decent non-embeded firewall (my worthless 2 cents)

Paul Mooring drpppr242 at gmail.com
Tue Mar 31 09:01:35 MST 2009


OpenSuse has a limited GUI in YaST for SuSE firewall that is essentially
a frontend for iptables. It seemed fairly easy to use when I last played
with it, but I didn't care for the ruleset it generated; it seemed to be
way too much, and made it nearly impossible to edit the rules manually
through iptables.  Other than that, if you want to do the iptables rules
by hand I really strongly recommend gentoo: it leaves out all the extra
packages like LFS, you can throw on the hardened use flag on relevant
packages, and '/etc/init.d/iptables save' seems easier/cleaner to me
than maintaining a custom script.

On Tue, 2009-03-31 at 08:44 -0700, Bryan O'Neal wrote:
> It's a home box, right now I just flip the power switch on my router when I
> sit down and maybe a few times while working (when being stormed).
> If I have to convert the available box over to a dedicated system then I
> may, but I also may just keep manually rebooting the Netgear.  It is an
> intermittent, but annoying, problem.  Though I suppose since my TV died I
> don't need a box hooked to my TV until I replace it anyway ;)
> 
> It's mostly a case of the cobbler's children having no shoes. I would never
> have allowed a commingled device for my clients, but I don't mind having one for
> myself.  That and routing should not take that much power, after all high
> end embedded are designed to run on a PIII 500, my TV box way outstrips
> this :) 
> 
> As for exposing everything on the network I would only expose one box, the
> one running the firewall.  Everything else would be sitting behind the
> firewall that currently suffers the reboot when flooded problem. 
> 
> Basically if I can not find a decent commingled product it is better to
> suffer the five days a month I have storm issues than to argue home
> esthetics with my wife. Although I was looking forward to being able to
> run things like snort and squid on the border box as well as having
> better logging than what my router currently does. However, again, it's not
> worth arguing with a pregnant wife that I need to put up another pair of
> minitowers, one box as a firewall/router and then another right next to it as
> a proxy server/monitor and then the router I have now. And then to tell her
> she can't surf on the main TV anymore would definitely not be worth it.
> 
> Please remember, this is my home not a business, each box is independently
> firewalled, I encrypt all traffic on my private net, and all but one box
> would sit behind the current firewall appliances.  Again, perhaps I am just
> an idiot but I don't see how this is so bad?  I am guessing there are people
> on this list running wireless networks with WAP and not encrypting traffic
> between their boxes so having a border box not running a dedicated
> distribution does not seem like heresy. Can one of the experts tell me
> (please) in hard numbers how having a commingled border router that
> forwards approved traffic to an internal firewall router that then handles
> an internal net where all traffic is encrypted and each box has an internal
> firewall is so much worse than the average set up on this list? Because
> I am seriously missing something as I just don't see how this substantially
> increases my risk beta. 
> 
> 
> 
> -----Original Message-----
> From: plug-discuss-bounces at lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of
> kitepilot at kitepilot.com
> Sent: Tuesday, March 31, 2009 3:59 AM
> To: Main PLUG discussion list
> Subject: Re: decent non-embeded firewall (my worthless 2 cents)
> 
> >> allowing me to keep the box hooked up for its "tv" centric features.
> DON'T!!! 
> 
> A firewall, is a firewall and is a firewall.
> In my perpetually delusional state of paranoia, I don't allow ANYTHING not
> indispensable on my firewall.
> And even though, I look for ways to eradicate... 
> 
> My firewalls run in LFS with ONLY what is essentially needed for the job. 
> 
> I even tried once "Debian from Scratch" and could not digest the amount of
> junk they insisted on putting in. 
> 
> my mantra:
> DO NOT USE YOUR FIREWALL FOR ANYTHING ELSE BUT THE FIREWALL.
> YMMV
> Enrique. 
> 
> PS: The fact that I am paranoid doesn't mean that they are not after me...
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
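As an added example (not Paul's, Bryan's or the list's own code), here is the kind of small, hand-editable ruleset this thread is after for a dedicated border box: default-deny, NAT for the internal net, only approved LAN-to-WAN forwarding, and rate-limited logging of what gets dropped. The interface names eth0/eth1 and the 192.168.1.0/24 subnet are assumed placeholders; the output is in iptables-restore format so it can be loaded as a unit and then persisted with Gentoo's '/etc/init.d/iptables save'.

```shell
#!/bin/sh
# Added example: generate a minimal iptables-restore ruleset for a border box.
# Interface names and LAN subnet are assumptions passed in as arguments.
gen_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the internal net behind the border box's WAN address
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Log (rate-limited, so a flood cannot fill the disk) and then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management (ssh, ping) only from the LAN side, never from the WAN
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
-A INPUT -j LOGDROP
# Forward only approved traffic: LAN out to WAN, and replies back in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}
# Sanity check on the generated text without touching the kernel
rules_ok() {
    gen_rules "$@" | grep -q '^:INPUT DROP' &&
    gen_rules "$@" | grep -q -- "-A FORWARD -i $2 -o $1 -s $3 -j ACCEPT"
}
# Load into the kernel only on explicit request (APPLY=1) and as root;
# afterwards '/etc/init.d/iptables save' on Gentoo persists the running set.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    gen_rules eth0 eth1 192.168.1.0/24 | iptables-restore
fi
```

Run it without APPLY=1 to just inspect the text (`gen_rules eth0 eth1 192.168.1.0/24`); the whole ruleset is a few dozen lines, which is the point compared with a generated one that cannot be edited by hand.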
