RE: Router/Firewall Recommendation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
> bounces@xxxxxxxxxx] On Behalf Of Ed Wilts
> Sent: Wednesday, June 23, 2004 9:12 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Router/Firewall Recommendation
> 
> On Wed, Jun 23, 2004 at 08:27:40AM -0500, Otto Haliburton wrote:
> > I'm not sure what you mean, but you can't get a better firewall than not
> > projecting the ip of the internal computer to the outside world.
> Remember
> > 'nat' there is no better or in depth firewalling.
> 
> NAT will only protect you from inbound new connections.  It does
> absolutely nothing if you have a rampant application on your Windows box
> that opens a port to the outside world.
>
I believe that you can prevent any outgoing port from being opened to the
outside world in the router fyi, in case you haven't prevented that.  Plus
if that occurs I think that the administrator needs to take swift and
decisive action.
 
> Similarly, you can rely on tcpwrappers to control most inbound
> connections but outbound is still a free-for-all unless you add iptables
> to the mix.
> 
> For the best security, a well designed and implemented iptables
> configuration will be better than a hardware firewall.  However, for
> those looking for "good enough" solutions that solve the most common
> attacks, a hardware firewall like a Linksys router/firewall box does the
> job fairly well.
> 
I respectfully disagree with you here.  A hardware firewall is practically
inpenetratable because the outside world never knows the ip address of
computers behind the firewall, were as the first level is penetrated
automatically by a none hardware firewall, you have to think about this a
little to get what I mean.

> Personally, I use a Linksys router/firewall with some predetermined
> ports forwarded to my Linux system (none to my Windows systems) and add
> tcpwrappers to restrict which hosts are actually allowed to use that
> service.  For example, ssh makes it through the firewall but tcpwrappers
> restricts the incoming connections to my office subnet.
> 
if I am interpreting this correctly.  Not all of your computers are behind
the linksys firewall and that is the problem!!!!!

> Another important thing to note is the maintainability of the firewall.
> If my Linksys ever dies, I can throw in another one in no time flat with
> a fast trip to a local store.  If you use a  Linux system and have a
> hardware failure, you're in for a lot more work.
> 
Agreed
> --
> Ed Wilts, RHCE
> Mounds View, MN, USA
> mailto:ewilts@xxxxxxxxxx
> Member #1, Red Hat Community Ambassador Program
> 
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list



-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux