[AccessD] OT: Firewall

John Colby jwcolby at ColbyConsulting.com
Mon Oct 10 14:17:16 CDT 2005


PCTech,

First let me say that signatures are a good thing.  We know what you like to
be called and can address you that way.

Second, I understand the "dedicated firewall" mentality, but for Joe Average
(me!) it is a non starter.  The effort involved in learning enough just to
get Linux installed is enough to kill the concept.  I have done that much
and all by itself it was enough to give me pause.  Believe me, I read about
such things and wish... But it ain't happening.  What is simple to a
"computer network engineer" is pretty much Greek to me.

And finally, what you are discussing is what high end routers with REAL SPI
etc firewalls built-in are all about are they not?  It is my understanding
that they are exactly that, real processors, running Linux, implementing a
firewall.  No hard disk to fail, no video to deal with, turns back on after
a power failure, instant on, etc.  I would be much more likely to go do that
than spend the time and effort building a Linux box to implement a firewall.
Even here, the difference between the $50 I actually spent and the $200 I
would need to spend for the real McCoy prevented that.

The simple router / NAT / firewall combination by itself pretty much
prevents the external probing kind of stuff (unless you have port mapping /
run a web server etc), and then the AV and software firewall picks up the
pieces not handled.  I have run this combination since going broadband about
4 years ago and have never had an infection, so I guess I have to say that
is "good enough".

I hate it when people rain on my parade, but I have considered this idea
several times in the past and just said no way it was going to really
happen.  OTOH, if you put together a "put in this CD, reboot and you will
have a hardware firewall" kind of package, I might be persuaded to try it.

John W. Colby
www.ColbyConsulting.com 

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

Not to sound biased, but there are better no-cost/low-cost options out there
if you have a spare PC lying around.

Being a computer network engineer, part of my job is providing solutions for
my employer with regards to "all things network".  A document I recently
completed, and I consider at draft 1 stage, is a document on how to build a
Linux based firewall from bare metal on up.

It doesn't discuss the rule sets themselves, but the rule set configurations
are discussed in the documentation for the application used to create them.

Aside from a few initial setup tasks the majority of the firewall
configuration is done via a web interface and a GUI interface.

This documentation also covers the installation of a transparent proxy and a
content filtering system.

Any firewall run on top of Windows suffers from all of the inherent attacks
against the host OS, which is why I run a dedicated machine, even at home,
for my firewall, and it's not running Windows.
-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
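For readers who want to see what the "REAL SPI" and NAT behaviour discussed above looks like on a dedicated Linux box, here is an added example of an nftables ruleset. It is not part of this message, nor of the document PCTech describes, and it assumes a hypothetical two-NIC layout: eth0 faces the ISP, eth1 faces a 192.168.1.0/24 LAN, and an optional internal web server sits at 192.168.1.10. The only thing that lets unsolicited traffic in from the outside is the explicit port map, which is exactly the "unless you have port mapping / run a web server" caveat.

```nft
#!/usr/sbin/nft -f
# Added example: minimal stateful (SPI) firewall plus NAT for a two-NIC Linux box.
# Assumptions (hypothetical, not from the thread): eth0 = ISP side, eth1 = LAN,
# LAN is 192.168.1.0/24, and an optional internal web server at 192.168.1.10.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.1.0/24
define WEB_SERVER = 192.168.1.10

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: drop unless explicitly allowed.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept   # replies to connections the box opened
        ct state invalid drop
        # Management (SSH, web GUI) reachable from the LAN only, never from the WAN.
        iif $LAN ip saddr $LAN_NET tcp dport { 22, 443 } accept
        # Let the LAN ping the box; rate-limit so it cannot be used to flood it.
        iif $LAN icmp type echo-request limit rate 5/second accept
        # Everything else, including unsolicited probes arriving on the WAN, is dropped.
    }

    chain forward {
        # Traffic routed between LAN and WAN.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept   # the "SPI" part: only stateful replies
        ct state invalid drop
        iif $LAN oif $WAN ip saddr $LAN_NET accept   # LAN hosts may initiate outbound
        # Only packets already rewritten by the port map below may enter from the WAN.
        iif $WAN oif $LAN ct status dnat ip daddr $WEB_SERVER tcp dport 80 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Port map: this single line is what exposes an internal host to the Internet.
        # Remove it if you are not publishing a web server.
        iif $WAN tcp dport 80 dnat to $WEB_SERVER
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Hide LAN addresses behind the WAN address (masquerade copes with a dynamic IP).
        oif $WAN ip saddr $LAN_NET masquerade
    }
}
```

Save it as /etc/nftables.conf, enable routing with `sysctl -w net.ipv4.ip_forward=1`, load it with `nft -f /etc/nftables.conf`, and confirm the result with `nft list ruleset`. Two checks worth doing afterwards: `ss -tlnp` should show no service bound to the WAN address that the input chain does not deliberately permit, and `conntrack -L` (from the conntrack-tools package) shows the state table that the `established,related` rules consult, which is what makes the box a stateful firewall rather than a plain packet filter.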