On Wed, Jun 23, 2004 at 08:27:40AM -0500, Otto Haliburton wrote:
> I'm not sure what you mean, but you can't get a better firewall than not
> projecting the ip of the internal computer to the outside world. Remember
> 'nat' there is no better or in depth firewalling.

NAT will only protect you from inbound new connections. It does absolutely nothing if you have a rampant application on your Windows box that opens a port to the outside world. Similarly, you can rely on tcpwrappers to control most inbound connections but outbound is still a free-for-all unless you add iptables to the mix.

For the best security, a well designed and implemented iptables configuration will be better than a hardware firewall. However, for those looking for "good enough" solutions that solve the most common attacks, a hardware firewall like a Linksys router/firewall box does the job fairly well.

Personally, I use a Linksys router/firewall with some predetermined ports forwarded to my Linux system (none to my Windows systems) and add tcpwrappers to restrict which hosts are actually allowed to use that service. For example, ssh makes it through the firewall but tcpwrappers restricts the incoming connections to my office subnet.

Another important thing to note is the maintainability of the firewall. If my Linksys ever dies, I can throw in another one in no time flat with a fast trip to a local store. If you use a Linux system and have a hardware failure, you're in for a lot more work.

--
Ed Wilts, RHCE
Mounds View, MN, USA mailto:ewilts@xxxxxxxxxx
Member #1, Red Hat Community Ambassador Program
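
Added example, not part of the original message or the poster's own configuration: a shell sketch of the two host-side controls the reply describes, tcpwrappers limiting sshd to an office subnet and an iptables ruleset whose OUTPUT chain denies by default, which is the part NAT does not provide. The subnet (192.0.2.0/24, a documentation range), the outbound port list and the function names are assumptions; the script only prints configuration and changes nothing.

```shell
#!/bin/sh
# Added example: prints configuration only; the running firewall is not touched.
# Constructed values: 192.0.2.0/255.255.255.0 stands in for the "office subnet";
# the outbound port list is an assumed policy, not taken from the message.
OFFICE_NET="${OFFICE_NET:-192.0.2.0}"
OFFICE_MASK="${OFFICE_MASK:-255.255.255.0}"
OUT_TCP_PORTS="${OUT_TCP_PORTS:-25 80 443}"

# tcpwrappers: sshd answers only the office subnet. Each line is prefixed with
# the file under /etc it belongs in.
wrappers_rules() {
    printf 'hosts.allow: sshd: %s/%s\n' "$OFFICE_NET" "$OFFICE_MASK"
    printf 'hosts.deny:  sshd: ALL\n'
}

# iptables-restore input for the Linux host. The router's NAT already drops
# unsolicited inbound traffic; the OUTPUT policy is what NAT does not give you.
egress_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ssh forwarded by the router: new connections accepted from the office only
    echo "-A INPUT -p tcp -s $OFFICE_NET/$OFFICE_MASK --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # DNS lookups
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    for port in $OUT_TCP_PORTS; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        echo "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Any other connection a local program opens is logged, then dropped by policy.
    echo '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "egress-denied: "'
    echo 'COMMIT'
}

wrappers_rules
egress_ruleset
```

The output of `egress_ruleset` is in the format `iptables-restore` reads. Rules for anything else the host legitimately originates (DHCP, NTP, ICMP) would need to be added before loading it.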