[thelist] Hosting at Home
Robert Gormley
robert at pennyonthesidewalk.com
Fri Nov 25 01:44:49 CST 2005
Sorry, but I have to disagree with this. If you don't want a firewall,
that's one thing, but to say it's not necessary with a *ix is quite
inaccurate.

If there is an exploit that directly attacks the TCP/IP stack of your
system, then even the most complete iptables/apf/bfd setup is going to
be useless if the stack can be buffer overflowed.

Granted you are in a lot of trouble anyway if this happens to a box
serving as a dedicated firewall, but you might still be able to preserve
the security of your machines inside the firewall.

The firewall should be utterly untrusted by your internal network. It's
just a thoroughfare for traffic - the last thing you want is someone to
exploit your firewall and be able to painlessly ssh into your webserver.

Rob

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Shawn K. Quinn
Sent: Thursday, 24 November 2005 5:35 AM
To: thelist at lists.evolt.org; hershelr at netvision.net.il
Subject: Re: [thelist] Hosting at Home
A firewall is not strictly necessary with a properly secured GNU/Linux
or BSD-derived system, and with OpenBSD would be outright redundant. For
my firewall, in fact, I use OpenBSD and it runs rather well given that
it's a Pentium 100 with a hard drive that is starting to flake out. (I'm
hoping to replace it with a Soekris net4801 but that's another story.)