[thelist] Hosting at Home

Robert Gormley robert at pennyonthesidewalk.com
Fri Nov 25 01:44:49 CST 2005


Sorry, but I have to disagree with this. If you don't want a firewall,
that's one thing, but to say it's not necessary with a *ix is quite
inaccurate.

If there is an exploit that directly attacks the TCP/IP stack of your
system, then even the most complete iptables/apf/bfd setup is going to
be useless if the stack can be buffer overflowed.

Granted you are in a lot of trouble anyway if this happens to a box
serving as a dedicated firewall, but you might still be able to preserve
the security of your machines inside the firewall.

The firewall should be utterly untrusted by your internal network. It's
just a thoroughfare for traffic - the last thing you want is someone to
exploit your firewall and be able to painlessly ssh into your webserver.

Rob

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Shawn K. Quinn
Sent: Thursday, 24 November 2005 5:35 AM
To: thelist at lists.evolt.org; hershelr at netvision.net.il
Subject: Re: [thelist] Hosting at Home

A firewall is not strictly necessary with a properly secured GNU/Linux
or BSD-derived system, and with OpenBSD would be outright redundant. For
my firewall, in fact, I use OpenBSD and it runs rather well given that
it's a Pentium 100 with a hard drive that is starting to flake out. (I'm
hoping to replace it with a Soekris net4801 but that's another story.)
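As an added illustration of Rob's point that internal hosts should not trust the firewall (this is example configuration written for this page, not a ruleset from either poster), here is a minimal iptables-restore fragment for an internal web server. Every address is constructed from the 192.0.2.0/24 documentation range: the firewall's inside interface is assumed to be 192.0.2.1 and a single admin workstation 192.0.2.20; the admin host and the port-80 service are assumptions, not something the thread specifies.

```iptables
# Constructed example for an internal web server behind a separate firewall host.
# Default policy: drop everything inbound that is not explicitly allowed.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# The web service this box exists to provide.
-A INPUT -p tcp --dport 80 -j ACCEPT

# The firewall's inside address (assumed 192.0.2.1) never gets SSH here,
# even if a later rule is widened by mistake: a compromised firewall should
# not be able to walk straight into this machine.
-A INPUT -p tcp --dport 22 -s 192.0.2.1 -j DROP

# SSH only from the admin workstation (assumed 192.0.2.20).
-A INPUT -p tcp --dport 22 -s 192.0.2.20 -j ACCEPT

COMMIT
```

Load it with `iptables-restore < rules.v4` on the web server. The explicit DROP sits before the ACCEPT so that the ordering, not just the default policy, enforces the trust boundary; the same shape applies to any other management port the firewall host has no business reaching.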