On Sun, 2003-12-14 at 06:20, Richard Urwin wrote:
> On Sunday 14 Dec 2003 5:37 am, Lyvim Xaphir wrote:
> > Even at its basic configuration, Shorewall is much better
> > than a hardware router.
>
> Would you elaborate on that Lyvim? My limited experience is the opposite.
> My router has stateful iptables (or ipchains?) and is pretty much as
> configurable as a Linux setup, with the added advantage that hostile traffic
> never gets to a full OS, where it may do more harm. Many of them also support
> UPnP, so windows users can use IM video if they must.

Yes, I can elaborate. I have a Zyxel router here that has features much the same as what you described; however, I am still unable to match the flexibility of a firewall running iptables/shorewall to the point where I can route incoming traffic to a specific port range on a specific local IP within the local lan. I can route "a" port but not a "range" of ports; very annoying. I spent nearly a week going over the capabilities of the router appliance trying to find a fix and there wasn't one, even when you went to the command line of the box. Also you must realize that the router appliance has a "full OS" of its own, which in many cases is in fact Linux, but unadvertised as such.

Firewalls running MDK/Shorewall are more configurable, flexible, and just as secure as a router appliance when set up correctly. In my case, even more secure, since the Zyxel was responding to ICMP requests before I turned it into a bridge; therefore it was somewhat vulnerable to ICMP DoS attacks. As far as packet filtering/mangling, there is no match for having an MDK firewall box. As a general purpose solution, you thus have a vast universe of scripts and utilities to choose from in order to enhance firewall functionality. You cannot download scripts or utilities to your router appliance; you cannot upgrade your appliance's OS except at the behest of the manufacturer; you are frozen in the crystalline matrix that the appliance manufacturer put you in. That's fine for people that don't care; however, if you are seeking flexibility, knowledge, and greater security while not minding a minimal investment of time, an MDK firewall box is infinitely better.

> > Hardware routers are generally for Mac users or non-tech types. That's
> > fine, but if you are looking for knowledge, a router appliance is not
> > going to get you there; in fact I recommend against it.
>
> Even if one is looking for knowledge, there is plenty of stuff to learn in
> Linux without having to learn a safe level of capability with iptables. This
> is one area in which a little knowledge is a very dangerous thing. A
> dedicated router simplifies the iptables setup with connection sharing,
> because the router can do the filtering and there is no extra work to share
> the connection - all machines are equal. Whereas using the Linux box
> complicates the iptables configuration.
>
> IMO, the best configuration has two rules: everything out, nothing in. (Most
> of the hostile outgoing traffic is going to be SMTP or HTTP anyway.) Adding
> connection sharing to these rules makes them a lot more complex, and every
> rule added has a chance of being wrong.

You should configure a box of your own before you make statements like this. Like I already said, Shorewall is a requisite of connection sharing. Install the MDK secure kernel in conjunction with a 2 nic firewall box and connection sharing, scan it, and you will see what I mean. Right now I can't even ssh into the firewall box from the local lan, much less the internet cloud; physical access is the only option I've got for shelling. And that's with me in the hosts.allow. I had many more ports open with the Zyxel in router mode than I have right now. I know because I've taken great pains to compare the two and had a cracker friend attack the MDK box on purpose.

LX

-- 
Linux Mandrake 9.1 Kernel 2.4.21-0.13mdk
"Let's face it, if winblowz wasn't full of holes then it would probably look like Linux" -- Aron Smith, Mandrake OT mailing list
*Catch Star Trek Enterprise, Wednesdays on UPN*
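The two points argued in this exchange, a default-deny inbound policy that still shares the connection, and forwarding a whole port range (not just a single port) to one LAN host, can both be expressed in a few iptables rules. The script below is an added illustration written for this page; it is not code from either poster and not a Shorewall configuration. The interface names (eth0/eth1), the LAN prefix 192.168.1.0/24, the forwarding target 192.168.1.10, the port range 6881:6889 and the APPLY switch are all assumed placeholders. Without APPLY=1 it only prints the rules it would load, so it can be inspected on any machine before being applied on a two-NIC firewall.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: "everything out, nothing
# in" with connection sharing, plus DNAT of a port RANGE to a single LAN host,
# which the thread says the Zyxel appliance could only do one port at a time.
# All interface names, addresses and ports below are assumed placeholders.
# Rules are only printed unless APPLY=1, so the script is safe to run anywhere.

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface toward the ISP
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface toward the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN prefix
FWD_HOST="${FWD_HOST:-192.168.1.10}"  # assumed LAN host receiving the range
FWD_RANGE="${FWD_RANGE:-6881:6889}"   # assumed TCP range; iptables syntax is low:high

# Wrapper: echo the rule in dry-run mode, execute it only when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # The "two rules" from the thread: everything out, nothing in.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to conversations that the inside started.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management (ssh) only from the LAN side; the WAN side gets nothing.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Do not answer echo-requests arriving on the WAN interface (the ICMP
    # exposure the thread describes for the appliance in router mode).
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP

    # Connection sharing: LAN -> WAN, source-NATed behind the WAN address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port-RANGE forwarding to one LAN host: rewrite the destination in
    # PREROUTING, then explicitly accept it in FORWARD because the FORWARD
    # policy above is DROP. DNAT without a port keeps the original dport.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_RANGE" \
        -j DNAT --to-destination "$FWD_HOST"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FWD_HOST" \
        --dport "$FWD_RANGE" -m state --state NEW -j ACCEPT
}

firewall_rules
```

Every inbound rule is explicit and every one of them is a line that can be wrong, which is the point Richard makes above; the dry-run output is the thing to review before APPLY=1. The same range forwarding is one line in Shorewall's rules file, of the form `DNAT net loc:192.168.1.10 tcp 6881:6889`, with Shorewall generating the PREROUTING and FORWARD entries itself.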
