Port Forwarding vs. Running Servers on Firewall

Joe Hill joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Thu Sep 4 19:18:02 UTC 2003


On Thu, 04 Sep 2003 14:55:32 -0400
CLIFFORD ILKAY <clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org> uttered:

> Is it just that if the firewall is compromised, the bad guy still 
> has to crack the machine on the inside or is there something I am
> missing?

AFAIK, if the firewall is compromised, the "hacker" would still have to
get root access on the hosts to do any real damage, but it would still
be a Very Bad Thing.

It is *always* best to run *any* service that you want protected behind a
firewall, particularly a firewall that does inspection of incoming and
outgoing packets for things like spoofing, "man in the middle" attacks,
SYN floods (duh), etc. And yes, the fewer services open on the firewall
the better.

The thing about a firewall is that the hosts behind it are (or are
supposed to be) invisible, since their IPs are private and cannot be
seen from the WAN, i.e. 192.168.0.x.

You want a firewall that does port forwarding, network address
translation, and stateful traffic inspection (IIRC).

If you have a spare box around there are several easy solutions, like
ClarkConnect, BBIAgent (runs off a floppy) or Smoothwall.

HTH

-- 
JoeHill
Registered Linux user #282046
Homepage: nodex.sytes.net
++++++++++++++++++++++
Happiness is just an illusion, filled with sadness and confusion.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
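The setup Joe describes (NAT, port forwarding and stateful inspection on a dedicated box, with the service itself living on an inside host), as an added example that is not part of the original post and not taken from ClarkConnect, BBIAgent or Smoothwall. It is a plain iptables ruleset of the kind those distributions generate. The interface names eth0/eth1, the 192.168.0.0/24 range, the inside host 192.168.0.10 and the forwarded port 80 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. A minimal NAT firewall that
# forwards one TCP port to an inside host and keeps the firewall's own
# INPUT chain closed to the WAN. Interface names, the LAN range, the
# inside host and the port are assumed values; adjust before use.
WAN=${WAN:-eth0}                     # assumed WAN interface
LAN=${LAN:-eth1}                     # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.0.0/24}   # assumed private range behind the box
WEB_HOST=${WEB_HOST:-192.168.0.10}   # assumed inside host running the service
FW_PORT=${FW_PORT:-80}               # port reachable from the WAN
SVC_PORT=${SVC_PORT:-80}             # port the service listens on inside

# Run each command, or with DRY_RUN set just print it, so the ruleset can
# be reviewed on a box without iptables or root.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fw_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny; everything permitted is listed explicitly below.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -t nat -F

    # The firewall itself: loopback, replies to its own sessions, and the
    # LAN side. No service port is opened on the firewall from the WAN.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Stateful inspection on forwarded traffic: drop WAN packets that
    # claim a private source (spoofing), let inside hosts go out, and let
    # only replies to those sessions come back in.
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Port forwarding: rewrite the destination of new WAN connections on
    # FW_PORT to the inside host, and permit exactly that forward.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FW_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$SVC_PORT"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" \
        --dport "$SVC_PORT" -m state --state NEW -j ACCEPT

    # NAT: hide the private addresses behind the firewall's WAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Print the ruleset without applying it (runs fw_rules in a subshell with
# DRY_RUN set, so the caller's environment is untouched).
print_rules() (
    DRY_RUN=1
    fw_rules
)

# Review checks over the dry run: the port is forwarded to the inside
# host, and no --dport is ever opened in the firewall's own INPUT chain.
forwards_port() {
    print_rules | grep -q -- "PREROUTING .* --dport $FW_PORT .*DNAT"
}
firewall_input_closed() {
    ! print_rules | grep -q -- "-A INPUT .* --dport"
}

# DRY_RUN=1 sh fw.sh  prints the rules;  APPLY=1 sh fw.sh  applies them.
if [ -n "$DRY_RUN" ] || [ "${APPLY:-0}" = 1 ]; then
    fw_rules
fi
```

Apply it from the console, not over an SSH session from the WAN side: the INPUT policy goes to DROP before any rule admits that session. The `-m state` match is the 2003-era stateful module; on a current kernel it is a compatibility alias for `-m conntrack --ctstate` and behaves the same.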