On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote: > To: CentOS mailing list <centos@xxxxxxxxxx> > From: Ljubomir Ljubojevic <office@xxxxxxxx> > Subject: Re: firewall? > > Rudi Ahlers wrote: >> On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic <office@xxxxxxxx> wrote: >>> Keith Roberts wrote: >>>> So I guess I could configure my single NIC Centos 5.6 >>>> machine connected to a 4 port ADSL router to act as the >>>> external Gateway for other machine on the LAN side of the >>>> router, possibly using NAPT on the Centos box? >>> Yes, you can do that. You can also use it as a proxy server. >>> >>> When I said "firewall", I meant as firewall for the network, facing >>> outside of the local network. There were people who would bring public >>> (or semi-public, from ISP) IP to the switch and then hook up all PC's to >>> that switch and use 2 subnets, one that ISP provided and one for the >>> local LAN, all on the same switch, to save on hardware. That is not safe >>> and not wise. >> >> Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. >> But if you have propper firewall rules in place to block incoming >> traffic from the public IP going to the private IP then it's very >> safe. >> > You are looking only at the safety of the server, not the whole network. > > In case od ADSL modems *with NAT-ing* you already have firewall in form > as ADSL modem, and you are safe. That's exactly how my Thompson ADSL router works. By defalut it blocks any connections coming in from the outside internet IP address. To open a port I have to login to the router, and create NAPT rule that links an outside port to a machine and port on the LAN side of the router. I did have port 80 NAPT's this way, but now I have removed that rule, as my websites are hosted on a cloud in a proper data center. So what with the router firewall and then the Linux Kernel IPtables packet filtering firewall, I actually have two firewalls running? For checking open/closed ports from the outside, I go to www.grc.com and let their machine do a 'Shields Up' scan of my machine. Kind Regards, Keith Roberts ----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] ----------------------------------------------------------------- _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos