Re: Linux server as it own firewall

From: Ross Vandegrift (ross@willow.seitz.com)
Date: 09/12/01


From: Ross Vandegrift <ross@willow.seitz.com>
Date: Wed, 12 Sep 2001 15:56:00 -0400
To: James Puckett <jpuckett@ticom.com>
Subject: Re: Linux server as it own firewall
Message-ID: <20010912155600.A16865@willow.seitz.com>


> Overall I am really against the idea, but in the long run working this way
> could save some money, and if it looks like the system won't be made too
> insecure this could be a viable idea.

I run *all* my boxen like this, and have never found it to be less secure than a
separate firewall machine - be aware that it is a good bit more problematic and
much harder to manage. Different machines will probably need different rules, and
it can be hard to keep them straight.

To me, though, it seems like a logical solution to running 'bad' services on
internet hosts for internal reasons. For example, my boss likes to rw-NFS mount
our hosts on our internal network. Each NFS server has an iptables firewall
ruleset that includes a "deny NFS access to the internet!" type rule.

It has proven to be a very powerful way of controlling access - don't think of it
as a firewall on a host. Think of it as TCP Wrappers, but *really* jacked up ::-)

Ross Vandegrift
ross@willow.seitz.com
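A host-based ruleset of the kind Ross describes, written as an added example rather than his own configuration: it accepts NFS only from an assumed internal network and drops (and rate-limit logs) everything else. The network address is a constructed sample, ports 111 (rpcbind) and 2049 (nfsd) are the well-known ones, and the helper ports that NFSv3 mountd/lockd/statd pick dynamically are assumed to have been pinned in the NFS configuration before rules like these can cover them.

```shell
#!/bin/sh
# Added example, not from the original mail: a host firewall for a server
# that exports NFS to an internal network only. Assumptions: INTERNAL_NET
# is a constructed sample, and any dynamic NFSv3 helper ports (mountd,
# lockd, statd) have already been pinned so they can be listed here.
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # constructed sample network
NFS_PORTS="111 2049"                              # rpcbind and nfsd
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print rules, 0 = apply

# Print each rule instead of applying it when DRY_RUN=1, so the logic can
# be reviewed (and tested) on a machine without root or iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the NFS-specific INPUT rules for every port/protocol pair:
# accept from the internal network, log other attempts at a bounded
# rate for later review, then drop them.
nfs_host_rules() {
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            ipt -A INPUT -p "$proto" --dport "$port" -s "$INTERNAL_NET" -j ACCEPT
            ipt -A INPUT -p "$proto" --dport "$port" -m limit --limit 5/min \
                -j LOG --log-prefix "NFS-DROP: "
            ipt -A INPUT -p "$proto" --dport "$port" -j DROP
        done
    done
}

# Number of rule lines the ruleset produces (a quick sanity check that
# every port/protocol pair got its accept, log and drop rule).
count_rules() {
    nfs_host_rules | wc -l | tr -d ' '
}

# Preview: sh nfs-rules.sh    Apply as root: DRY_RUN=0 sh nfs-rules.sh
nfs_host_rules
```

The accept rule must precede the drop rule for the same port, and these rules only make sense alongside a default-deny policy for the rest of INPUT.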