Re: [SLE] Which Cable/DSL Firewall?
From: Sid Boyce (sboyce_at_blueyonder.co.uk)
Date: Wed, 03 Dec 2003 20:24:13 +0000
To: SLE <email@example.com>
Bruce Marshall wrote:
>On Wed December 3 2003 03:39 am, John Andersen wrote:
>>On Tuesday 02 December 2003 06:33, Sid Boyce wrote:
>>> I wonder how current the
>>>commercial boxes are, especially with updates when vulnerabilities are
>>Exactly right Sid.
>>For the price of a second nic ($5 at a flea market) you can protect your
>>entire net with any of your linux boxes and never even notice
>>the load. Even an old machine you might consider junking has enough
>>gas to pass packets as fast as your cable modem or dsl can deliver
>>them. I use an old pentium 120 for this - running headless (no monitor)
>>over in the corner, and manage it with ssh.
>>Most of these firewall/routers are running some long obsolete version
>>of linux, and many are not upgradeable. They are far more hackable
>>than the companies lead you to believe, and have been frequently
>>shipped with commonly known passwords.
>>In the process you will have to learn at least a smattering of things
>>about iptables ( shorewall makes it child's play ), dhcp server setup,
>>and that's about all that is necessary. The rest is optional.
>>The only thing the commercial boxes have going for them is they
>>are getting so cheap ($30-$80) that those too busy to learn can
>>still use them.
>>But "too busy to learn" does not sound like a Linux user.
>Just my $.02 but I really think you (John) are going a bit overboard on this.
>I once had to set up a small household LAN with two machines, both linux and
>using DSL for a connection. I originally set it up with a 2 nic setup and it
>worked fine. But for several reasons, decided to switch to a Linksys router.
>The reasons were:
>1) I wouldn't always be around to trouble shoot any problems that might come
>up with a 2 machine setup.
>2) The extra machine would be running all the time when it wasn't being used
>for anything but a firewall. (not a big deal)
>3) No UPS so that any power problems and subsequent boot problems would have
>to be dealt with.
>4) The Linksys box handled forwarding of requests without much of a hassle.
>and the main reason:
>5) I found the Linksys box to be a much tighter firewall than the linux box.
>(based on nmap from an outside scan) And yes, I had the firewall set up
>like I wanted it. Yes, you could probably screw things as tight as the
>Linksys box but that can create problems too.
>So I don't think you are doing people any big favors by brow-beating them into
>using a firewall machine. Every situation needs to have its own proper
I just think people should be aware of the options and they are many. If
I suffer a power cut - I never remember to replace the UPS (and get new
batteries for this one) when I have all boxes down - and my daughters
need to use the machines while I'm away, they just boot up floppyfw
which is preconfigured and they are on the net. An extra machine can be
very basic and out of the way, a case/PS, motherboard, a 486, 8M or so
of memory, a floppy and 2 NICs. It can't consume much more power than
the nice painted box, itself a firewall machine. Then there is the
question of whether it can be kept current with the changing nature of
attacks and intrusions. Outside nmap scans -- I haven't tried it, but
you might give me a report on 188.8.131.52 running BBIagent.
-- Sid Boyce .... Linux Only Shop.
-- Check the headers for your unsubscription address
For additional commands send e-mail to firstname.lastname@example.org
Also check the archives at http://lists.suse.com
Please read the FAQs: email@example.com
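John's point about a second NIC plus "a smattering of iptables" is the kind of thing that is easier to judge with the actual rule set in front of you, so here is an added example of the two-NIC gateway he describes. This is not a script posted by anyone in the thread. The interface names (eth0 towards the cable/DSL modem, eth1 towards the LAN), the 192.168.1.0/24 range and the print-by-default behaviour are my assumptions; shorewall generates an equivalent rule set from its config files.

```shell
#!/bin/sh
# Two-NIC Linux firewall / NAT gateway for a home cable or DSL line.
# Added example, not from the original thread. Assumed layout:
#   eth0 = WAN (modem side), eth1 = LAN on 192.168.1.0/24.
# Safe by default: the script only PRINTS the iptables commands.
# Run as root with FW_APPLY=1 to actually load them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# Print or execute one command, depending on FW_APPLY.
run() {
    if [ "${FW_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_firewall() {
    # Wipe existing rules, then fail closed: anything not explicitly
    # allowed into or through the box is dropped.
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Anti-spoofing: packets claiming a LAN source must never arrive on WAN.
    run "$IPT" -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Traffic to the firewall itself: loopback, replies to its own
    # connections, and ssh + DHCP only from the LAN interface. Nothing
    # is accepted on the WAN side, which is what an outside nmap scan
    # should confirm (every port filtered).
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT

    # Traffic through the firewall: LAN may open connections outward;
    # only replies to those connections come back in.
    run "$IPT" -A FORWARD -m state --state INVALID -j DROP
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind the single address the ISP hands out.
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Kernel side: route between the NICs and drop packets whose source
    # would not be routed back out the interface they arrived on.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Review helpers that work without root, on the printed rule set.
# Number of iptables invocations the script would make.
rule_count() {
    ( FW_APPLY=0; build_firewall ) | grep -c "^$IPT " || true
}

# Number of INPUT rules that would ACCEPT new traffic arriving on WAN
# (should be 0: no service is reachable from the Internet side).
wan_input_accepts() {
    ( FW_APPLY=0; build_firewall ) | grep -c -- "-A INPUT -i $WAN_IF .* -j ACCEPT" || true
}

build_firewall
```

Run it once without FW_APPLY to read the rules it would load, then `FW_APPLY=1 sh fw.sh` as root. An `nmap -sS -p- <your WAN address>` from outside should then report every port as filtered, which is the comparison Bruce made against his Linksys box.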