Router/Firewall Recommendation

Ed Wilts ewilts at ewilts.org
Wed Jun 23 14:12:22 UTC 2004


On Wed, Jun 23, 2004 at 08:27:40AM -0500, Otto Haliburton wrote:
> I'm not sure what you mean, but you can't get a better firewall than not
> projecting the ip of the internal computer to the outside world.  Remember
> 'nat' there is no better or in depth firewalling.

NAT will only protect you from inbound new connections.  It does
absolutely nothing if you have a rampant application on your Windows box
that opens a port to the outside world.

Similarly, you can rely on tcpwrappers to control most inbound
connections but outbound is still a free-for-all unless you add iptables
to the mix.

For the best security, a well designed and implemented iptables
configuration will be better than a hardware firewall.  However, for
those looking for "good enough" solutions that solve the most common
attacks, a hardware firewall like a Linksys router/firewall box does the
job fairly well.

Personally, I use a Linksys router/firewall with some predetermined
ports forwarded to my Linux system (none to my Windows systems) and add
tcpwrappers to restrict which hosts are actually allowed to use that
service.  For example, ssh makes it through the firewall but tcpwrappers
restricts the incoming connections to my office subnet.

Another important thing to note is the maintainability of the firewall.
If my Linksys ever dies, I can throw in another one in no time flat with
a fast trip to a local store.  If you use a Linux system and have a
hardware failure, you're in for a lot more work.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
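The layered setup Ed describes (iptables for both inbound and outbound, tcpwrappers restricting sshd to the office subnet) as an added, runnable example; this is not code from the original post. It assumes the Linux box's interface is eth0, sshd listens on 22, and the office subnet is 192.0.2.0/24 (an RFC 5737 documentation range standing in for a real one). The ruleset is emitted as text so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumptions (hypothetical values):
#   LAN_IF      - interface the Linksys forwards port 22 to
#   OFFICE_NET  - the only subnet allowed to reach sshd (CIDR form, for iptables)
#   OFFICE_MASK - the same subnet in the n.n.n.n/m.m.m.m form hosts_access(5) accepts
LAN_IF="eth0"
OFFICE_NET="192.0.2.0/24"
OFFICE_MASK="192.0.2.0/255.255.255.0"

# Emit the iptables commands rather than running them, so the ruleset can be
# inspected first and then applied with:   gen_iptables_rules | sudo sh
# NAT on the Linksys already blocks unsolicited inbound traffic; the point of
# the OUTPUT chain is that a misbehaving program cannot open arbitrary
# connections outward, which NAT does nothing about.
gen_iptables_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only ssh, and only from the office subnet (tcpwrappers checks again below)
iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -s $OFFICE_NET -m state --state NEW -j ACCEPT
# outbound: explicit allow-list (DNS, ssh, http/https, NTP); everything else is logged, then dropped
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUTBOUND-DROP: " --log-level 4
iptables -A OUTPUT -m state --state NEW -j DROP
EOF
}

# Write the tcpwrappers policy into the directory given as $1 (normally /etc).
# hosts.allow is consulted first, then hosts.deny, so "deny everything, allow
# sshd from the office subnet" is expressed as two one-line files.
write_tcpwrappers() {
    dir="$1"
    printf 'sshd: %s\n' "$OFFICE_MASK" > "$dir/hosts.allow"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
}

# Stand-alone run: print the ruleset and the wrapper files to a scratch directory.
if [ "${1:-}" = "--show" ]; then
    gen_iptables_rules
    scratch="$(mktemp -d)"
    write_tcpwrappers "$scratch"
    echo "# hosts.allow:"; cat "$scratch/hosts.allow"
    echo "# hosts.deny:";  cat "$scratch/hosts.deny"
fi
```

Two caveats a practitioner would check before relying on this: tcpwrappers only governs sshd if it was built against libwrap (or is started from xinetd/tcpd), and the OUTPUT allow-list will break anything not listed, so watch the OUTBOUND-DROP lines in the kernel log for a while before calling it done.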




