[plug] Setting up a new firewall

Hennie Strydom hennie.strydom at telkomsa.net
Sat Jul 30 04:00:29 WST 2005


Hi
On Fri, 2005-07-29 at 12:03 +0800, nigel at dubh.id.au wrote:
> Hi all,
snip
> Should I put the web/mail/FTP servers on the firewall box or is it safer
> to have them on a dedicated machine behind the firewall. None do a great
> deal of traffic.

Running more applications on the firewall increases your risk of an
intrusion, since a flaw in any one of these applications might allow
such an intrusion.  Intrusions are worse if you have all your eggs in
one basket.

Why do you not use a distro like IPCop or Smoothwall on an old PC as a
firewall?  I have IPCop running on an old P1 200MHz with 64MB RAM for
myself, and it does an excellent job as a firewall with squid, snort,
DNS, DHCP and VPN (with low usage on the VPN).  It can even run
Dansguardian, but this takes forever to start on this lack of processor,
after which it is fine.

In this way an exploit on your main server at least leaves your firewall
intact, with its logs out of reach of the intruder, and leaves you with
man-in-the-middle capability to observe traffic between a potentially
exploited server and the internet.

Regards
  Hennie
