Re: Linux server as it own firewall

From: Ross Vandegrift (ross@willow.seitz.com)
Date: 09/12/01


From: Ross Vandegrift <ross@willow.seitz.com>
Date: Wed, 12 Sep 2001 15:56:00 -0400
To: James Puckett <jpuckett@ticom.com>
Subject: Re: Linux server as it own firewall
Message-ID: <20010912155600.A16865@willow.seitz.com>


> Overall I am really against the idea, but in the long run working this way
> could save some money, and if it looks like the system won't be made too
> insecure this could be a viable idea.

I run *all* my boxen like this, and have never found it to be less secure than a
separate firewall machine - be aware that it is a good bit more problematic and
much harder to manage. Different machines will probably need different rules, and
it can be hard to keep them straight.

To me, though, it seems like a logical solution to running 'bad' services on
internet hosts for internal reasons. For example, my boss likes to rw-NFS mount
our hosts on our internal network. Each NFS server has an iptables firewall
ruleset that includes "deny NFS access to the internet!" type rule.

It has proven to be a very powerful way of controlling access - don't think of it
as a firewall on a host. Think of it as TCP Wrappers, but *really* jacked up ::-)

Ross Vandegrift
ross@willow.seitz.com
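The "deny NFS access to the internet" rule described above, worked out as a small host-based iptables ruleset. This is an added example, not the ruleset from the original post: the internal network 192.168.1.0/24 and the chain name NFS are assumptions, and the script can be previewed without touching the kernel by setting IPT=echo.

```shell
#!/bin/sh
# Host-based iptables ruleset for an NFS server that is reachable from the
# internet but must only serve NFS to the internal network.
# Added example, not the ruleset from the mailing-list post.
# INTERNAL_NET and the chain name NFS are assumptions; set them for your host.

INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # assumed internal network
IPT="${IPT:-iptables}"                            # set IPT=echo for a dry run

# Ports NFS always needs: portmapper (111) and nfsd (2049), TCP and UDP.
# mountd, lockd and statd pick dynamic RPC ports unless you pin them in the
# server configuration; pin them and add them here, or internal clients will
# reach nfsd but still fail to mount.
NFS_PORTS="111 2049"

nfs_rules() {
    net="$1"
    # Keep the NFS policy in its own chain so it is easy to inspect and flush.
    $IPT -N NFS 2>/dev/null
    $IPT -F NFS
    for proto in tcp udp; do
        for port in $NFS_PORTS; do
            # Accept from the internal network, drop the same port from anywhere else.
            $IPT -A NFS -p "$proto" --dport "$port" -s "$net" -j ACCEPT
            $IPT -A NFS -p "$proto" --dport "$port" -j DROP
        done
    done
    # Send all inbound traffic through the NFS chain before any other INPUT rule.
    $IPT -I INPUT 1 -j NFS
}

# Print the rules that nfs_rules would apply, without running iptables.
preview_nfs_rules() {
    ( IPT=echo; nfs_rules "$1" )
}

# Apply to this host: nfs_rules "$INTERNAL_NET"
# Preview first:      preview_nfs_rules "$INTERNAL_NET"
```

Review the preview output before applying, and remember that the INPUT chain position matters: the NFS chain is inserted at position 1 so that a permissive rule added later (for example a blanket ACCEPT for established connections) cannot quietly reopen NFS to the outside.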


