Bruce Marshall wrote:
On Wed December 3 2003 03:39 am, John Andersen wrote:
On Tuesday 02 December 2003 06:33, Sid Boyce wrote:
I wonder how current the commercial boxes are, especially with updates when vulnerabilities are discovered.
Exactly right, Sid. For the price of a second NIC ($5 at a flea market) you can protect your entire net with any of your Linux boxes and never even notice the load. Even an old machine you might consider junking has enough gas to pass packets as fast as your cable modem or DSL can deliver them. I use an old Pentium 120 for this - running headless (no monitor) over in the corner, and manage it with ssh.
Most of these firewall/routers are running some long obsolete version of linux, and many are not upgradeable. They are far more hackable than the companies lead you to believe, and have been frequently shipped with commonly known passwords.
In the process you will have to learn at least a smattering of things about iptables (shorewall makes it child's play), DHCP server setup, and that's about all that is necessary. The rest is optional.
The only thing the commercial boxes have going for them is they are getting so cheap ($30-$80) that those too busy to learn can still use them.
But "too busy to learn" does not sound like a Linux user.
Just my $.02, but I really think you (John) are going a bit overboard on this. I once had to set up a small household LAN with two machines, both Linux and using DSL for a connection. I originally set it up with a 2-NIC setup and it worked fine. But for several reasons, I decided to switch to a Linksys router.
Some of the reasons were:
1) I wouldn't always be around to troubleshoot any problems that might come up with a 2-machine setup.
2) The extra machine would be running all the time when it wasn't being used for anything but a firewall. (not a big deal)
3) No UPS, so any power problems and subsequent boot problems would have to be dealt with.
4) The Linksys box handled forwarding of requests without much of a hassle.
and the main reason:
5) I found the Linksys box to be a much tighter firewall than the Linux box (based on nmap from an outside scan). And yes, I had the firewall set up like I wanted it. Yes, you could probably screw things down as tight as the Linksys box, but that can create problems too.
So I don't think you are doing people any big favors by brow-beating them into using a firewall machine. Every situation needs to have its own proper solution.
I just think people should be aware of the options, and they are many. If I suffer a power cut - I never remember to replace the UPS (and get new batteries for this one) when I have all boxes down - and my daughters need to use the machines while I'm away, they just boot up floppyfw, which is preconfigured, and they are on the net. An extra machine can be very basic and out of the way: a case/PS, motherboard, a 486, 8M or so of memory, a floppy and 2 NICs. It can't consume much more power than the nice painted box, itself a firewall machine. Then there is the question of whether it can be kept current with the changing nature of attacks and intrusions.

Outside nmap scans -- I haven't tried it, but you might give me a report on 82.37.88.186 running BBIagent.

Regards
Sid.
--
Sid Boyce .... Linux Only Shop.
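As an added example (not part of this thread, and not shorewall's or floppyfw's own code), here is the kind of two-NIC iptables ruleset John's "second NIC plus an old box" setup implies, written in iptables-restore form so it can be reviewed before it is applied, together with a small check for the property Bruce measured with an outside nmap scan: no rule accepts an unsolicited connection arriving on the WAN side. The interface names eth0 (modem side) and eth1 (LAN side) and the LAN range 192.168.1.0/24 are assumptions; the `conntrack` match is the modern spelling of what 2003-era kernels did with `-m state`.

```shell
#!/bin/sh
# Minimal two-NIC home firewall/NAT ruleset (added example, not from the thread).
# Assumptions: eth0 faces the cable/DSL modem, eth1 faces the LAN, and the LAN
# uses 192.168.1.0/24.  Override with environment variables to match your box.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit a complete iptables-restore ruleset on stdout.  INPUT and FORWARD default
# to DROP, so anything not explicitly listed below never gets in or through.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN side (WAN address is dynamic)
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we started are always fine
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a packet with a LAN source address cannot arrive on the WAN side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Management (ssh), DHCP and ping are accepted from the LAN interface only
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
# Forwarding: LAN -> WAN freely, WAN -> LAN only for replies to LAN-initiated traffic
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules that ACCEPT traffic arriving on the WAN interface.
# For a box that should expose nothing to the outside this must be 0; it is the
# same property an outside nmap scan verifies empirically.
wan_open_ports() {
    build_ruleset | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

# Apply only when run as root with an explicit "apply" argument; otherwise just
# print the ruleset so it can be reviewed first.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run it once with no arguments to inspect the generated ruleset, then `sh firewall.sh apply` as root; if you later add a port-forward for a LAN service, `wan_open_ports` going above zero is the reminder that the "nothing open from outside" property no longer holds and the outside scan should be repeated.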