> For $40 dollars, I can put my computers behind a firewall and forget about it cause it ain't going to be hacked by anybody and it has good performance and reliability.

Somebody will always hack into something given enough time.

> -----Original Message-----
> From: Jean-Christophe VALIERE [mailto:jyce@xxxxxxx]
> Sent: Thursday, June 24, 2004 4:28 PM
> To: General Red Hat Linux discussion list
> Cc: ottohaliburton@xxxxxxxxxxx
> Subject: Re: Router/Firewall Recommendation
>
> On Thu, 24 Jun 2004 01:17:43 -0500
> "Otto Haliburton" <ottohaliburton@xxxxxxxxxxx> wrote:
>
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rodolfo J. Paiz
> > > Sent: Thursday, June 24, 2004 12:53 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Router/Firewall Recommendation
> > >
> > > At 04:30 PM 6/22/2004, Mark Dadgar wrote:
> > > > On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
> > > > > I would put all my computers behind the linksys router and forget it.
> > > >
> > > > I agree. You've got a purpose-built appliance device instead of a general-use OS with all of its myriad exploits.
> > >
> > > Both of you have made reasonable choices. However, it is a mistake to believe that those are *always* the correct choices, or that they are so for all users.
> > >
> > > Example: I have a "purpose-built appliance device" as a firewall. It works as seamlessly and effortlessly as my toaster, never needs any attention, and works like a charm. It's of course an old Dell P/166 with 64MB of RAM and a 2GB hard drive on a UPS. Please note some of the characteristics:
> > >
> > > 1. It has *very* few packages installed from Fedora Core 1 and only 390MB used on disk. No "myriad exploits" here. If it's not installed, it can't be hacked.
> > >
> > > 2. It allows *one* thing in from the Big Bad Outside: SSH, with keys and no passwords. All other ports are blocked by iptables.
> > >
> > > 3. Its few services are specifically configured not to listen to outside ports. Harder to hack.
> > >
> > > 4. It is intelligent enough to detect a port scan or a probe to certain hostile ports and will unceremoniously black-hole an attacker into -j DROP for 3 days at the very first ping.
> > >
> > > 5. It routes, masquerades, and firewalls for my network.
> > >
> > > 6. It serves DHCP, internal DNS, and NTP to my internal network.
> > >
> > > 7. It cost me $0 since I got a few old computers donated to me.
> > >
> > > 8. It can use *any* reasonable method for outgoing connections. Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be configured in a PC, I can make work.
> > >
> > > 9. MRTG allows me to check bandwidth used precisely, in any way *I* choose, and monitor it dynamically. Helps when using burstable connections and arguing your bill. Saved me over $750 already by helping me win arguments.
> > >
> > > 9. I can replace it in 1 hour flat at any time of day or night, any place, by merely running the install again on *any other available computer* and copying over my configuration files from the backup disk.
> > >
> > > 10. I feel safer and more secure knowing that the code that protects me is (a) publicly and thoroughly scrutinized, (b) actually used in many hardware firewalls <grin>, (c) going to continue being supported and improved over time, and (d) customizable to the N-th degree.
> > >
> > > 11. The *very same configuration* was used to set up my office building's firewall (with four internal networks and five Ethernet adapters), for the modest cost of $30 (we used an older and very reliable server with lots of PCI slots). Saves us easily $900 PER MONTH.
> > >
> > > I'd be happy to go on, but that's enough for now:
> > >
> > > Did I have to learn more? Yes. Are there more moving parts, more points of failure, and more power consumption? Yes. Does it take up more space? Yes. Even with 300-to-400 days of uptime on average, will I reboot, update, upgrade, or otherwise maintain it more frequently? Yes. On the other hand...
> > >
> > > Do I feel more secure? Hell yes. Does it provide more services? Yes. Does it do *exactly* what I want in each case, adapted to the individual circumstances? Yes. Is it more easily replaceable for me? Yes. Does it cost less? Yes! (Can't beat $0.) So do I prefer building a firewall with Linux? Hell yes!
> > >
> > > So why do I teach some people to build a Linux box (or hire me to do so for them), and why do I tell others to buy Netgear or Linksys boxen? Why is it that (in that office firewall) one network is directly connected to this firewall, two are behind *another* Linux box each doing firewall/masquerading/samba/etc for them, and the last is behind a little blue box?
> > >
> > > Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each person find what's best for them.
> > >
> > > Cheers,
> > >
> > > > Just run the hardware firewall and forget about it.
> > > >
> > > > - Mark
> > >
> > > And please, for the love of God, whatever you do, *don't* think of security as a "just forget about it" issue.
> >
> > Glad you have the time and energy to do what you do and it works for you. With all the maintenance and stuff, I am glad you have the time to do it and I can tell you are deep into it. For $40 dollars, I can put my computers behind a firewall and forget about it cause it ain't going to be hacked by anybody and it has good performance and reliability. So if you got the time and stuff, that is good for you. Are you more secure? No. I mean large corporations would have a perfect solution with your hook up but they are very vulnerable with this setup. Routers have their problems and to enable certain features you can open up, but for all practical purposes individuals don't need to do that. So for the cost factor you can't beat the hardware router. Cheers!!
>
> I think you don't really understand the way of open source too. For most of us running a firewall on a computer is a way of learning, having fun and is secure enough. If you log all connections on your firewall, what is wrong with your firewall? Of course it is better to use dedicated hardware but it is not the goal of most of us. Finally for only 5.000$/year you can let a company manage your firewall/domain and so on. ;)
>
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
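The box Rodolfo describes in items 2 to 6 (default deny, SSH as the only service reachable from outside and only with keys, internal services bound to the inside, a three-day blackhole for probes, masquerading for the LAN) can be written down as a short, reviewable ruleset. The POSIX shell script below is an added example for this thread, not code posted by any of its participants. The interface names eth0/eth1, the 192.168.1.0/24 subnet, the list of "trap" ports that earn a blackhole, and the use of the iptables `recent` and `conntrack` match modules are my assumptions; the `sshd_keys_only` check is my own first-value-wins parse of sshd_config, which is how sshd itself resolves duplicate keywords.

```shell
#!/bin/sh
# Added example, not from the redhat-list thread: a default-deny ruleset in
# the spirit of items 2 to 6 of Rodolfo's message, plus a check for the
# "SSH with keys and no passwords" property of item 2. All interface names,
# the LAN subnet and the trap-port list are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"                        # assumed: interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"                        # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"            # constructed internal subnet
TRAP_PORTS="${TRAP_PORTS:-23,135,139,445}"      # assumed probe ports that earn a blackhole
BLACKHOLE_SECS="${BLACKHOLE_SECS:-259200}"      # 3 days, the window named in item 4

# fw_rules prints one iptables command per line and executes nothing, so the
# policy can be read, kept with the backup copy of the config, or piped to
# fw_apply. Order matters: ESTABLISHED traffic is accepted before the
# blackhole check so a live admin session is not cut by a stray packet; a
# probe to a trap port adds the source to the "blackhole" list with --set,
# and --rcheck then drops every new packet from it for BLACKHOLE_SECS,
# counted from that first probe. LAN-side DHCP is accepted without a source
# filter because a client without a lease sends from 0.0.0.0.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -m recent --name blackhole --rcheck --seconds $BLACKHOLE_SECS -j DROP
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports $TRAP_PORTS -m recent --name blackhole --set -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 53,123 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# fw_apply runs the printed rules in order and stops at the first failure
# instead of continuing with a partially applied policy. Needs root.
fw_apply() {
    fw_rules | while IFS= read -r rule; do
        $rule || { printf 'failed: %s\n' "$rule" >&2; exit 1; }
    done
}

# sshd_keys_only reads an sshd_config from the given files (or stdin) and
# succeeds only if password logins are off in both places OpenSSH can grant
# them (PasswordAuthentication and keyboard-interactive, formerly
# ChallengeResponse) while public-key auth stays on. Like sshd, the first
# value seen for a keyword wins. Match blocks are not handled; review them.
sshd_keys_only() {
    awk '
        BEGIN { pw = 1; kbd = 1; pk = 1 }        # OpenSSH defaults: all enabled
        /^[[:space:]]*#/ { next }                # skip comments
        NF == 0 { next }                          # skip blank lines
        { key = tolower($1); if (key in seen) next; seen[key] = 1
          val = (tolower($2) == "yes") }
        key == "passwordauthentication"          { pw = val }
        key == "kbdinteractiveauthentication"    { kbd = val }
        key == "challengeresponseauthentication" { kbd = val }
        key == "pubkeyauthentication"            { pk = val }
        END { exit (pw == 0 && kbd == 0 && pk == 1) ? 0 : 1 }
    ' "$@"
}

case "${1:-}" in
    apply) fw_apply ;;
    check) sshd_keys_only "${2:-/etc/ssh/sshd_config}" && echo "sshd: keys only" ;;
    *)     fw_rules ;;
esac
```

Run it with no argument to print the ruleset for review, with `apply` as root to load it, and with `check [path]` to confirm sshd will not accept passwords. Two caveats a practitioner would check before relying on the blackhole: `xt_recent` keeps a bounded table (100 entries per list unless the module's `ip_list_tot` parameter is raised), so under a wide scan old entries are evicted early; and `--rcheck` measures its window from the packet that set the entry, which is exactly the "3 days from the first ping" behaviour described above, whereas `--update` would keep extending the ban while the probes continue. On a 2004-era kernel the `conntrack` match would be written as `-m state --state` instead.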