On Tue, 25 Nov 2008, Kerry Hoath wrote:

> We're running Cisco classes next year for the vision impaired, www.cucat.org.
>
> dmz is a bad idea, anyone who forwards all ports to any box without serious
> consideration for network security is asking for trouble,

Anyone who puts anything on a two-way connection without serious consideration for network security is asking for trouble. But that is neither here nor there: who's to say that he hasn't considered network security?

> similarly to those who run modems in bridge mode and the like.

You would seem to be saying that "If your router isn't providing security, then you have none". I'm sorry, but this is a Ciscoian mind-set if ever I heard one. If the system is secured by reasonably good firewalling software--and iptables and its higher level abstractions such as ferm certainly qualify--there is very little wrong with doing what he is doing. After all, how many routers are running Linux and iptables these days for this very thing? And many of them Linksys, now owned by Cisco. If iptables is set up correctly, this is no different than running a server on a business class connection--you must still take steps to protect the ports of the server, regardless of whether you have a router. For smaller (T1, etc.) installations, the router is usually ISP administered, and you cannot block any ports without special arrangements. Now, the value of DMZing in this arrangement is dubious for the simple fact that it seems unnecessary, but not knowing what kind of router he has, it is hard to say that there are better options available, although there should be.

> It appears to me as though you are looking at your problems in terms of
> solutions, rather than defining the problem and solving the root causes.

On that I will agree with you--I have said that before about his methodology, but we can but point this out, and then try to answer the questions presented or provide better advice; with the only other option being to say "you're doing it wrong, good luck figuring out how". I, for one, do not choose such a hard line approach. I have not always gone about things in the generally accepted way, and sometimes you really do have a good reason for it, and just need to know how best to do it wrong, because right is not possible.

> Why these problems are an issue for the speakup list; I'll never know;
> although it seems the list for any blinky linux trouble these days.

There are two reasons for that I suppose. One is that most don't know of other options, and many of the more knowledgeable non-specialized types hang out here. This is a commandline related list, and most of these problems relate to things at that level. For me, for example, the only general list I know of is the blinux-list, which at least used to be hosted by Redhat. There were reasons not to like that list, and many to like this one, including the fact that Kirk does not often complain about off topicness. Perhaps Kirk sees it as a list for users of speakup, as opposed to a list for discussions about the use of speakup. If so, then general questions would seem reasonable. JMHO.

Luke