[NTLUG:Discuss] Re: firewall/router to protect M$ box

Leroy Tennison leroy_tennison at prodigy.net
Sat Jul 16 06:21:27 CDT 2005


Terry wrote:

>On 7/15/05, Johnny Cybermyth <djcybermyth at sbcglobal.net> wrote:
>
>>That is a question for the experts(other's on the list).  I would
>>imagine that you could use your main linux box to serve up Internet
>>access with great firewalling with virtually no performance hit to your
>>main box.  GNU/Linux runs a firewall all of the time anyway on most
>>everyone's machine so it would be a matter of how resource hungry
>>masquerading is.
>>
>>Anyone else?
>
>A firewall is only a truly secure and effective firewall if it's a
>stand-alone device.  In other words, you need to dedicate a machine
>to be the firewall, put 2 NICs in it and load only the necessary apps and
>a customized rc.firewall script.  Or install Smoothwall or IPCop.  I
>use IPCop.  See smoothwall.org or ipcop.org.
>If it's a 200MHz or so with 64 or 128M RAM, it'll be fine for a
>firewall for a small LAN.
>
>>  tr_data1 wrote:
>>
>>>>From: Johnny Cybermyth <djcybermyth at sbcglobal.net>
>>>>Subject: Re: [NTLUG:Discuss] Re: Discuss Digest, Vol 31, Issue 19
>>>>
>>>>I have a DSL account with SBC Yahoo!.  I set my home network up
>>>>using an older p2 box running a stripped down version of suse(v6.2
>>>>I think) as a firewall/router.
>>>>
>>>>[chg to h/w firewall/router resulted in insufficient protection to M$]
>>>>
>>>That's my belief as to what would happen. I was kind of hoping that the
>>>h/w ones were more robust by now. Some even talk about SPI and
>>>DoS protection. I'd rather not have a monthly/yearly expense of virus
>>>protection s/w on the M$ box either if going through a firewall catches
>>>most things.
>>>
>>>If your main box was/is Linux, would you still have a separate machine
>>>for the firewall/router? I have a k6/233 not being used right now but
>>>it doesn't seem worth the elec$/heat/space expense vs running on my
>>>main box. What are the advantages? I can't imagine such a task would
>>>consume much ram/cpu/disk. Right? Or is it a matter of having all
>>>the ports, etc. more tightly controlled on the firewall/router box?
>>>=TR=
>>>
>>>
>>>_______________________________________________
>>>https://ntlug.org/mailman/listinfo/discuss
>
Questions and comments:

What brand of H/W firewall were you using?  For some of them "firewall" 
means nothing more than NAT (what a joke).  I'm using SMC's 7004VBR, 
which does stateful inspection, but I also have iptables enabled on my 
Linux PC which is behind the 7004VBR and didn't settle for just the 
default settings.  I went and Googled on iptables and found some good 
ideas which I implemented.  I haven't taken the time to look at my logs; 
guess I should.

I have a Windows machine but rarely use it (mainly for compatibility 
testing) so I can't speak to M$ vulnerabilities from personal experience 
(it's not connected to the Internet).

The only reason I can see for needing a dedicated host for a firewall 
would be the other services you might want to run on a non-dedicated 
host.  I don't know if holes are introduced by running such things as 
cups and X but, in general, the more "listening" services running the 
more risk.  If you decide to go this way take a careful look at what you 
want to run (and do run) and do your research on the possible 
vulnerabilities.

Another issue is that a firewall is only part of the defense because it 
is a packet-level application.  Configuring a firewall to allow only 
inbound traffic on connections you request (my understanding of what SPI 
really is) has no benefit if you decide to make or accept a "connection 
offer" at the application level.  What I mean here is double-clicking on 
email attachments, or visiting questionable websites.  For the latter, 
the real problem is deciding "what is questionable".  I'm personally 
opposed to porn but I have found myself unwittingly landing on a porn 
site a couple of times just from my Web searches and mis-typing a "good" 
web site's name.  An example of a porn site's "opportunism", if it's 
still out there, is whitehouse.com (I believe that's the URL; the 
website for the US White House is whitehouse.gov).  You have to think 
about the kids here: they will mis-key website names and likely not have 
the discretion adults would have about what web sites they visit.

I'm reading things which say that a proxy has more granular control over 
content than a firewall and am considering looking into Squid as a 
result.  Can anyone who has experience with Squid comment on this?  Thanks.
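
Added example (editor's addition, not from the original post or any of the
quoted replies): a minimal rc.firewall-style ruleset for the dedicated
two-NIC Linux firewall/router Terry describes, emitted in iptables-restore
format. The interface names (eth0 toward the DSL modem, eth1 toward the
LAN), the 192.168.1.0/24 LAN subnet and the ssh-from-LAN rule are
assumptions. It shows what "allow only inbound traffic on connections you
request" looks like in iptables: a conntrack ESTABLISHED,RELATED match in
front of default-DROP INPUT and FORWARD chains. The MASQUERADE line on its
own is the "NAT is not a firewall" case.

```shell
#!/bin/sh
# Added example: rc.firewall-style ruleset for a two-NIC Linux
# firewall/router. Interface names and LAN subnet are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # assumption: NIC facing the DSL modem
LAN_IF="${LAN_IF:-eth1}"              # assumption: NIC facing the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption: LAN subnet

# Print the ruleset in iptables-restore format. It is a function that
# writes to stdout so the rules can be inspected or diffed without root.
fw_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT alone is not a firewall: it only rewrites source addresses.
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default-deny on INPUT and FORWARD; the firewall box itself may talk out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful inspection: inbound packets are accepted only when they belong
# to a connection a host behind the firewall opened. An unsolicited SYN
# arriving from the Internet matches nothing below and hits the DROP policy.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open new connections to the Internet ...
-A FORWARD -i ${LAN_IF} -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
# ... and ssh to the firewall itself for administration; nothing else.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited) what falls through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# fw_check verifies the two properties that make this more than NAT:
# default-deny on INPUT/FORWARD and a conntrack accept rule in front of it.
# Returns 0 if both hold, 1 otherwise.
fw_check() {
  rules=$(fw_rules)
  echo "$rules" | grep -q '^:INPUT DROP'   || return 1
  echo "$rules" | grep -q '^:FORWARD DROP' || return 1
  echo "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
  return 0
}
```

Apply as root with `sysctl -w net.ipv4.ip_forward=1` followed by
`fw_rules | iptables-restore`; on older kernels the conntrack match is
spelled `-m state --state ESTABLISHED,RELATED`. The FORWARD rule that lets
LAN hosts open new connections outward is exactly the path a
double-clicked attachment uses when it phones home, which is the limit of
a packet-level firewall Leroy points out above; the LOG rules give the
firewall logs something to show when you do look at them.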