Re: home lan


 



From: "Robert P. J. Day" <rpjday@mindspring.com>

> On Tue, 12 Nov 2002, jdow wrote:
>
> > From: "Dale Kosan" <dale_kosan@fastmail.fm>
> >
> > > Just for the record, most of the lower price dsl/routers also do port
> > > forwarding so you can still use ssh, samba, apache etc...
> >
> > But can they do side duty as a backup store for your other machines?
> > I put a modern large but only medium fast IDE drive in the cheap machine
> > and use it as a backup store, particularly when making massive changes
> > to the other machines. I had the old Pentium so I recycled it into a
> > handy interface machine with some backup store.
> >
> > {^_-}   (I know storing backups on a firewall is not a good idea. However,
> >         since the firewall is closed down from the outside the internal
> >         network is pretty much wide open. Once through the firewall the
> >         rest is a cakewalk by comparison. I'd rather have the files I do
> >         not want to lose have another redundant storage place. So I'd
> >         need that old machine on the network, anyway. And pardon me, it's
> >         now 166 MHz. I recycled computers downwards when I upgraded my
> >         compile machine a few months ago.)
>
> there is an advantage to having both a firewalling/filtering cable/dsl
> router and iptables on your host -- it's called "security in depth".
> this means that if someone tries to hack you, they first have to get
> through the firewalling on the router.  granted, that may not be the
> toughest job in the world, but at least it slows them down.
>
> if they get through that, then they run up against your iptables
> configuration on your host.  this isn't just a *second* barrier, it's
> a *different* *kind* of barrier.  so they have a whole new problem,
> and they have to pretty much start from scratch.
>
> this wouldn't be the case if you had a linux iptables firewall, followed
> by iptables on your host.  if you figure out how to break the first level,
> then you have a good start on getting through the second.

Um, I'm not about to play with a DSL router toy, get it speaking PPPoE
where I can't monitor performance properly, and try to punch my custom
little server holes to one or two specific (fully 32 bit defined) IP
addresses in it.

 (When travelling I do like the idea of being able to sneak back to my
system here and use its nicely filtered mail and use it, clumsily due
to internal "walls" (not really firewalls, though, just things like
file shares I don't leave up all the time on the gateway), to get
"that blasted critical file I didn't copy to my laptop." The block
between the external world and the internal world would have to behave
pretty much like a smart filtering hub. It'd be an interesting challenge
to set such a thing up. That's an interesting case for setting up a BSD
machine as that "smart hub", if it can be done.)

(And note I didn't mention the internal password level security. Given
sufficient time passwords can be broken. And tcpwrappers is not much in
the way of security. So "in" requires spoofing iptables or getting through
iptables somehow in a high bandwidth manner that will allow repeated
password tries via ssh or other protocols with source address spoofing
on the packets that do make it through the iptables. It is rather a
blank wall to try to work against. I wonder how many people bother to
set up the tcpwrappers level of security on their systems. It's not much
but it can make doing anything once iptables is punctured rather on
the difficult side topologically speaking. "Ain't no way there from here.")

{^_^}



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
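An added example, not code from any of the posters: a small POSIX shell script that renders the two host-side layers discussed in the thread (iptables accepting new ssh connections only from one or two fully specified /32 source addresses, and the tcpwrappers hosts.allow/hosts.deny pair for sshd) as files you can review before loading them with iptables-restore. The addresses and the output directory are placeholders.

```shell
#!/bin/sh
# Constructed example: render host-side "security in depth" as reviewable files.
# Layer 1: iptables INPUT policy DROP, ssh open only to listed /32 addresses.
# Layer 2: tcpwrappers, so sshd itself also refuses anything not listed.
# Addresses passed in are placeholders; nothing here is applied to the kernel.

# gen_iptables ADDR... -> iptables-restore text on stdout
gen_iptables() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to our own outbound traffic are allowed back in
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        # the "custom little server hole": one fully specified source address per rule
        printf '%s\n' "-A INPUT -p tcp -s $ip/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log anything else knocking on ssh; the DROP policy then discards it
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "'
    printf '%s\n' 'COMMIT'
}

# gen_hosts_allow ADDR... -> /etc/hosts.allow text: sshd only from the same addresses
gen_hosts_allow() {
    list=$(printf '%s, ' "$@")
    list=${list%, }
    printf 'sshd: %s\n' "$list"
}

# gen_hosts_deny -> /etc/hosts.deny text: default deny for every wrapped service
gen_hosts_deny() {
    printf '%s\n' 'ALL: ALL'
}

# write_policy DIR ADDR... -> writes DIR/iptables.rules, DIR/hosts.allow, DIR/hosts.deny
write_policy() {
    dir=$1
    shift
    mkdir -p "$dir"
    gen_iptables "$@" > "$dir/iptables.rules"
    gen_hosts_allow "$@" > "$dir/hosts.allow"
    gen_hosts_deny > "$dir/hosts.deny"
}
```

Review the generated files, then load the ruleset with `iptables-restore < DIR/iptables.rules` and copy the two hosts files into /etc; the placeholder addresses must be replaced with your own before either step.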

