[ale] recommendations fora..... standalone Linux security firewall...

Shane McKinley shane at hemc.coop
Wed Nov 5 13:51:40 EST 2008


To have a firewall with one interface = broadcast traffic congestion +
insecure + administrative nightmare.

You would want this to happen:

http://en.wikipedia.org/wiki/Broadcast_radiation

Shane 

-----Original Message-----
From: JK [mailto:jknapka at kneuro.net] 
Sent: Wednesday, November 05, 2008 1:19 PM
To: ale at ale.org
Subject: Re: [ale] recommendations fora..... standalone Linux security firewall...

Geoffrey wrote:
> Jim Lynch wrote:
>> Geoffrey wrote:
>>> Courtney Thomas wrote:
>>>   
>>>> Greetings !
>>>>
>>>> I want to use a standalone Linux box, possibly running from a CD 
>>>> and through which all must pass, at least from the internet, that 
>>>> will be a firewall for my home LAN. But if running from a CD gains 
>>>> nothing, forget it. I have several older idle boxes if they'd 
>>>> suffice. I can also go wired or wireless, and am receptive to any setup.
>>>>
>>>> What recommendation(s) do you have for such a box, please ?
>>>>     
>>> Smoothwall
>>>
>>>   
>> Just curious, do you have to have a system with two NICs to run a 
>> firewall? From a security standpoint, it makes sense but is it a requirement?
> 
> With smoothwall you do.  I'm not sure how you would implement a 
> firewall with one, if that's what you're trying to ask.  Basically, 
> the firewall is taking input from somewhere and processing it out another.


And while you certainly *could* do this with a single interface (by
aliasing eth0 with multiple IPs), there would be little point, since
anything that talked via the firewall could just as easily talk directly
to the boxes "behind" the firewall -- they would physically be on the
same network segment.  And that traffic would be 100% sniffable, as
well, unless there were encryption in place on all the traffic
(logically) "behind" the firewall.

Hmm, I guess if the firewall were only to accept IPsec (or otherwise
encrypted) traffic to/from the "protected" addresses "behind" the
firewall, this could actually be a useful thing to do.

-- JK

--
I do not particularly want to go where the money is -
  it usually does not smell nice there. -- A. Stepanov
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
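Editor's note, not part of the thread: the exchange above turns on the firewall sitting between two physical segments so that the forward path is the only path. The ruleset below is an added example of that two-NIC layout for a Linux box, written in modern nftables rather than the iptables/Smoothwall tooling of the original posts. The interface names eth0 (WAN) and eth1 (LAN) are assumptions; none of the posters gave theirs.

```nft
#!/usr/sbin/nft -f
# Added example: minimal two-interface home firewall with NAT.
# Assumed interface names (not from the thread): eth0 = WAN, eth1 = LAN.
# Requires net.ipv4.ip_forward=1 in sysctl so the forward hook sees traffic.
flush ruleset

define wan = "eth0"
define lan = "eth1"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections the firewall itself opened
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Administer the box only from the LAN side
        iifname $lan accept
        # Rate-limited ping from the internet; everything else on WAN is dropped
        iifname $wan icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate anything outbound
        iifname $lan oifname $wan accept
        # No wan -> lan rule: unsolicited inbound to the LAN never passes
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide RFC1918 LAN addresses behind the WAN address
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The `iifname $lan oifname $wan` match is the whole point of having two NICs: it only has meaning when the two sides are distinct interfaces on distinct segments. With a single aliased interface, as JK notes, frames between an outside host and an inside host on the shared segment never enter the forward hook at all, so this chain would silently enforce nothing for them.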
