On Wed, Feb 21, 2001 at 08:22:52PM +0000, Conor Daly wrote:
> I go with the 486 firewall solution also. BTW, I had this idea of making
> the firewall box as untrusted as possible on the rest of the network as an
> extra layer of security (ie. if the firewall cannot telnet to any other
> box on the LAN it cannot do much and so on.). The idea being that if the
> firewall is compromised, the rest of the network is inaccessible from it
> anyhow. Or am I just dreaming? All the other boxen look to this as their
> gateway and internet router.
I would have thought that the boxes trust it *implicitly* - it is their
router, after all. :-)
IMHO, running services on a masq box is just begging for trouble.
Perhaps, without even the *potential* to run services - no init, just a
script that sets up the various masq rules. Wouldn't it be nice if one
could embed the rules in the kernel too? Then one could just dd the
kernel onto a floppy, boot the router and have it do one's routing.
No userspace code at all. :-)
PS. Oh yes, and a separate intrusion detection box connected to the ethernets
on either side of this router by two `listen-only' ethernet cables...?
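As an added example (not code from the post or from ILUG), here is what "no init, just a script that sets up the masq rules" can look like in practice. It uses iptables, the 2.4-kernel successor of ipchains masquerading, and generates an iptables-restore ruleset that also expresses Conor's idea: the router forwards LAN traffic out and the replies back, but accepts nothing addressed to itself (apart from ping from the LAN) and originates nothing, so a process running on it has no network path into the LAN. The interface names eth0/eth1, the LAN 192.168.1.0/24 and the router's LAN address 192.168.1.1 are assumed, hypothetical values; the `check_rules` guard refuses to load a ruleset whose filter chains are not default-DROP or that ACCEPTs inbound on the external side.

```shell
#!/bin/sh
# Added example, not from the original post. Can be passed to the kernel as
# init=/path/to/this (--init) on a boot floppy, or run on a normal box
# (--apply). Assumed, hypothetical values: external interface eth0, LAN
# interface eth1, LAN 192.168.1.0/24, router LAN address 192.168.1.1/24.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Emit an iptables-restore ruleset: forward LAN->outside and the replies,
# masquerade outbound traffic, default-DROP everything aimed at or leaving the
# router itself (echo-request from the LAN left open as a sanity check).
build_masq_rules() {
    ext_if="$1"; int_if="$2"; lan="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int_if -s $lan -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
EOF
}

# Guard run before loading: all three filter chains must default to DROP and
# no rule may ACCEPT traffic arriving on the external interface for the router
# itself. Returns 0 when the ruleset passes, 1 otherwise.
check_rules() {
    rules="$1"; ext_if="$2"
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep -q '^:OUTPUT DROP' || return 1
    if echo "$rules" | grep -- "^-A INPUT -i $ext_if" | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Load the ruleset atomically and turn on forwarding. Needs root and a kernel
# with netfilter; not exercised by the dry run (--show).
apply_rules() {
    rules=$(build_masq_rules "$EXT_IF" "$INT_IF" "$LAN")
    check_rules "$rules" "$EXT_IF" || { echo "refusing to load unsafe ruleset" >&2; return 1; }
    echo "$rules" | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# As PID 1: bring up the interfaces, load the rules, then sleep forever.
# No getty, no shell, no daemons: nothing listening that could be attacked.
masq_init() {
    mount -t proc proc /proc
    ip link set lo up
    ip link set "$INT_IF" up
    ip addr add 192.168.1.1/24 dev "$INT_IF"   # assumed LAN-side address
    ip link set "$EXT_IF" up                    # upstream address/route left to the caller
    apply_rules || echo "rule load failed; forwarding stays off" >&2
    while :; do sleep 86400; done
}

case "${1:-}" in
    --init)  masq_init ;;
    --apply) apply_rules ;;
    --show)  build_masq_rules "$EXT_IF" "$INT_IF" "$LAN" ;;
esac
```

Run it with `--show` to review the generated ruleset on any machine; `--apply` loads it with iptables-restore, which swaps the whole table in one step rather than leaving a half-built chain open while individual commands run. Note that the OUTPUT DROP policy also stops the router from doing DNS, NTP or package updates on its own behalf, which is exactly the point of the "as untrusted as possible" idea: anything it needs from the LAN has to be pushed to it, not pulled.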