> The one who didn't bother to keep his box up to date? Seriously, I've seen people running some old, stone-stock Red Hat 6.x, in the current millennium, without any updates, and then were surprised when script kiddies discovered the vulnerable bind or ssh or whatnot.
So far as I recall the box was fully up to date -- the firewall rules were broken. I'm more than somewhat paranoid about security and the advice I always give is "keep it simple". A Linux firewall is great, it's very fast, highly functional, provides everything you need for intrusion detection -- you'd be hard pushed to beat it, short of buying a serious Cisco firewall, and may well even beat that.
For someone who is in the process of setting up a home network, going down the complexity route is a bad thing. You'll wind up hacked. My home system is as simple as I can get away with. The few ports I have open are open for a specific purpose and to a specific machine whose security is quite tight (although not hardened). I don't need a complex set of firewall policies so I can keep things nice and simple and I don't need to worry about getting the firewall policies just so.
At work it's slightly different. We have a DMZ here with moderately complex access to the DMZ. We also have people whose job is to look after the firewalls either side of the DMZ with all the monitoring that you _need_.
If you're setting up a home network with DSL access you have to ask yourself some questions. Like how much does it matter if you're hacked into? What do you want to use the network for? My system is not unusual -- we use it mainly for e-mail and web surfing. If you want a high-performance, cheap firewall then a Linux box or a NetBSD box would be a good place to start -- but be sure that you want to invest all the effort in getting it right and setting it up. My Netgear jobbie takes almost no maintenance and that's fine because I don't want to invest a lot of effort in maintaining it at home, I have other things I'm more interested in doing.
jch
--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
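As an added illustration of the "keep it simple, open only what you need, to whom you need" approach argued above (this is example code, not anything jch or the list posted): a default-deny iptables ruleset for a small home gateway, in iptables-restore(8) format, with a single open port on the gateway itself. The addresses and interface names (LAN 192.168.1.0/24, admin host 192.168.1.10, WAN interface ppp0, LAN interface eth0) are hypothetical and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default-deny
# iptables ruleset for a single-purpose home gateway. Everything is
# dropped unless a rule opens it for a specific purpose and a specific
# machine, which keeps the policy small enough to reason about.
#
# Assumptions (all hypothetical): LAN is 192.168.1.0/24 on eth0, the WAN
# link is ppp0, and 192.168.1.10 is the one host allowed to ssh in.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"

# gen_rules prints the ruleset to stdout in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and packets belonging to flows we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets claiming a LAN source but arriving on the WAN side are spoofed
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# the one open port on the gateway: ssh, only from the admin host, LAN side only
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# let the LAN out to the world; nothing unsolicited comes back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# log what the default policy is about to drop, rate limited to keep logs readable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# count_accept_new returns how many INPUT rules accept a brand-new
# connection to the gateway itself, i.e. its listening attack surface.
# For this policy the answer should be exactly 1 (ssh from the admin host).
count_accept_new() {
    gen_rules | grep -c -- '^-A INPUT .*--state NEW -j ACCEPT'
}

# Usage: ./fw.sh           -> print the ruleset for review
#        ./fw.sh apply     -> load it (needs root)
#        ./fw.sh > /etc/sysconfig/iptables  -> persist it Red Hat style
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
elif [ -z "${1:-}" ]; then
    gen_rules
fi
```

Review the printed ruleset before loading it: with a default DROP policy on INPUT, a typo in the ssh rule locks you out of the box, which is why the admin host rule is restricted to the LAN interface rather than exposed on the WAN. The LOG rules exist so that the "intrusion detection" a plain Linux firewall gives you is actually visible in syslog.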