Re: Higher-End Home FW Question
From: E. (loony_at_aliensmoke.org)
Date: Tue, 14 Dec 2004 18:01:04 +1100
> In article <3266v9F3gfa5iU1@individual.net>, email@example.com
>>>In article <3253gnF3guuq0U1@individual.net>, firstname.lastname@example.org
>>>>I have a *major* issue with your approach. It basically stops P2P
>>>>programs from running or communicating *after* the spyware-riddled
>>>>shitware has been installed.
>>>I agree, with a properly configured firewall appliance at the border
>>>users would not be able to download installers from the web in order to
>>>install those types of applications. As a simple example, unauthorized
>>>users behind our firewalls can not download any executable file using
>>>the http interface, and don't have FTP access either. All email is
>>>scanned for attachments and any executable file is removed from the
>>>email. We don't worry about those types of things making it in. We also
>>>ban the use of portable memory in the office, except for authorized
>>I just built an IPCop box for a client that does exactly that. Certain
>>types of downloads are banned (exes, installers, etc.); chat sites and
>>programs are blocked as well as 'bad' sites and content.
>>A bit of thought, the right product and you can eliminate problems from
>>Viruses are basically a non-event for my customers now - even unknown
>>ones are blocked due to content rules and attachment filters.
>>Spam filtering is still a bit hit-and-miss though.
> I just started messing with RedHat FC3, it's a great platform, at least
> better than SUSE or Mandrake. It's the polish that does it for me - a
> GUI for every task that I might want to do.
> I'm going to have to look into some stand-alone Linux build firewalls
> with filtering, but WatchGuard has just made my life sooo easy.
IPCop/Smoothwall is a good place to start. Easy to get up and going,
plenty of online material etc. Just make sure the NICs are supported.
Unfortunately I don't get to do much with the WatchGuard prods anymore
as I can do the filtering stuff with IPCop and VPNs with Netgear boxes
a lot cheaper.
I advise clients that WatchGuard's support is the best I've ever had,
anywhere, advise them of the features available but they generally make
decisions based mainly on initial costs. Plus the live sec subs and
warranty renewals seem high to end users. Don't ask me why.