On Sun, 2002-03-10 at 16:04, Dallas Helquist wrote:
> Others have stated this already, but here it is in one email:
>
> If what you are looking for is strictly a firewall (something to
> block/filter incoming and outgoing traffic), you should look for something
> that does only that. Adding other things to this "firewall" - no matter how
> convenient they may be - is just asking for trouble. Ever wonder why the
> big vendors don't sell firewall products that are also the company
> mail/web/file server? They aren't stupid.
>
> Now, the above rant aside...most home users want more functionality from
> their firewall device than just packet filtering. I use mine for web,
> email, samba etc. It's a dual 133 with a few nics in it - total cost
> including hub was $40.00US. I put redhat7.2 on it, cleaned up the rc3.d
> directory, set up a simple iptables ruleset. Instant firewall, albeit not
> very secure. I also don't run anything behind it besides my home
> machines...and everything there is easy to recover.
> ----

Asking for trouble is a comparative risk...at home, I have nothing of value to a hacker except for a machine to use for an attack on someone else I guess. Moreover, it's very instructive to see what goes on and how things break. I know that a couple of years ago, I had some redhat boxes that were hacked - I was running bind on these machines and it should have been blocked on the external NIC and set to listen only to the local lan in the first place, but the bigger thing was that I learned more by figuring out how these machines were hacked, and what the hackers did with them after gaining root, than I would ever learn by using one of the windows or internet/gateway/sharing device boxes for 5 years. The best choice isn't always the easiest, most secure or popular - sometimes the best choice is which can accelerate my knowledge of the processes involved.
I can tell that until I had set up a sophisticated ipchains firewall / proxy setup, I wouldn't have figured out how piss poor the $1000 Microsoft Proxy Server 2.0 was.

Here's a hint though - trying to work my way back to the original topic...if all you want is a router/firewall box, the 486/low end pentium is probably just fine. If you want a box that you can use for other things, then the hardware used is likely to be much more important, and keep the following things in mind...

- use non-root accounts for login
- explicitly block all packets on external ip/NIC except those that you absolutely need.
- locate (borrow/steal/ask) a rock solid firewall script
- log to system log (or better yet - a separate firewall log)
- look at the logs once in a while and understand them.

Consider that this is all a worthwhile learning experience - the sum of what you know is often enhanced by learning things that don't always seem to be of such monumental importance. Granted that in a business environment, I might suggest a more conservative approach.

Craig
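The checklist above (default-deny on the external NIC, only the ports you actually need, log what gets dropped) maps onto a short iptables script. The one below is an added example for this thread, not a script posted by Craig or Dallas; the interface names (`eth0`/`eth1`), the LAN subnet and the choice of SSH as the single exposed service are assumptions you would change for your own box. By default it only prints the rules it would load; set `APPLY=1` to actually apply them as root.

```shell
#!/bin/sh
# Minimal default-deny iptables ruleset for a small home gateway.
# Added example, not from the original thread. Interface names, the LAN
# subnet and the single allowed service (SSH from outside) are assumptions.

EXT="${EXT:-eth0}"                      # assumed external (ISP-facing) NIC
LAN="${LAN:-eth1}"                      # assumed internal NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed home subnet
IPT="${IPT:-iptables}"                  # set to "echo iptables" to dry-run

build_rules() {
    # Start clean and refuse everything not explicitly allowed below.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Dedicated chain: rate-limited LOG line (kernel facility -> syslog), then DROP.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level warning
    $IPT -A LOGDROP -j DROP

    # Loopback and the trusted LAN side are allowed in.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Replies to connections we started may come back in on the external NIC.
    $IPT -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Private-range sources arriving from outside are spoofed: log and drop.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$EXT" -s "$net" -j LOGDROP
    done

    # The only service deliberately exposed (assumption): SSH. Add others explicitly.
    $IPT -A INPUT -i "$EXT" -p tcp --dport 22 --syn -j ACCEPT

    # Everything else arriving from outside goes to the logging drop chain.
    $IPT -A INPUT -i "$EXT" -j LOGDROP

    # LAN -> Internet forwarding with masquerading; only return traffic comes back.
    $IPT -A FORWARD -i "$LAN" -o "$EXT" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOGDROP
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN_NET" -j MASQUERADE
}

# Dry-run the ruleset and print it, one rule per line, without touching the kernel.
print_rules() {
    (IPT="echo iptables"; build_rules)
}

# Sanity check: how many rules hand traffic to the logging chain?
count_logdrop_rules() {
    print_rules | grep -c -- '-j LOGDROP$'
}

# Apply for real only when explicitly asked; the safe default is to print.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules
else
    print_rules
fi
```

The LOG target writes through the kernel log facility, so the "FW-DROP:" lines land in the system log; to get the separate firewall log the checklist recommends, route `kern.warning` (the level used above) to its own file in your syslog configuration and read it occasionally. The rate limit keeps a port scan from filling the disk while still leaving enough lines to see what was tried.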