On Monday 15 Dec 2003 3:35 am, Lyvim Xaphir wrote:
> Yes, I can elaborate.  I have a Zyxel router here that has features much
> the same as what you described, however I am still unable to match the
> flexibility of a firewall running iptables/shorewall to the point where
> I can route incoming traffic to a specific port range on a specific
> local IP within the local lan.  I can route "a" port but not a "range"
> of ports; very annoying.  I spent nearly a week going over the
> capabilities of the router appliance trying to find a fix and there
> wasn't one even when you went to the command line of the box.  Also you
> must realize that the router appliance has a "full OS" of its own,
> which in many cases is in fact Linux, but unadvertised as such.

You have my condolences. My place of work had a Zyxel, and it was a pig to 
administer.

My firewall has the same limitation. Not a problem for me, although it could 
be. There are routers out there that can route ranges though.

Yes it probably does have an OS, but pared down to the bare essentials and 
built by professionals, along which road you are in advance of me.

> Firewalls running MDK/Shorewall are more configurable, flexible, and
> just as secure as a router appliance when set up correctly.  In my case,
> even more secure since the Zyxel was responding to ICMP requests before
> I turned it into a bridge; therefore it was somewhat vulnerable to ICMP
> DoS attacks.

Mine does filter ICMP, if I tell it to, and I have.

>
> As far as packet filtering/mangling, there is no match for having an MDK
> firewall box.  As a general purpose solution, you thus have a vast
> universe of scripts and utilities to choose from in order to enhance
> firewall functionality.  You cannot download scripts or utilities to
> your router appliance; you cannot upgrade your appliance's OS except at
> the behest of the manufacturer; you are frozen in the crystalline matrix
> that the appliance manufacturer put you in.  That's fine for people that
> don't care; however if you are seeking flexibility, knowledge, and
> greater security while not minding a minimal investment of time, an MDK
> firewall box is infinitely better.

Agreed. But many or most people do not need that flexibility, which takes time 
to acquire, while their machine is vulnerable to attack.

> > > Hardware routers are generally for Mac users or non-tech types.  That's
> > > fine, but if you are looking for knowledge, a router appliance is not
> > > going to get you there; in fact I recommend against it.
> >
> > Even if one is looking for knowledge, there is plenty of stuff to learn
> > in Linux without having to learn a safe level of capability with
> > iptables. This is one area in which a little knowledge is a very
> > dangerous thing. A dedicated router simplifies the iptables setup with
> > connection sharing, because the router can do the filtering and there is
> > no extra work to share the connection - all machines are equal. Whereas
> > using the Linux box complicates the iptables configuration.
> >
> > IMO, the best configuration has two rules: everything out, nothing in.
> > (Most of the hostile outgoing traffic is going to be SMTP or HTTP
> > anyway.) Adding connection sharing to these rules makes them a lot more
> > complex, and every rule added has a chance of being wrong.
>
> You should configure a box of your own before you make statements like
> this.  Like I already said, Shorewall is a requisite of connection
> sharing.  Install the MDK secure kernel in conjunction with a 2 nic
> firewall box and connection sharing, scan it, and you will see what I
> mean.  Right now I can't even ssh into the firewall box from the local
> lan, much less the internet cloud; physical access is the only option
> I've got for shelling.  And that's with me in the hosts.allow.

If it is as simple as checking a box then fine. But having a dedicated Linux 
box is more expensive than a dedicated router box (and harder for the SO to 
accept.)
My box is just as tight, using a router, except that I can http or telnet in 
locally. That's not a big security hit.

So are you saying that a dedicated firewall is still a good idea? I would 
agree with that. My point was that it was bad security to be running the 
firewall on your workstation. In many people's cases that is the only 
reasonable alternative to a firewall router. A PC is more expensive, much 
bigger, and usually noisier, than a router. If I was living on my own I would 
certainly build such a beast, but as it is I would rather win other battles 
;-)

> I had many more ports open with the Zyxel in router mode than I have
> right now.  I know because I've taken great pains to compare the two and
> had a cracker friend attack the MDK box on purpose.

I have checked mine with port scanners. The results were boring.

-- 
Richard Urwin
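An added example for the two points argued above (forwarding a whole port range to one LAN host, which the Zyxel could not do, and the "everything out, nothing in" policy). This is not from either poster and not Shorewall's own output: it is a plain POSIX sh script that builds an iptables-restore file for a two-NIC box doing connection sharing. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the forward spec used in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for a
# two-NIC Linux firewall doing connection sharing. WAN side is "nothing in,
# everything out" (stateful replies allowed), and a whole port range can be
# forwarded to one LAN host. Interface names and addresses are assumptions.

WAN_IF=eth0              # assumed: NIC facing the ISP
LAN_IF=eth1              # assumed: NIC facing the local LAN
LAN_NET=192.168.1.0/24   # assumed: local LAN prefix

# Validate "proto first last host"; leaves $proto $first $last $host set for callers.
check_range() {
  proto=$1; first=$2; last=$3; host=$4
  case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
  for p in "$first" "$last"; do
    case "$p" in ""|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;; esac
  done
  # Reversed or out-of-range ranges are rejected here rather than by the kernel.
  if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
    echo "bad port range: $first:$last" >&2; return 1
  fi
  [ -n "$host" ] || { echo "missing host" >&2; return 1; }
}

# nat-table rule: rewrite the destination of WAN packets in the range to the LAN host.
dnat_range_rule() {
  check_range "$@" || return 1
  echo "-A PREROUTING -i $WAN_IF -p $proto --dport $first:$last -j DNAT --to-destination $host"
}

# filter-table rule: DNATed packets still traverse FORWARD, whose policy is DROP,
# so the same range must be accepted there or the forward silently fails.
forward_range_rule() {
  check_range "$@" || return 1
  echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $first:$last -m conntrack --ctstate NEW -j ACCEPT"
}

# Split a "proto:first:last:host" spec into $proto $first $last $host.
split_spec() {
  proto=${1%%:*}; rest=${1#*:}
  first=${rest%%:*}; rest=${rest#*:}
  last=${rest%%:*}; host=${rest#*:}
}

# Build the complete ruleset. Each argument is a forward spec "proto:first:last:host".
build_ruleset() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for spec in "$@"; do
    split_spec "$spec"
    dnat_range_rule "$proto" "$first" "$last" "$host" || return 1
  done
  # Masquerade LAN hosts behind the WAN address (connection sharing).
  printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE" COMMIT
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # "Nothing in": only loopback, replies to the box's own connections, and ssh from
  # the LAN side reach the firewall itself. Unsolicited WAN packets, ICMP echo
  # requests included, fall through to the DROP policy.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
  # "Everything out": LAN -> WAN is allowed; replies come back via conntrack.
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
  for spec in "$@"; do
    split_spec "$spec"
    forward_range_rule "$proto" "$first" "$last" "$host" || return 1
  done
  printf '%s\n' COMMIT
}

# Usage (assumed spec): sh fw.sh tcp:6881:6889:192.168.1.10 | iptables-restore
# Forwarding also needs: sysctl -w net.ipv4.ip_forward=1
if [ $# -gt 0 ]; then
  build_ruleset "$@"
fi
```

Run it with no arguments and you get the bare "everything out, nothing in" ruleset with connection sharing; each extra argument adds one range forward in both the nat and filter tables. Review the output before piping it into iptables-restore, since a DROP policy on INPUT with a typo in the LAN ssh rule locks you out exactly the way Lyvim describes.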

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
