Well, turning off all services is a given. But if I wanna run FTP, what makes it any 
more secure on any box from the firewall?? If it's gonna be broken into, forwarding the 
port to another machine loses this ability??

This doesn't make sense to me. Normally, once they have broken behind the firewall, 
it's generally a given they can get to other machines unless you have every machine 
behind its own firewall too..

Please, what am I missing? 

> -----Original Message-----
> From: Cal Evans [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 29, 2003 4:17 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] e-mailing log files
> 
> 
> I believe I first read it here.
> http://www.oreilly.com/catalog/bssrvrlnx/
> 
> But it is common and accepted knowledge based on the fact that on a 
> firewall, what is not there, cannot be cracked.
> 
> If your firewall has only the bare services running then it is much more
> difficult to crack. I (as I'm sure others do) break this rule to make a
> firewall useful but I believe all of mine run only the basics (IPTables,
> Squid, DHCPD, DNS) + the needed support libraries.
> 
> Taking it one step further, distros like (www.netboz.org) allow you to
> build a firewall without a HD. That which cannot be written to cannot be
> permanently compromised.
> 
> IMHO, etc.
> =C=
> 
> 
> -- 
> * Cal Evans
> * http://www.eicc.com
> * We take care of your IT,
> * So you can take care of your business.
> 
> 
> Jeffrey Smelser wrote:
> 
> > oh? Why is this? And where can I read this bit of info as I would like
> > to see how that would be so much more secure..
> > 
> > I am always willing to learn something new.
> > 
> > 
> >>-----Original Message-----
> >>From: Jose A. Hernandez [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, September 29, 2003 4:00 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: Re: [gentoo-user] e-mailing log files
> >>
> >>
> >>On a side note, it is usually not a good idea to have the firewall and
> >>the services you want to run all on the same machine.  Makes it
> >>inherently a more insecure setup.  If you can, keep the firewall
> >>physically separated from the rest of the services.  You'll have greater
> >>security that way.
> > 
> >  
> > 
> > --
> > [EMAIL PROTECTED] mailing list
> > 
> 
> 
> 
> --
> [EMAIL PROTECTED] mailing list
> 
> 

--
[EMAIL PROTECTED] mailing list
