Date: Sat, 17 Mar 2001 11:49:13 -0500 From: "Dave VanAuken" <dave@hawk-systems.com> To: "freebsd-questions" <freebsd-questions@FreeBSD.ORG> Subject: RE: FreeBSD Firewall vs. Black Ice Message-ID: <DBEIKNMKGOBGNDHAAKGNGEMPEEAA.dave@hawk-systems.com> In-Reply-To: <3AB38160.EAC752EB@pacbell.net>
While I don't agree with all your points (I have yet to have a PC that was properly assembled have cards become unseated or cables disconnected)... but another point is space.

If I were to choose a CD-ROM size object, or an old steel P100 case (big briefcase size?), it is a no brainer given neatness and wise use of space. I am not concerned about "being cool and having a software based router" since most uses barely scratch the surface of what a BSD based solution would be capable of.

A wise use of FreeBSD vs a hardware based firewall solution is to have the box performing additional tasks... then I could justify the box.

BTW, the power draw on the Linksys router is probably that of a 60W lightbulb... I guarantee that the P100 case and its 230? W power supply is drawing 2-3 times that amount... thus you are paying the money sooner or later, just financing it over your electric bill.

Just some thoughts.

Dave
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of richard
childers
Sent: Saturday, March 17, 2001 10:23 AM
To: Andrew Hesford
Cc: bcohen@bpecreative.com; freebsd-questions
Subject: Re: FreeBSD Firewall vs. Black Ice
Summary for the impatient: moving parts are bad.

"I always have to laugh, because it's $160-180, and it's probably not too configurable."

I do not believe that there is any basis for considering a PC more reliable than a router.

PCs generally have removable parts. This is good, because you can replace them; but it is bad, because they can move about and become disconnected; the interconnections between the components are at risk. And we all know how often a mysterious problem has been resolved by reseating the boards.

It is generally a rule of thumb amongst mechanical engineers that there is a direct proportion between the number of moving parts in a given device and the probability that it will cease working as a result of these moving parts.

In the case of a PC running PicoBSD, I would expect that the floppy would be the first to go - regardless of whether PicoBSD reads the floppy after bootup, repeatedly, or only reads the floppy once, and loads itself into memory.

I haven't played with PicoBSD so I don't know if it has the capacity to log data to a hard drive, but if it does that's your second probable point of failure. How many messages have you read over the past week from people whose drives were making noise? I count two or three.

I encourage folks to secure their perimeters with multiple devices, which operate upon network traffic sequentially (i.e., packets reach box B only by passing through box A).

I would never encourage people to confuse potentially useful "choke point" hardware with the firewall itself; those who bother to read the previous message from me on this thread, in full, will see that I never said anything else.

('The Screensavers'. What is this? The made-for-TV action drama based on the fish tank? :-)

-- richard
Andrew Hesford wrote:
> I watch "The Screensavers" on TechTV quite often, and they always recommend the Linksys DSL/Cable Home Firewall. When I see this, I always have to laugh, because it's $160-180, and it's probably not too configurable (lest the do-it-yourselfer, who doesn't know what he's doing, break it).
>
> My idea of an effective and cost-effective choke point is an old P-100 with no hard drive or video, running PicoBSD from a single floppy. I configure it to keep-state on all connections originating inside my personal network, allow state-matching packets back in, and drop any other connection originating in the outside world except 22, 25 and 80, which are forwarded to my desktop.
>
> Not counting my time and the diskette, the whole machine cost me $100, and I now have a spare hard disk and video card. The two NICs were cheap, $15 each, so we're talking $130, which is cheaper than the Linksys product, it is more configurable, and I'll bet more reliable.
>
> On Thu, Mar 15, 2001 at 06:15:53AM -0800, richard childers wrote:
> > I'm not saying that this should replace the idea of a UNIX-based firewall but it is an excellent and cost-effective choke point, behind which a firewall can be placed, while - at least with the RT314 - you still have the ability to sample traffic more directly, if you care to, via one of the additional ports.
> --
> Andrew Hesford
> ajh3@chmod.ath.cx
--
Richard A. Childers
Senor UNIX Administrator
fscked@pacbell.net (email)
415.664.6291 (voice/msgs)
# Providing administrative expertise (not 'damage control') since 1986.
# PGP fingerprint: 7EFF 164A E878 7B04 8E9F 32B6 72C2 D8A2 582C 4AFA
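The policy Andrew describes in the quoted message (keep state on everything leaving the LAN, let only matching replies back in, forward 22, 25 and 80 to one desktop, drop all other inbound connections), written out as an ipfw plus natd configuration for a FreeBSD box with two NICs. This is an added example, not code from the thread or from PicoBSD; the interface names fxp0/fxp1, the 192.168.1.0/24 network and the desktop address 192.168.1.10 are assumptions.

```shell
# Added example (not from the thread): ipfw + natd configuration for the
# PicoBSD choke point Andrew describes: keep state on whatever leaves the LAN,
# re-admit only replies matching that state, forward 22/25/80 to one desktop,
# drop every other inbound connection. Interfaces and addresses are assumed.
OIF=fxp0               # outside (DSL/cable) interface
IIF=fxp1               # inside (LAN) interface
LAN=192.168.1.0/24     # private network behind the box
DESKTOP=192.168.1.10   # host that receives the forwarded 22, 25 and 80
# Rules file in the form rc.firewall loads when firewall_type names a file
# (rc.firewall flushes first). Outbound keep-state rules skipto the outbound
# divert so state is recorded on the untranslated LAN address; the inbound
# divert runs before check-state so replies are translated before matching.
build_ipfw_rules() {
cat <<EOF
add 100 allow ip from any to any via lo0
add 110 divert natd ip from any to any in via $OIF
add 120 allow ip from any to any via $IIF
add 200 check-state
add 300 deny ip from $LAN to any in via $OIF
add 400 skipto 1000 tcp from $LAN to any out via $OIF setup keep-state
add 410 skipto 1000 udp from $LAN to any out via $OIF keep-state
add 500 skipto 1000 tcp from any to $DESKTOP 22,25,80 in via $OIF setup keep-state
add 900 deny log ip from any to any
add 1000 divert natd ip from any to any out via $OIF
add 1100 allow ip from any to any
EOF
}
# natd flags: one -redirect_port per forwarded service, all to the desktop.
build_natd_flags() {
    flags=""
    for port in 22 25 80; do
        flags="$flags -redirect_port tcp $DESKTOP:$port $port"
    done
    printf '%s\n' "${flags# }"
}
# rc.conf additions that turn on routing, the firewall and natd.
build_rc_conf() {
cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="$OIF"
natd_flags="$(build_natd_flags)"
EOF
}
echo "# --- /etc/ipfw.rules ---"; build_ipfw_rules
echo "# --- /etc/rc.conf additions ---"; build_rc_conf
```

Rule 300 drops inbound packets that claim a LAN source on the outside interface, and rule 900 logs what the stateful rules did not admit, which is the first place to look when a forwarded service stops answering.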
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
