On 11/18/2016 02:56 PM, Vojtěch Zeisek wrote:
> Or something like https://omnia.turris.cz/en/ ?
To be honest that bothers me for reasons of what I can best describe as 'security architecture'. I realise that modern parlance mentions 'boundaryless security' but I still like the idea of the CPE/router being a boundary. Given that, there are things that run at the boundary and things that don't.

We see on some (perhaps NAT'ing) home routers an option to pass through one or more ports, or even pass through everything to one machine, so making it 'not a firewall'. I realise that you shouldn't use a NAT as a firewall, a NAT is not a security device, but it does, or can, protect against gross stupidity wrt 'incoming', unless you play with these settings.

But what this device is doing is migrating functions that should be on the 'inside' of a boundary, either in the 'DMZ' or in the protected area, onto the router itself. Yes, I know, such isn't new. Back when, some of those 'packet inspection' systems (that didn't actually inspect the packet contents) that ran on SUN workstations were in a situation where CPU power so overwhelmed network demands that people who should have known better decided to put, and hence 'expose', various functions by running them on the 'firewall'.

It's not that you absolutely can't do this in a secure manner, setting up a boundary within the machine itself. It's just that it takes a very specific security architectural approach and is not something that you do as an add-on to a firewall. And it has to be tested in a very specific way, not simply the normal functional testing.

The idea of being more 'efficient' by running more stuff to soak up all that unused CPU power etc. is misguided. Given that you can implement a DEDICATED firewall on a Pi or Arduino and glue it to the inside of a chassis as a "bump in the wire" to the LAN port, such misguided efforts at 'efficiency' seem wrong brained to me. Repeating the errors of the past has got us into trouble before.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?