them so I could bow down to them at the altar of programming gods.
Maybe you've forgotten about that nice little Sub7-style backdoor in Doom II that iD hardcoded into the game.
Never heard of it as I've never played any of the Dooms, but I did a quick Google. That backdoor was listening on the same port the game listened on. If you played Doom II, then you would have had to tell your firewall to allow traffic on that port.
Besides that, can you link me to some other major exploits of online games, and some documented cases of people being exploited by them?
To close, your whole notion of "hardware firewalls" being so superior to "software firewalls" is bunk. There really is little difference between a "hardware firewall" and a "software firewall". "Hardware firewalls", from cheapy $30 Linksys boxes all the way up to $50,000 Cisco PIX, are nothing but computers whose sole purpose is networking. They have processors, a motherboard, a BIOS, network interfaces, permanent storage media, and they run operating systems, which do networking, and sometimes other things. The Windows XP firewall has as much control over the machine's network interface as any Linksys box has control over its network interface. A hardware firewall is tantamount to a bouncer at your door with a guest list. They definitely have their uses but they aren't anything particularly special. Hardware firewalls' biggest advantage is the ability to manage traffic for multiple hosts.
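The layering point made in the reply above (firewalls match on network and transport headers; a MAC address rule only means something on the local segment) can be shown with a small packet-filter model. This is an added example, not code from the thread or from any firewall product; every MAC address, IP address, host name and the port number are constructed for the demo, and the `route()` helper is a deliberately simplified stand-in for what a router does when it forwards a frame onto another segment.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed sample values; none of these come from the thread.
GAME_PORT = 27015


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see, grouped by layer."""
    src_mac: str    # data-link layer: replaced at every router hop
    dst_mac: str
    src_ip: str     # network layer: survives end to end
    dst_ip: str
    proto: str      # transport layer: "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Match every field that is set; None means 'don't care'."""
    action: str
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = (
            (self.src_mac, pkt.src_mac),
            (self.src_ip, pkt.src_ip),
            (self.proto, pkt.proto),
            (self.dst_port, pkt.dst_port),
        )
        return all(want is None or want == got for want, got in checks)


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with a default-deny policy, as a host firewall does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def route(pkt: Packet, router_mac: str, next_hop_mac: str) -> Packet:
    """Simplified router forwarding: layer-3/4 fields are kept, layer-2
    addresses are rewritten, so the original sender's MAC never reaches us."""
    return replace(pkt, src_mac=router_mac, dst_mac=next_hop_mac)


# Constructed hosts: the protected PC, its gateway, a LAN neighbour,
# and two hosts on the far side of the router.
PC_MAC, PC_IP = "02:00:00:00:00:10", "192.168.1.10"
ROUTER_MAC = "02:00:00:00:00:01"
NEIGHBOUR_MAC, NEIGHBOUR_IP = "02:00:00:00:00:50", "192.168.1.50"
REMOTE_BAD_MAC, REMOTE_BAD_IP = "02:00:00:00:99:99", "203.0.113.9"
REMOTE_FRIEND_MAC, REMOTE_FRIEND_IP = "02:00:00:00:77:77", "198.51.100.7"


def arriving_packets() -> Dict[str, Packet]:
    """Three TCP packets to the game port, as the PC's filter actually sees them."""
    neighbour = Packet(NEIGHBOUR_MAC, PC_MAC, NEIGHBOUR_IP, PC_IP, "tcp", GAME_PORT)
    remote_bad = route(Packet(REMOTE_BAD_MAC, ROUTER_MAC, REMOTE_BAD_IP, PC_IP, "tcp", GAME_PORT),
                       ROUTER_MAC, PC_MAC)
    remote_friend = route(Packet(REMOTE_FRIEND_MAC, ROUTER_MAC, REMOTE_FRIEND_IP, PC_IP, "tcp", GAME_PORT),
                          ROUTER_MAC, PC_MAC)
    return {"neighbour": neighbour, "remote_bad": remote_bad, "remote_friend": remote_friend}


# Data-link layer policy: deny the unwanted hosts by MAC, allow the game port.
MAC_POLICY = [
    Rule("deny", src_mac=NEIGHBOUR_MAC),
    Rule("deny", src_mac=REMOTE_BAD_MAC),
    Rule("allow", proto="tcp", dst_port=GAME_PORT),
]

# The only MAC the PC sees for any routed traffic is the gateway's, so a
# MAC rule against outside hosts can only be all-or-nothing.
MAC_POLICY_BLOCK_GATEWAY = [
    Rule("deny", src_mac=NEIGHBOUR_MAC),
    Rule("deny", src_mac=ROUTER_MAC),
    Rule("allow", proto="tcp", dst_port=GAME_PORT),
]

# Network layer policy: deny by source IP, which survives routing.
IP_POLICY = [
    Rule("deny", src_ip=NEIGHBOUR_IP),
    Rule("deny", src_ip=REMOTE_BAD_IP),
    Rule("allow", proto="tcp", dst_port=GAME_PORT),
]


def evaluate(policy: List[Rule]) -> Dict[str, str]:
    """Decision per arriving packet under the given policy."""
    return {name: decide(policy, pkt) for name, pkt in arriving_packets().items()}


if __name__ == "__main__":
    for label, policy in (("MAC rules", MAC_POLICY),
                          ("MAC rules incl. gateway", MAC_POLICY_BLOCK_GATEWAY),
                          ("IP rules", IP_POLICY)):
        print(f"{label:25s} {evaluate(policy)}")
```

Under `MAC_POLICY` the neighbour is blocked but the unwanted remote host is allowed through, because its frame arrives carrying the router's MAC; adding the router's MAC to the deny list blocks the friend as well. The same deny expressed as a source IP rule blocks the neighbour and the unwanted remote host while leaving the friend alone, which is why the useful rules in any firewall, host-based or a separate box, live at the network and transport layers.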