mess-mate wrote:
> I wonder if there is any need to install shorewall on a machine
> located in the dmz zone of shorewall. (3 interfaces example)

Personally I automatically install Shorewall on each system I set up - it just doesn't take long to set up and it's an extra level of protection. Our main firewall isn't a Linux box, and the same applies to most of our clients, so that makes two different layers of protection.

Don't forget that someone may compromise your main firewall*, you may accidentally allow more traffic than you planned, you may have someone inside the network 'have a go', someone may compromise another server in the DMZ and use that as a base for a further advance, ...

Point is, ideally every system should have its own security that can stand alone as far as is practical. Then you can have security at the perimeter of the network. There is a school of thought that says these two layers should be different so if there is a flaw or compromise in one then the other will still hold.

It's a bit like having a gate at the end of the drive AND a lock on the garage door AND locking the car when it's in the garage - how many people do you know that never lock the car doors when it's in the garage?

* You DO have different passwords on different systems, don't you?

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
