Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] Firewall + server on one machine?
  • From: rhoerbe@xxxxxxxxxxxxxxxx
  • Date: Wed, 24 May 2000 14:46:26 +0200
  • Message-id: <OF7A799FC4.31814728-ONC12568E9.00457320@xxxxxxxxxxxxx>
You seem to imply that firewall = ipchains + masquerading. The problem
with this approach is that you still forward packages from the hostile
net to the internal net. And vulnerable IP stacks on internal systems could
be attacked. If you build an application level firewall (using squid,
socks, plug-gw et al.), then ipchains is an add-on for improved security,
but you can make the system pretty safe without it. But you would have to
turn off ip-forwarding, or have some rule in the forward chain of ipchains.
To harden a firewall and a server is quite similar ..

Rainer




Ragnar Beer <rbeer@xxxxxxxxxxxxxxxxx>
Sent by: suse-security-return-1812-rhoerbe=netpromote.co.at@xxxxxxxx
24.05.00 14:34


To: suse-security@xxxxxxxx
cc:
Subject: Re: [suse-security] Firewall + server on one machine?

>Hi
>
>You can build rules for packet filtering with ipchains. That's okay on a
>stand-alone machine. A real firewall cannot save the same machine where
>it is installed.

I guess that's what I don't understand. If I can make separate rules
for incoming and outgoing packets isn't then the firewalling
something like a virtual machine in between? What would be the
advantage of having another (physical) machine if I have only one
machine to protect?

--Ragnar
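
Whether IP forwarding is really off on a proxy-only firewall host, as discussed in the reply above, can be checked on the host itself. The following is an added example, not part of the original thread; it assumes the Linux `/proc/sys/net/ipv4` layout, and `check_forwarding` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit that a proxy-only firewall host is not routing IPv4.
# check_forwarding is a hypothetical helper. Its optional argument is the
# directory to inspect; it defaults to the live /proc/sys/net/ipv4 tree and
# can point at a saved copy for offline review.
# Exit status: 0 = forwarding off, 1 = forwarding on somewhere, 2 = unreadable.

check_forwarding() {
    root="${1:-/proc/sys/net/ipv4}"
    status=0

    # Global switch: 0 means the kernel does not route between interfaces.
    if [ ! -r "$root/ip_forward" ]; then
        echo "UNKNOWN: cannot read $root/ip_forward"
        return 2
    fi
    if [ "$(cat "$root/ip_forward")" != "0" ]; then
        echo "FAIL: ip_forward is enabled"
        status=1
    fi

    # Per-interface switches can be changed on their own after the global
    # one was written, so every interface is checked as well.
    for f in "$root"/conf/*/forwarding; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            iface=$(basename "$(dirname "$f")")
            echo "FAIL: forwarding enabled on interface $iface"
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: host does not forward IPv4 packets"
    return "$status"
}
```

Run it from a boot script or a periodic check, so that a later change which re-enables routing between the hostile and the internal interface is noticed.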

