Re: What's the point of not allowing all outgoing traffic by default?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Wed, 30 May 2007 20:05:43 -0500
On 29 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1180473997.491556.90730@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
linuxlover992000@xxxxxxxxx wrote:
> Once upon a time I used to have my firewall running in a Linux box
> (old PC consuming at least 150W). I then decided that I need to
> conserve energy and purchased a NETGEAR FVS328 that consumes only 12W.
Was that a measured 150 watts? That's an enormous amount of power for a
pc being used as a firewall. By chance, did that also include a monitor
or display of some kind?
> it seems that the theoretical risk in allowing all outbound traffic is
> worthwhile
With obvious limitations, sure.
> until I find a piece of hardware that consumes 12W-15W and is able to
> run iptables, VPN, DNS proxy, NTP server
It's probably going to be a lot harder now, as the old stuff has largely
disappeared. The firewall at home (cable, dialout backup, masquerading a
number of systems on the LAN) is what is left of a 386SX-16 laptop of
uncertain origins (may be an Acer), with 8 Megs of RAM and an ancient
420 Meg disk. No case, no keyboard, no display. It's drawing about
15 VA, most of which is in that hard disk. I believe in running the
absolute minimum of services _on_ the firewall, so the DNS and NTP
servers are actually on the secondary file server.
> and some additional useful tools (emacs?).
---------------------
"Emacs is a great OS. The only thing it lacks is a decent editor."
-------
It's actually Emacs that is the OS and GNU/Linux the device-driver.
-------
Actually I tried Emacs, but it kept asking for my credit card details to
buy a better computer to run on.
-------
Computers tend to come with at least 512Mb RAM these days. Half for X,
half for emacs, what's the problem?
---------------------
Everyone is always banging away at emacs, but
---------------------
"Thanks to the joint efforts of OpenOffice, Mozilla, and a few others, Emacs
officially entered the category of lightweight utilities." -- kalifa on /.
---------------------
> Thank you all for your replies - you certainly helped me to make a
> decision to allow all outbound traffic by default.
For a _standalone_ firewall, where you have the chance of windoze boxes
behind it getting 0wn3d, a rule that blocks _OUTBOUND_ SMTP except to
the ISP's smart server would not be unreasonable, although you look to be
comcast, and at least _some_ sections of the comcast network are finally
blocking it for you. "tcptraceroute", "hping3" (or hping2) and "mtr" can
be used to check this.
[compton ~]$ whatis traceroute tcptraceroute hping2 hping3 mtr
traceroute (8) - print the route packets take to network host
tcptraceroute (8) - A traceroute implementation using TCP packets
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
hping3 (8) - send (almost) arbitrary TCP/IP packets to network hosts
mtr (8) - a network diagnostic tool
[compton ~]$
Old guy