RE: Router/Firewall Recommendation



At 10:48 AM 6/23/2004, Otto Haliburton wrote:
A hardware firewall is practically
impenetrable because the outside world never knows the IP address of
computers behind the firewall, whereas the first level is penetrated
automatically by a non-hardware firewall; you have to think about this a
little to get what I mean.

Otto, your thoughts are well-reasoned but totally wrong, since you think of a "hardware" firewall as something made of brick with no holes.


All "hardware" firewalls (all of them, no matter how cheap or expensive or anything) run software inside them! All of them. Cisco, Firewall/1, Linksys, Netgear... all of them. It just happens that the code is:

        a) embedded in firmware, so no hard drive or moving parts (good)

        b) hidden from you, so you cannot know if there are any mistakes in the code (bad)

        c) not accessible to you, so you cannot make changes (bad)

Note specifically that some Linksys router/firewalls run on Linux, as does Firewall/1 if I recall correctly. There is *always* code and software, and the hardware firewalls are *not* impenetrable. In fact IIRC nearly every (perhaps every?) major firewall maker of any type has had vulnerabilities discovered and exploited in their devices. No code is perfect, no firewall is perfect.

All machines can be hacked, and if your Linksys is ever hacked/cracked/exploited you'll NEVER KNOW IT. And if there *is* a vulnerability discovered, and publicized, and Linksys (or whoever) chooses not to fix or to delay fixing that hole, then there's nothing you can do about it.

Please don't take this to mean that I think those little blue boxes are bad... oh no, not at all. I rather like them, and in fact I have recommended them to a few dozen people. They work and they generally do so pretty well. For some people, in some cases. Linux or other good software firewalls also work and work well, usually for different people in different circumstances. All I mean to do is to thoroughly cast out those demons who whisper impenetrability in your ear.

As for the "first level is penetrated automatically" thing, well... bullshit. Sorry to be so direct, but I challenge you or anyone to set up a hardened Linux firewall with NAT or masquerading and proper controls and "penetrate" the thing in any way. NAT and masquerading are great things. They work well. But they are not the only things, and they are not perfect things. Multiple layers of defense always, multiple tools, and a reasonable understanding of the pros/cons of each approach.

Cheers,


--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx
http://www.simpaticus.com
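For a concrete picture of what "a hardened Linux firewall with NAT or masquerading and proper controls" looks like, here is an added example ruleset; it is not from the original post or from any product mentioned in it, and it uses today's nftables rather than the ipchains/iptables of 2004. The interface names "wan0" and "lan0" and the LAN prefix 192.168.1.0/24 are assumptions. It follows the two points argued above: both the router itself and the forwarding path default to drop, and dropped packets are logged so that a probe or an attempted break-in does not go unnoticed.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original post. Default-deny router with
# masquerading. Interface names wan0/lan0 and the 192.168.1.0/24 prefix
# are assumed; adjust to your own.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless allowed below.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may use the router for DNS/DHCP and for admin SSH.
        iif "lan0" udp dport { 53, 67 } accept
        iif "lan0" tcp dport 22 accept
        # Allow ping and the IPv6 neighbour discovery the stack needs,
        # rate-limited so it cannot be used to flood the box.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Record what the policy drops so you can see it in the kernel log.
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # Traffic passing through the router: drop unless allowed below.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only connections initiated from the LAN may cross to the WAN;
        # nothing arriving on wan0 is forwarded inwards.
        iif "lan0" oif "wan0" ip saddr 192.168.1.0/24 accept
        limit rate 10/minute log prefix "nft-forward-drop: "
    }

    chain output {
        # Packets the router itself sends out.
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # Rewrite the source of LAN traffic leaving on wan0 to the router's
        # WAN address, so internal addresses never appear on the outside.
        type nat hook postrouting priority 100; policy accept;
        oif "wan0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Load it with `nft -f` and enable forwarding with `sysctl net.ipv4.ip_forward=1`. The log lines land in the kernel log (`dmesg` or `journalctl -k`) with the given prefixes, which is exactly the visibility a sealed consumer box does not give you.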


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
