On Mon, Jul 21, 2003 at 07:36:59PM -0700, Joe wrote: > Ed Wilts wrote: > > >My recommendation would be to buy something like a Linksys router if you > >can afford it and put it between the DSL modem and the Linux system. > >The Linksys offers two things - a switch with NAT functionality to > >support other systems in your house, and a firewall that's on by > >default. Until you get comfortable configuring Linux in an always-on > >environment, it's nice to have a low-cost firewall that does the basics > >for you. > > > IMHO if you've got a linux box you've already got a much more > sophisticated and flexible router than a linksys could ever be - the > linux box can be the router/firewall, vpn server, dns server, mail > server, web/ftp server, dhcp server and more - but it's pretty easy to > set linux up just as as a basic nat firewall, and it's a good way to learn. The Linux system can certainly do it, but it's not ideal for me - your mileage, of course, will vary. My Linux system is my dns server, mail server, and ftp server (and more). It's not my firewall since it can be rebooted any time and the rest of my systems still work. I used to have my Linux system be the gateway. It didn't suit my purposes, but I know that many people do like it setup that way. Whatever works for you. I don't disagree that Linux is more flexible and sophisticated, but that's also its shortcoming - it's so powerful and sophisticated that most people can't drive it properly as evidenced by the many iptables and ipchains questions I've seen over the years. I also don't like the idea of having critical services on a firewall system. One system is breached, and the attacker is in. With my config, the attacker has to breach 2 separate systems to get anywhere. Yes, I could have a separate Linux system, and I've run that config too. It's yet another system to manage and keep up to date with security patches, maintain backups, etc. and a full system takes more heat and power. My Linksys firewall could die and be replaced with a quick trip to one of the local computer stores. If the Linux system fails, it could potentially be a lot more work (no mirroring on this system, for example). The Linksys also really wins for those Linux admins who don't take security seriously, and that's unfortunately more people that we want to admit to. It's more work to admin a Linux system that it is to admin a Linksys system. -- Ed Wilts, Mounds View, MN, USA mailto:ewilts@xxxxxxxxxx Member #1, Red Hat Community Ambassador Program -- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
