Simon Hobson <[EMAIL PROTECTED]> wrote:
| mess-mate wrote:
|
| >I wonder if there is any need to install shorewall on a machine
| >located in the dmz zone of shorewall. (3 interfaces example)
|
| Personally I automatically install Shorewall on each system I set up
| - it just doesn't take long to set up and it's an extra level of
| protection. Our main firewall isn't a Linux box, and the same applies
| to most of our clients, so that makes two different layers of
| protection.
|
| Don't forget that someone may compromise your main firewall*, you may
| accidentally allow more traffic than you planned, you may have
| someone inside the network 'have a go', someone may compromise
| another server in the DMZ and use that as a base for a further
| advance, ...
|
| Point is, ideally every system should have its own security that can
| stand alone as far as is practical. Then you can have security at the
| perimeter of the network. There is a school of thought that says
| these two layers should be different so if there is a flaw or
| compromise in one then the other will still hold. It's a bit like
| having a gate at the end of the drive AND a lock on the garage door
| AND locking the car when it's in the garage - how many people do you
| know that never lock the car doors when it's in the garage?
|
| * You DO have different passwords on different systems, don't you?

Thanks to all for your advice.
And I'll install shorewall on ALL machines.

best regards
mess-mate

--
You could live a better life, if you had a better mind and a better body.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
