>> I concur completely with your statements. While it is possible to
>> configure a linux system to act as your firewall such a system must be
>> hardened as much as possible. To me that means you don't load anything
>> but the bare minimum of packages needed to perform the firewall function
>> and disable all ports that are not required by the firewall. And such a
>> system must be monitored constantly for any signs of tampering. One of
>> the low cost hardware firewalls, such as linksys, netgear, or any of the
>> others provides a dedicated box that performs its function well.

> That's not the case if you want anything more than a simple, low performance nat box -

>> Keep your linux system on the inside where you can load any of the latest
>> packages or tools that you want to play with knowing that you are
>> protected fairly well by the dedicated firewall.

> bah - I have several linux systems on the inside - but the firewall is linux too, no need for anything else.
>
> In a bigger shop, the boxes tend to be a bit more specialized - but even then linux tends to be used for multiple things - for instance the firewall is often the squid proxy and vpn server as well...

>> And as you pointed out your entire network is not deprived of Internet
>> access when you want to reboot your machine after applying the latest
>> kernel patch (once you can get it downloaded).

> (?) you don't have to shut down the firewall/network to run up2date...

>> Or after you have applied that latest patch and your system becomes
>> unstable you will still be able to access the network with another box
>> to get the information needed to get the system back in operation.

> I dunno, I just don't seem to have these problems with linux - as for reboots, the box is down for maybe 30-45 seconds, once in awhile for a kernel update - that's easy to work around, just schedule the boot to the new kernel wisely.
>
> Different strokes for different folks I guess - your ideas do have some merit, but we prefer the server consolidation approach - rather than the windows approach of multiple dedicated boxes, we leverage the strengths of linux by loading a small number of linux boxes with a lot of work - and linux does it all gladly, without complaints and without downtime - and with excellent performance.
This is not to say that the cheap firewalls are foolproof, but because they are so simple there is not much that can go wrong with them. And while I have built many servers with lots of services loaded on them, I still believe utilizing dedicated machines for critical functions is the best way to go. When something goes wrong it is much easier to troubleshoot a machine that has just one or two major functions than one that runs email, dns, ntp, oracle, apache, samba, print services, file sharing, lotus notes (built 43 of these beasts at one job with all that stuff). And when that machine goes south only a couple of parts of your enterprise are affected instead of every major service. It also makes it easier to get those services up and running on a temporary machine quickly.
Joe
-- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list