[EMAIL PROTECTED] wrote:

> The thing is, I'm confused about why I need to have a whole separate
> firewall machine sitting between my DSL jack and the rest of my public
> network.  Doesn't that control the inflow/outflow of each of the boxes
> on the other side?  Why does a firewall give me more security than just
> making sure that my boxes don't have open ports and unnecessary services
> turned on?  Soon as I need a service, don't I need to open up a hole in
> the firewall anyway?

I can think of three reasons to have a separate firewall machine.

First, if the firewall is only used to restrict access, it's less
likely that you'll accidentally enable something as a side effect of
something else.  (E.g., an OS upgrade adds a new service.)

Second, if somebody breaks into the firewall, they still haven't
gotten to the machines where you keep your good stuff.  (This assumes
that you're paranoid enough that your "real" machines don't trust
the firewall.)

Third, on machines that are completely behind the firewall, you can
turn on extra services for use behind the wall.  For example, my main
box serves files using FTP, Samba, and AppleTalk, but only within the
house.  While it's theoretically possible to set up ipchains to
prohibit access to these particular services, it's a lot easier to get
it right if you know that outside traffic can't even reach that box.
(This kind of contradicts the second point -- if my firewall were
compromised, the main machine would be easy to break into.)

> I'll have three boxes that will need to have static IPs for one reason
> or another.  Could I instead easily just make one be a firewall for itself
> and the other two so I don't have to get myself yet another Linux box?
> How would that work?  Second nic to be the gateway of the other two even
> if the other two still have static IPs?  Which document/book should I
> read to teach me about the more advanced parts of LAN networking?

If you find a good book, tell me about it. (-:

Have you looked at the ipchains HOWTO yet?

Also, while researching the VPN hack that I finally finished this
week, I learned that Linux packet filtering and routing are greatly
revised in the 2.3/2.4 kernels, but the documentation that's out there
right now looks pretty much useless.

-- 
                                        K<bob>
[EMAIL PROTECTED], http://www.jogger-egg.com/
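A worked illustration of the deny-by-default filtering the reply describes, added here and not part of the original message or the ipchains HOWTO: a first-match simulator for the input chain of a dual-homed box (eth0 on the DSL side, eth1 on the house LAN; the interface names, the 192.168.1.0/24 LAN and the port choices are assumed), plus a renderer that prints the equivalent ipchains commands so the table can be checked before it is loaded.

```python
# Added example, not from the original message. Simulates the ipchains
# "input" chain (first matching rule wins, else the chain policy) for a
# TCP-only ruleset on a box with eth0 facing the DSL jack and eth1 facing
# the house LAN. All names, addresses and ports are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # hypothetical house LAN behind eth1
ANY = ip_network("0.0.0.0/0")

# (in_iface, src_net, dst_port or None, syn, target)
#   syn: "y"  -> only SYN packets (new connections), ipchains -y
#        "!y" -> only non-SYN packets (replies),      ipchains ! -y
#        None -> any packet
INPUT_RULES = [
    ("eth1", LAN, None, None, "ACCEPT"),  # house may reach FTP, Samba, AFP etc.
    ("eth0", ANY, 22,   "y",  "ACCEPT"),  # new connections from outside: ssh only
    ("eth0", ANY, None, "!y", "ACCEPT"),  # replies to connections we opened
]
INPUT_POLICY = "DENY"                     # everything else, including SMB from outside

def verdict(iface, src, dport, syn):
    """Return the target for a TCP packet arriving on IFACE from SRC to DPORT."""
    src = ip_address(src)
    for r_iface, r_src, r_port, r_syn, target in INPUT_RULES:
        if r_iface != iface or src not in r_src:
            continue
        if r_port is not None and r_port != dport:
            continue
        if r_syn == "y" and not syn or r_syn == "!y" and syn:
            continue
        return target
    return INPUT_POLICY

def as_ipchains():
    """Render the same table as ipchains(8) commands (Linux 2.2 syntax)."""
    lines = [f"ipchains -P input {INPUT_POLICY}"]
    for iface, src, port, syn, target in INPUT_RULES:
        dst = "0.0.0.0/0" + (f" {port}" if port is not None else "")
        flag = {"y": " -y", "!y": " ! -y", None: ""}[syn]
        lines.append(f"ipchains -A input -i {iface} -p tcp -s {src} -d {dst}{flag} -j {target}")
    return lines

if __name__ == "__main__":
    print("\n".join(as_ipchains()))
    # A LAN address arriving on the outside interface is still denied,
    # because the ACCEPT for the house is bound to eth1, not to the source net.
    print(verdict("eth0", "192.168.1.20", 139, True))
```

Because ipchains keeps no connection state, the "! -y" rule lets any non-SYN segment in from outside; that is the 2.2-kernel trade-off for letting your own outbound connections get answers.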
