firewall musings [H-GEN]

Tony Nugent tony at linuxworks.com.au
Wed Apr 16 06:27:18 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Wed Apr 16 2003 at 18:17, Sandra Milne wrote:

> Subject: Re: [H-GEN] Smoothwall dialling problem

(alas no solution to that one, and methinks it be time for a subject change:)

> Out of curiosity, why does a "home user" need a web proxy?! I've considered
> setting one up, but only as an exercise in setting up a web proxy. I have
> no need for one, and there are several users on my home network. Even with
> my dodgily low quota from optusnet, I still don't see the reason that a
> "home user" would need a web proxy. Most of the "home users" I know don't
> even use 100meg of data in a month.

I have a proxy setup (internally) on my firewall - put there mostly
"by habit".  But I agree - I don't need it.  Definitely overkill, in
fact it is turned off - I don't actually use it:)

> Sandra. "power user"

I have a very similar setup at home, and it works well (the quirky
mtu problems of adsl aside).  Probably most of us here are using a
dedicated firewall box for small home/office networks (for both
dialup and broadband).

I'm curious... what are you (and others here) using as the basis
(ie, the distro) for your firewall?  Why?

Are you using a dedicated firewall distribution (eg, smoothwall), or
perhaps a cut-down (and "more familiar") debian / redhat / mandrake
whatever, tuned to act as a firewall?

The box is your permanent internet connection, so it is turned on
24/24... a logical and convenient choice as a small network server.
So what other internal and external network services do you run on
that box?

And a more general question... take the case of a firewall box that is
on a permanent IP.  It is masquerading a (moderately busy) network
behind it, and the IP offers (public) network services like smtp (mx
hosting), dns, pop/imap, and perhaps even www.  (And ssh of course:)

There are two solutions:
- run most/all the services on the firewall, or
- dedicate the firewall to doing just that (using an older box), and
  then have it port-forward these sorts of services to the "real"
  server(s) behind it.

It would seem that the second case would be more secure, but is it?
(really?)  For a relatively small network, is the necessity for
using (at least) two boxes and the additional routing complexity
really worth the gains?

> silne at optusnet.com.au
> "There are 10 types of people in the world -- those that understand binary,
> and those that don't."

<grin:>

Cheers
Tony
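As an added example (not code from the original post, nor from smoothwall or any of the distributions mentioned), here is what the second option above looks like in iptables form: a dedicated firewall that masquerades the LAN and port-forwards the public services named in the post (smtp, dns, pop/imap, www, ssh) to one server behind it. The interface names, the internal server address and the service list are assumed placeholders. The script prints the rules by default so they can be reviewed first; it only executes them when run with APPLY=1.

```shell
#!/bin/sh
# Added example: iptables rules for a dedicated firewall that DNATs public
# services to an internal server. WAN_IF, LAN_IF, SERVER_IP and the service
# list are assumed placeholders, not values from the thread.

WAN_IF="${WAN_IF:-ppp0}"                 # assumed: external (ADSL/dialup) interface
LAN_IF="${LAN_IF:-eth0}"                 # assumed: internal interface
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # assumed: internal server (RFC 1918)

# Service list, one "name proto port" per line (constructed from the
# services named in the post).
SERVICES='smtp tcp 25
dns udp 53
dns tcp 53
pop3 tcp 110
imap tcp 143
www tcp 80
ssh tcp 22'

# Emit the two rules one forwarded service needs, as text. DNAT in
# PREROUTING rewrites the destination; the FORWARD rule is still required,
# because with a default-DROP FORWARD policy the rewritten packet would
# otherwise be dropped on its way to the LAN.
forward_rule() {
    proto="$1"; port="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$port" "$SERVER_IP" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$SERVER_IP" "$proto" "$port"
}

# Base policy: drop forwarded traffic by default, allow replies to
# established connections, let the LAN out, and masquerade it.
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Full ruleset: base policy, then one DNAT/FORWARD pair per service.
ruleset() {
    base_rules
    printf '%s\n' "$SERVICES" | while read -r name proto port; do
        [ -n "$name" ] || continue
        forward_rule "$proto" "$port"
    done
}

# Number of forwarded service entries, handy as a sanity check: every entry
# in the list is a port that is deliberately reachable from outside.
service_count() {
    printf '%s\n' "$SERVICES" | grep -c .
}

# Dry run by default (print the rules); APPLY=1 executes them, stopping at
# the first failing command.
if [ "${APPLY:-0}" = "1" ]; then
    ruleset | sh -e
else
    ruleset
fi
```

The "additional routing complexity" the post asks about is visible here: every exposed service is two rules instead of one listening daemon, and the FORWARD chain has to be kept consistent with the NAT table. What the second layout buys is that a daemon compromise lands on the internal server rather than on the box holding the NAT and filtering policy; the forwarded ports themselves are just as reachable from outside as they would be in the first layout.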

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/


