Re: home lan

On Tue, 12 Nov 2002, jdow wrote:

> From: "Dale Kosan" <dale_kosan@fastmail.fm>
> 
> > Just for the record, most of the lower price dsl/routers also do port
> > forwarding so you can still use ssh, samba, apache etc...
> 
> But can they do side duty as a backup store for your other machines?
> I put a modern large but only medium fast IDE drive in the cheap machine
> and use it as a backup store, particularly when making massive changes
> to the other machines. I had the old Pentium so I recycled it into a
> handy interface machine with some backup store.
> 
> {^_-}   (I know storing backups on a firewall is not a good idea. However,
>         since the firewall is closed down from the outside the internal
>         network is pretty much wide open. Once through the firewall the
>         rest is a cakewalk by comparison. I'd rather have the files I do
>         not want to lose have another redundant storage place. So I'd
>         need that old machine on the network, anyway. And pardon me, it's
>         now 166 MHz. I recycled computers downwards when I upgraded my
>         compile machine a few months ago.)

there is an advantage to having both a firewalling/filtering cable/dsl 
router and iptables on your host -- it's called "security in depth".
this means that if someone tries to hack you, they first have to get
through the firewalling on the router.  granted, that may not be the
toughest job in the world, but at least it slows them down.

if they get through that, then they run up against your iptables
configuration on your host.  this isn't just a *second* barrier, it's
a *different* *kind* of barrier.  so they have a whole new problem,
and they have to pretty much start from scratch.

this wouldn't be the case if you had a linux iptables firewall, followed
by iptables on your host.  if you figure out how to break the first level,
then you have a good start on getting through the second.

anyway, you can never be too rich, too thin or have too many levels
of security.

rday



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
