On Tue, 2002-06-25 at 19:12, George Toft wrote:
> George's $0.02.
>
> In the area of running boxes inside a network (LAN) that has a firewall
> protecting them from the bad Internet, I am at odds with some
> corporations, who shall remain nameless. I feel every box on the
> network should be able to stand on its own without the firewall (at
> least for a few hours). This provides redundancy - if the main firewall
> fails or is compromised, you have one more layer of protection. Look at
> it like a bank - do you think they use just one lock to keep the bad
> guys out?
>
> Yes, I practice what I preach - my workstation runs a firewall just as
> strong as my dedicated hardware firewall. That way, if I goober up the
> hardware firewall, I'm not left naked with my arse hanging out.
>
> So running ipchains on an internal box is not a bad thing - just make
> sure you know why you are doing it.

----

Thanks for the naked metaphor.

If you looked at his ipchains rulesets, you would know how much
consideration had been given to them. That was my point.

I had a customer... a patent engineer, EE, Tcl programmer and all around
very intelligent guy, install firewall software on his computer and
couldn't figure out why he couldn't print or see the file servers, etc.
He couldn't log in to the Windows domain controller, but his computer was
safe.

I agree with you... know why you're doing it, but you also need to know
how to do it.

Craig
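The failure Craig describes (a host firewall that is "safe" but cuts the workstation off from its own LAN) comes down to what the input chain lets back in. The following is an added example, not code from the thread or from ipchains itself: a small first-match filter that models ipchains input-chain semantics, with the constructed LAN subnet 192.168.1.0/24 and service ports assumed. It contrasts an empty deny-everything chain with one that accepts server replies from the LAN while still refusing new inbound connections, which is what the ipchains `-y` (SYN-only) match is for on a stateless filter.

```python
import ipaddress

# Added example: models ipchains "input" chain semantics (first matching rule
# wins; otherwise the chain's default policy applies).  Not ipchains itself.
# Subnet and ports are constructed for the demonstration.
LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed LAN subnet
SMB_TCP, PRINT_TCP, NETBIOS_UDP = {139, 445}, {515, 631}, {137, 138}

def rule(proto=None, src=None, sport=None, dport=None, syn=None, target="ACCEPT"):
    """One ipchains-style rule; None means 'any'. syn=False models '! -y'."""
    return dict(proto=proto, src=src, sport=sport, dport=dport, syn=syn, target=target)

def matches(r, p):
    if r["proto"] is not None and r["proto"] != p["proto"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(p["src"]) not in r["src"]:
        return False
    if r["sport"] is not None and p["sport"] not in r["sport"]:
        return False
    if r["dport"] is not None and p["dport"] not in r["dport"]:
        return False
    if r["syn"] is not None and r["syn"] != p["syn"]:
        return False
    return True

def verdict(chain, policy, p):
    """First matching rule decides; fall through to the chain policy."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy

# The engineer's setup: policy DENY and no rules.  ipchains keeps no
# connection state, so replies from the file and print servers die here too.
LOCKED_DOWN = []
# Corrected workstation chain: accept non-SYN TCP coming *from* the LAN
# service ports (server replies) and NetBIOS name-service UDP on the LAN;
# everything else, including new inbound connections, falls to DENY.
WORKSTATION = [
    rule("tcp", LAN, sport=SMB_TCP | PRINT_TCP, syn=False),
    rule("udp", LAN, sport=NETBIOS_UDP, dport=NETBIOS_UDP),
]

def pkt(proto, src, sport, dport, syn=False):
    return dict(proto=proto, src=src, sport=sport, dport=dport, syn=syn)

SMB_REPLY = pkt("tcp", "192.168.1.10", 139, 1034)            # file server -> us
NB_BROADCAST = pkt("udp", "192.168.1.12", 137, 137)          # name service
SHARE_PROBE = pkt("tcp", "192.168.1.77", 139, 139, syn=True)  # new inbound connection
OUTSIDE = pkt("tcp", "203.0.113.9", 139, 1034)               # not on the LAN

def compare(p):
    """(verdict under the locked-down chain, verdict under the corrected chain)."""
    return verdict(LOCKED_DOWN, "DENY", p), verdict(WORKSTATION, "DENY", p)
```

Under the empty chain every packet, including the file server's replies, is denied, which is exactly "can't see the file servers"; the corrected chain lets those replies through without opening the workstation's own ports to the LAN.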