Router/Firewall Recommendation

Jason Staudenmayer jasons at NJAQUARIUM.ORG
Thu Jun 24 20:32:12 UTC 2004


[Quote]
> For $40 dollars, I can put my computers
> behind a firewall and forget about it cause it ain't going to be hacked by
> anybody and it has good performance and reliability.
[Quote]

Somebody will always hack into something given enough time.

> -----Original Message-----
> From: Jean-Christophe VALIERE [mailto:jyce at free.fr] 
> Sent: Thursday, June 24, 2004 4:28 PM
> To: General Red Hat Linux discussion list
> Cc: ottohaliburton at comcast.net
> Subject: Re: Router/Firewall Recommendation
> 
> 
> On Thu, 24 Jun 2004 01:17:43 -0500
> "Otto Haliburton" <ottohaliburton at comcast.net> wrote:
> 
> > 
> > 
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rodolfo J. Paiz
> > > Sent: Thursday, June 24, 2004 12:53 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Router/Firewall Recommendation
> > > 
> > > At 04:30 PM 6/22/2004, Mark Dadgar wrote:
> > > >On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
> > > >>I would put all my computers behind the linksys router and forget it.
> > > >
> > > >I agree.  You've got a purpose-built appliance device instead of a
> > > >general-use OS with all of its myriad exploits.
> > > 
> > > Both of you have made reasonable choices. However, it is a mistake to
> > > believe that those are *always* the correct choices, or that they are so
> > > for all users.
> > > 
> > > Example: I have a "purpose-built appliance device" as a firewall. It works
> > > as seamlessly and effortlessly as my toaster, never needs any attention,
> > > and works like a charm. It's of course an old Dell P/166 with 64MB of RAM
> > > and a 2GB hard drive on a UPS. Please note some of the characteristics:
> > > 
> > >          1. It has *very* few packages installed from Fedora Core 1 and
> > > only 390MB used on disk. No "myriad exploits" here. If it's not installed,
> > > it can't be hacked.
> > > 
> > >          2. It allows *one* thing in from the Big Bad Outside: SSH, with
> > > keys and no passwords. All other ports are blocked by iptables.
> > > 
> > >          3. Its few services are specifically configured not to listen to
> > > outside ports. Harder to hack.
> > > 
> > >          4. It is intelligent enough to detect a port scan or a probe to
> > > certain hostile ports and will unceremoniously black-hole an attacker into
> > > -j DROP for 3 days at the very first ping.
> > > 
> > >          5. It routes, masquerades, and firewalls for my network.
> > > 
> > >          6. It serves DHCP, internal DNS, and NTP to my internal network.
> > > 
> > >          7. It cost me $0 since I got a few old computers donated to me.
> > > 
> > >          8. It can use *any* reasonable method for outgoing connections.
> > > Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be
> > > configured in a PC, I can make work.
> > > 
> > >          9. MRTG allows me to check bandwidth used precisely, in any way
> > > *I* choose, and monitor it dynamically. Helps when using burstable
> > > connections and arguing your bill. Saved me over $750 already by helping
> > > me win arguments.
> > > 
> > >          9. I can replace it in 1 hour flat at any time of day or night,
> > > any place, by merely running the install again on *any other available
> > > computer* and copying over my configuration files from the backup disk.
> > > 
> > >          10. I feel safer and more secure knowing that the code that
> > > protects me is (a) publicly and thoroughly scrutinized, (b) actually used
> > > in many hardware firewalls <grin>, (c) going to continue being supported
> > > and improved over time, and (d) customizable to the N-th degree.
> > > 
> > >          11. The *very same configuration* was used to set up my office
> > > building's firewall (with four internal networks and five Ethernet
> > > adapters), for the modest cost of $30 (we used an older and very reliable
> > > server with lots of PCI slots). Saves us easily $900 PER MONTH.
> > > 
> > > I'd be happy to go on, but that's enough for now:
> > > 
> > > Did I have to learn more? Yes. Are there more moving parts, more points of
> > > failure, and more power consumption? Yes. Does it take up more space? Yes.
> > > Even with 300-to-400 days of uptime on average, will I reboot, update,
> > > upgrade, or otherwise maintain it more frequently? Yes. On the other
> > > hand...
> > > 
> > > Do I feel more secure? Hell yes. Does it provide more services? Yes. Does
> > > it do *exactly* what I want in each case, adapted to the individual
> > > circumstances? Yes. Is it more easily replaceable for me? Yes. Does it
> > > cost less? Yes! (Can't beat $0.) So do I prefer building a firewall with
> > > Linux? Hell yes!
> > > 
> > > So why do I teach some people to build a Linux box (or hire me to do so
> > > for them), and why do I tell others to buy Netgear or Linksys boxen? Why
> > > is it that (in that office firewall) one network is directly connected to
> > > this firewall, two are behind *another* Linux box each doing
> > > firewall/masquerading/samba/etc for them, and the last is behind a little
> > > blue box?
> > > 
> > > Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each
> > > person find what's best for them.
> > > 
> > > Cheers,
> > > 
> > > >Just run the hardware firewall and forget about it.
> > > >
> > > >- Mark
> > > 
> > > And please, for the love of God, whatever you do, *don't* think of
> > > security as a "just forget about it" issue.
> > > 
> > > 
> > Glad you have the time and energy to do what you do and it works for you.
> > With all the maintenance and stuff, I am glad you have the time to do it and
> > I can tell you are deep into it.  For $40 dollars, I can put my computers
> > behind a firewall and forget about it cause it ain't going to be hacked by
> > anybody and it has good performance and reliability.  So if you got the time
> > and stuff, that is good for you.  Are you more secure? No. I mean large
> > corporations would have a perfect solution with your hook up but they are
> > very vulnerable with this setup.  Routers have their problems and to
> > enable certain features you can open up, but for all practical purposes
> > individuals don't need to do that.  So for the cost factor you can't beat
> > the hardware router.  Cheers!!
> 
> 	I think you don't really understand the way of open source too. For most
> of us running a firewall on a computer is a way of learning, having fun and is
> secure enough. If you log all connections on your firewall, what is wrong with
> your firewall? Of course it is better to use dedicated hardware but it is not
> the goal of most of us.
> 	Finally, for only 5.000$/year you can let a company manage your
> firewall/domain and so on. ;)
> > 
> > 
> > 
> > -- 
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 

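The firewall Rodolfo describes in the quoted post (only SSH admitted from outside, with keys and no passwords; everything else dropped by iptables; masquerading for the LAN; DHCP/DNS/NTP served inward only; a host that probes a hostile port black-holed into -j DROP for 3 days on its first packet) can be written down as an iptables-restore rule set. The script below is an added example, not Rodolfo's actual configuration or anything from the list: the interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the "hostile" port list are assumptions, and the 3-day ban is built with the iptables `recent` match, which is a choice made here since the post does not say what mechanism was used.

```shell
#!/bin/sh
# Added example (not the original poster's config): emit an iptables-restore
# rule set for the kind of box described in the thread. Only SSH is admitted
# from the WAN, everything else is dropped, the LAN is masqueraded, and a
# host that probes a "hostile" port is black-holed for 3 days on its first
# packet. Assumed names/values: WAN=eth0, LAN=eth1, LAN net 192.168.1.0/24,
# hostile ports 135,137:139,445,1433. The ban uses the iptables 'recent'
# match; the post does not say which mechanism was used.
gen_rules() {
    wan="$1"; lan="$2"; lan_net="${3:-192.168.1.0/24}"
    ban_secs=259200                   # 3 days
    hostile="135,137:139,445,1433"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this box started are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Banned hosts stay in -j DROP for ${ban_secs}s from their first probe:
# --rcheck only reads the timestamp that --set recorded, never refreshes it.
-A INPUT -i ${wan} -m recent --name banned --rcheck --seconds ${ban_secs} -j DROP
# The very first probe to a hostile port records the source and drops it.
-A INPUT -i ${wan} -p tcp -m multiport --dports ${hostile} -m recent --name banned --set -j DROP
# Internal services (DHCP, DNS, NTP) answer on the LAN side only.
-A INPUT -i ${lan} -p udp -m multiport --dports 67,53,123 -j ACCEPT
-A INPUT -i ${lan} -p tcp --dport 53 -j ACCEPT
# The *one* thing allowed in from outside: SSH (pair it with
# "PasswordAuthentication no" in sshd_config so only keys work).
-A INPUT -i ${wan} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Forward LAN -> WAN and the replies back; nothing else crosses the box.
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -j ACCEPT
-A FORWARD -i ${wan} -o ${lan} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${wan} -s ${lan_net} -j MASQUERADE
COMMIT
EOF
}
# Count the rules that admit NEW connections from the WAN; the design goal
# is exactly one (SSH). Useful as a regression check after editing the set.
wan_openings() {
    gen_rules "$@" | grep -c -- "-A INPUT -i $1 .*-j ACCEPT"
}
```

Apply with `gen_rules eth0 eth1 | iptables-restore` after enabling forwarding (`echo 1 > /proc/sys/net/ipv4/ip_forward`); run `wan_openings eth0 eth1` first and expect 1.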