Re: Router/Firewall Recommendation

At 04:30 PM 6/22/2004, Mark Dadgar wrote:
On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
I would put all my computers behind the linksys router and forget it.

I agree. You've got a purpose-built appliance device instead of a general-use OS with all of its myriad exploits.

Both of you have made reasonable choices. However, it is a mistake to believe that those are *always* the correct choices, or that they are so for all users.


Example: I have a "purpose-built appliance device" as a firewall. It works as seamlessly and effortlessly as my toaster, never needs any attention, and works like a charm. It's of course an old Dell P/166 with 64MB of RAM and a 2GB hard drive on a UPS. Please note some of the characteristics:

1. It has *very* few packages installed from Fedora Core 1 and only 390MB used on disk. No "myriad exploits" here. If it's not installed, it can't be hacked.

2. It allows *one* thing in from the Big Bad Outside: SSH, with keys and no passwords. All other ports are blocked by iptables.

3. Its few services are specifically configured not to listen to outside ports. Harder to hack.

4. It is intelligent enough to detect a port scan or a probe to certain hostile ports and will unceremoniously black-hole an attacker into -j DROP for 3 days at the very first ping.

5. It routes, masquerades, and firewalls for my network.

6. It serves DHCP, internal DNS, and NTP to my internal network.

7. It cost me $0 since I got a few old computers donated to me.

8. It can use *any* reasonable method for outgoing connections. Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be configured in a PC, I can make work.

9. MRTG allows me to check bandwidth used precisely, in any way *I* choose, and monitor it dynamically. Helps when using burstable connections and arguing your bill. Saved me over $750 already by helping me win arguments.

10. I can replace it in 1 hour flat at any time of day or night, any place, by merely running the install again on *any other available computer* and copying over my configuration files from the backup disk.

11. I feel safer and more secure knowing that the code that protects me is (a) publicly and thoroughly scrutinized, (b) actually used in many hardware firewalls <grin>, (c) going to continue being supported and improved over time, and (d) customizable to the N-th degree.

12. The *very same configuration* was used to set up my office building's firewall (with four internal networks and five Ethernet adapters), for the modest cost of $30 (we used an older and very reliable server with lots of PCI slots). Saves us easily $900 PER MONTH.

I'd be happy to go on, but that's enough for now:

Did I have to learn more? Yes. Are there more moving parts, more points of failure, and more power consumption? Yes. Does it take up more space? Yes. Even with 300-to-400 days of uptime on average, will I reboot, update, upgrade, or otherwise maintain it more frequently? Yes. On the other hand...

Do I feel more secure? Hell yes. Does it provide more services? Yes. Does it do *exactly* what I want in each case, adapted to the individual circumstances? Yes. Is it more easily replaceable for me? Yes. Does it cost less? Yes! (Can't beat $0.) So do I prefer building a firewall with Linux? Hell yes!

So why do I teach some people to build a Linux box (or hire me to do so for them), and why do I tell others to buy Netgear or Linksys boxen? Why is it that (in that office firewall) one network is directly connected to this firewall, two are behind *another* Linux box each doing firewall/masquerading/samba/etc for them, and the last is behind a little blue box?

Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each person find what's best for them.

Cheers,

Just run the hardware firewall and forget about it.

- Mark

And please, for the love of God, whatever you do, *don't* think of security as a "just forget about it" issue.



-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx http://www.simpaticus.com
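The iptables policy sketched in the list above (SSH as the only inbound service, internal-only DHCP/DNS/NTP, masquerading, and a 3-day black-hole for hosts that probe hostile ports) can be expressed as a short script; this is an added example, not Rodolfo's actual configuration, and the interface names, internal subnet and trigger-port list are assumptions. Without APPLY=1 it only prints the rules for review.

```shell
#!/bin/sh
# Added example of the firewall policy described in the mail, not the author's own files.
# Interfaces, subnet and trigger ports are assumptions; override them via the environment.
WAN=${WAN:-eth0}                       # assumed external interface
LAN=${LAN:-eth1}                       # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed internal subnet
BLACKHOLE_SECS=$((3 * 24 * 3600))      # 3 days, as in item 4
HOSTILE_PORTS="135,139,445,1433"       # constructed list of "hostile" probe ports

# Dry-run by default: print each rule; apply it only when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
    # Default deny for traffic to and through the box; the box itself may talk out.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    # Item 4: a black-holed source is dropped before any other rule, even its existing sessions.
    ipt -A INPUT -i "$WAN" -m recent --name blackhole --rcheck --seconds "$BLACKHOLE_SECS" -j DROP
    # ... and the very first probe to a hostile port puts the source on that list.
    ipt -A INPUT -i "$WAN" -p tcp -m multiport --dports "$HOSTILE_PORTS" -m recent --name blackhole --set -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Item 2: SSH is the only new inbound connection accepted from the outside
    # (key-only login is sshd's job: PasswordAuthentication no in sshd_config).
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Items 3 and 6: DHCP, DNS and NTP are reachable only from the internal side.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp -m multiport --dports 53,67,123 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    # Item 5: route and masquerade the internal network.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    [ "${APPLY:-0}" = 1 ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    return 0
}

gen_rules
```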


-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
