Dave Ewart writes on Mon 17. 01. 2005 at 14:19 +0000:
> On Monday, 17.01.2005 at 14:05 +0000, Robert Brockway wrote:
>
> > >4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> > >actually listen for any services of its own, with the exception of SSH
> > >from a single IP on the 'GREEN' interface.
> >
> > Best practice has it that no services are run on the firewall (except ssh)
> > to avoid someone being able to get in behind the firewall and bring it
> > down. Do compare this though to the security of letting someone _through_
> > the firewall. If you are letting people into your internal network it is
> > just as bad unfortunately. A DMZ is needed for decent security but that
> > may not be viable in a home setup. Security is about assessing risk vs
> > the effort you want to go to (or can afford).
>
> We're doing the classic DMZ 'three-armed' network layout, nothing comes
> directly into GREEN; the DMZ will house the publicly-accessible
> servers.
>
> > >Possible additional measures:
> > >
> > >5. Fine-tune kernel for routing and firewall behaviour;
> >
> > You're unlikely to stress the box enough to warrant it IMHO. Firewalling
> > is packet evaluation and passing. If you are loading the box so much that
> > you need to fine-tune it then getting a bigger box is a good plan.
>
> That's a good point ... :-)
>
> > >6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> > >host on the GREEN network for logging.
> >
> > I wouldn't send syslog information outside the network unencrypted if I
> > had a choice. There are ways to encrypt the data once it leaves the
> > network.
>
> Oh, yes, I agree - by GREEN I mean the local private network of course.
> My use of 'outgoing' was misleading ... :-)
>
> Thanks for your comments.
>
> Cheers,
>
> Dave.
PPTP is problematic... I used it on 2.4.18 and 2.6.5, but with 2.6.8.1 it is not working for me. Therefore I use OPENVPN now and it's much better in every way.
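The firewall the quoted thread sketches (item 4: a forwarding-only box that listens for nothing but SSH from one GREEN address; item 6: syslog over UDP/514 to a collector on GREEN; and the three-armed RED/GREEN/ORANGE layout with the public servers in the DMZ) written out as an iptables ruleset. This is an added example, not code from any poster, and the thread names no firewall tool: iptables is my choice, and every interface name, subnet and host address (eth0/eth1/eth2, 192.168.1.0/24, 192.168.2.0/24, the admin, syslog and web hosts) is an assumed placeholder. It prints the rules by default so it can be read and checked before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the layout discussed
# above (forwarding-only firewall, three-armed DMZ, SSH only from one GREEN
# host, syslog over UDP/514 to a GREEN collector).
# All interface names, subnets and addresses are assumed placeholders.

RED=eth0                  # Internet-facing interface
GREEN=eth1                # trusted internal LAN
ORANGE=eth2               # DMZ holding the public servers
GREEN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
ADMIN_IP=192.168.1.10     # the only host allowed to SSH into the firewall
SYSLOG_HOST=192.168.1.20  # GREEN host that collects the firewall's syslog
DMZ_WEB=192.168.2.80      # public web server in the DMZ

# Dry run by default: the rules are printed, not applied.
# Run as root with IPT=iptables SYSCTL=sysctl to load them for real.
IPT=${IPT:-echo iptables}
SYSCTL=${SYSCTL:-echo sysctl}

fw_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Deny everything by default in all three directions, including
    # traffic the firewall itself originates.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus packets belonging to connections already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPT -A $chain -m conntrack --ctstate INVALID -j DROP
    done

    # The only service the firewall listens for: SSH from one GREEN host.
    $IPT -A INPUT -i $GREEN -s $ADMIN_IP -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # The only traffic the firewall originates: syslog to the GREEN collector
    # (plain UDP, so it is pinned to one host on the private network).
    $IPT -A OUTPUT -o $GREEN -d $SYSLOG_HOST -p udp --dport 514 -j ACCEPT

    # GREEN may reach the Internet and the DMZ; the DMZ may reach the Internet.
    $IPT -A FORWARD -i $GREEN -s $GREEN_NET -o $RED -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $GREEN -s $GREEN_NET -o $ORANGE -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $ORANGE -s $DMZ_NET -o $RED -m conntrack --ctstate NEW -j ACCEPT

    # From the Internet only the published DMZ service is reachable; nothing
    # from RED or ORANGE is ever forwarded into GREEN (falls to the DROP policy).
    $IPT -A FORWARD -i $RED -o $ORANGE -d $DMZ_WEB -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log, rate-limited, what the DROP policies are about to discard.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW INPUT DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW FORWARD DROP: "

    # NAT: publish the DMZ web server and masquerade outbound traffic.
    $IPT -t nat -A PREROUTING -i $RED -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
    $IPT -t nat -A POSTROUTING -o $RED -j MASQUERADE
}

fw_rules
```

Run it plain to review the generated rules; run it as `IPT=iptables SYSCTL=sysctl sh firewall.sh` as root to apply them. Two properties are worth checking in the printed output before applying: the only ACCEPT in INPUT for a non-loopback, non-established packet is the SSH rule from the admin host on GREEN, and no FORWARD rule has GREEN as its output interface, which is what keeps the DMZ and the Internet from reaching the internal network. The LOG rules are there so that the dropped traffic shows up in exactly the syslog stream item 6 sends to the GREEN collector.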

