From owner-freebsd-questions Sat Mar 17 8:39:40 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hawk-systems.com (hawk-systems.com [161.58.152.235]) by hub.freebsd.org (Postfix) with ESMTP id 94A0337B718 for ; Sat, 17 Mar 2001 08:39:11 -0800 (PST) (envelope-from dave@hawk-systems.com)
Received: from server0 (cr1032856-a.pr1.on.wave.home.com [24.112.146.66]) by hawk-systems.com (8.8.8) id JAA56786 for ; Sat, 17 Mar 2001 09:38:53 -0700 (MST)
From: "Dave VanAuken"
To: "freebsd-questions"
Subject: RE: FreeBSD Firewall vs. Black Ice
Date: Sat, 17 Mar 2001 11:49:13 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <3AB38160.EAC752EB@pacbell.net>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

While I don't agree with all your points (I have yet to have a PC that was properly assembled have cards become unseated or cables disconnected)... but another point is space. If I were to choose a CD-ROM size object, or an old steel P100 case (big briefcase size?), it is a no-brainer given neatness and wise use of space.

I am not concerned about "being cool and having a software based router" since most uses barely scratch the surface of what a BSD based solution would be capable of. A wise use of FreeBSD vs a hardware based firewall solution is to have the box performing additional tasks... then I could justify the box.

BTW, the power draw on the Linksys router is probably that of a 60W lightbulb... I guarantee that the P100 case and its 230? W power supply is drawing 2-3 times that amount... thus you are paying the money sooner or later, just financing it over your electric bill.

Just some thoughts.

Dave

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of richard childers
Sent: Saturday, March 17, 2001 10:23 AM
To: Andrew Hesford
Cc: bcohen@bpecreative.com; freebsd-questions
Subject: Re: FreeBSD Firewall vs. Black Ice

Summary for the impatient: moving parts are bad.

"I always have to laugh, because it's $160-180, and it's probably not too configurable."

I do not believe that there is any basis for considering a PC more reliable than a router.

PCs generally have removable parts. This is good, because you can replace them; but it is bad, because they can move about and become disconnected; the interconnections between the components are at risk. And we all know how often a mysterious problem has been resolved by reseating the boards.

It is generally a rule of thumb amongst mechanical engineers that there is a direct proportion between the number of moving parts in a given device and the probability that it will cease working as a result of these moving parts.

In the case of a PC running PicoBSD, I would expect that the floppy would be the first to go - regardless of whether PicoBSD reads the floppy after bootup, repeatedly, or only reads the floppy once, and loads itself into memory. I haven't played with PicoBSD so I don't know if it has the capacity to log data to a hard drive but if it does that's your second probable point of failure. How many messages have you read over the past week from people whose drives were making noise? I count two or three.

I encourage folks to secure their perimeters with multiple devices, which operate upon network traffic sequentially (i.e., packets reach box B only by passing through box A). I would never encourage people to confuse potentially useful "choke point" hardware with the firewall itself; those who bother to read the previous message from me on this thread, in full, will see that I never said anything else.

('The Screensavers'. What is this? The made-for-TV action drama based on the fish tank? :-)

-- richard

Andrew Hesford wrote:

> I watch "The Screensavers" on TechTV quite often, and they always
> recommend the Linksys DSL/Cable Home Firewall. When I see this, I always
> have to laugh, because it's $160-180, and it's probably not too
> configurable (lest the do-it-yourselfer, who doesn't know what he's
> doing, break it).
>
> My idea of an effective and cost-effective choke point is an old P-100
> with no hard drive or video, running PicoBSD from a single floppy. I
> configure it to keep-state on all connections originating inside my
> personal network, allow state-matching packets back in, and drop any
> other connection originating in the outside world except 22, 25 and 80,
> which are forwarded to my desktop.
>
> Not counting my time and the diskette, the whole machine cost me $100,
> and I now have a spare hard disk and video card. The two NICs were
> cheap, $15 each, so we're talking $130, which is cheaper than the
> Linksys product, it is more configurable, and I'll bet more reliable.
>
> On Thu, Mar 15, 2001 at 06:15:53AM -0800, richard childers wrote:
> > I'm not saying that this should replace the idea of a UNIX-based
> > firewall but it is an excellent
> > and cost-effective choke point, behind which a firewall can be placed,
> > while - at least with
> > the RT314 - you still have the ability to sample traffic more directly,
> > if you care to, via one of
> > the additional ports.
>
> --
> Andrew Hesford
> ajh3@chmod.ath.cx

--
Richard A. Childers
Senior UNIX Administrator
fscked@pacbell.net (email)
415.664.6291 (voice/msgs)

# Providing administrative expertise (not 'damage control') since 1986.
# PGP fingerprint: 7EFF 164A E878 7B04 8E9F 32B6 72C2 D8A2 582C 4AFA

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
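The stateful PicoBSD policy Andrew Hesford describes in the quoted message (keep state on connections leaving the inside network, let state-matching packets back in, drop everything else arriving from outside except ports 22, 25 and 80, which go to the desktop), written out as an ipfw ruleset. This is an added example, not Andrew's own rules or anything posted in the thread. The interface names ed0 and ed1, the 192.168.1.0/24 inside network and the desktop address 192.168.1.10 are constructed assumptions, and the port forwarding is done by natd -redirect_port, since on FreeBSD 4.x of that era ipfw matched packets but did not rewrite addresses. The skipto pattern places the outbound natd divert after the stateful rules so that replies from the desktop, which match an existing state entry, are still translated on the way out.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset plus natd forwarding for a two-NIC
# PicoBSD/FreeBSD 4.x choke point. Names and addresses below are assumptions.
oif="${OIF:-ed0}"                   # outside NIC (assumed name)
iif="${IIF:-ed1}"                   # inside NIC (assumed name)
inet="${INET:-192.168.1.0/24}"      # constructed inside network
desktop="${DESKTOP:-192.168.1.10}"  # constructed desktop address
natd_port="${NATD_PORT:-8668}"      # natd's default divert port
fwd_ports="22 25 80"                # the three services forwarded inbound

# natd does the address rewriting; each -redirect_port maps an outside
# port on the firewall to the same port on the desktop.
natd_cmd() {
    printf 'natd -p %s -n %s' "$natd_port" "$oif"
    for p in $fwd_ports; do
        printf ' -redirect_port tcp %s:%s %s' "$desktop" "$p" "$p"
    done
    printf '\n'
}

# Emit the ruleset in evaluation order, one "ipfw add" per line.
# Stateful rules use "skipto 800" so that both the first packet and every
# later state-matched packet pass through the outbound natd divert at 800.
fw_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 deny ip from any to 127.0.0.0/8
ipfw add 120 deny ip from 127.0.0.0/8 to any
ipfw add 200 allow ip from any to any via $iif
ipfw add 300 divert $natd_port ip from any to any in via $oif
ipfw add 310 deny ip from $inet to any in via $oif
ipfw add 400 check-state
ipfw add 500 skipto 800 tcp from $inet to any out via $oif setup keep-state
ipfw add 510 skipto 800 udp from $inet to any out via $oif keep-state
ipfw add 520 skipto 800 icmp from $inet to any out via $oif keep-state
EOF
    # After natd has rewritten the destination, inbound connections to the
    # forwarded ports are the only new connections accepted from outside.
    for p in $fwd_ports; do
        echo "ipfw add 6$p skipto 800 tcp from any to $desktop $p in via $oif setup keep-state"
    done
    cat <<EOF
ipfw add 700 deny log ip from any to any
ipfw add 800 divert $natd_port ip from any to any out via $oif
ipfw add 810 allow ip from any to any
EOF
}

# Load the rules and start natd; only meaningful as root on the firewall.
apply_rules() {
    fw_rules | sh
    eval "$(natd_cmd)"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     fw_rules; natd_cmd ;;
esac
```

Without an argument the script only prints the generated ruleset and natd command line, which is the form to review before loading; `sh thisscript apply` loads it. Rule 310 drops packets arriving on the outside interface that claim an inside source address, and rule 700 is the default deny that catches every inbound connection not matched by the three forwarding rules.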