Date:      Sat, 17 Mar 2001 18:04:28 -0800
From:      richard childers <fscked@pacbell.net>
To:        Dave VanAuken <dave@hawk-systems.com>
Cc:        freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: FreeBSD Firewall vs. Black Ice
Message-ID:  <3AB417AC.42A1D17C@pacbell.net>
References:  <DBEIKNMKGOBGNDHAAKGNGEMPEEAA.dave@hawk-systems.com>

Yeah, I glossed over the space and power requirements; those count too.


-- richard


Dave VanAuken wrote:

> While I don't agree with all your points (I have yet to have a PC that
> was properly assembled have cards become unseated or cables
> disconnected)...  but another point is space.
>
> If I were to choose a CD-ROM size object, or an old steel P100 case
> (big briefcase size?), it is a no brainer given neatness and wise use
> of space.  I am not concerned about "being cool and having a software
> based router" since most uses barely scratch the surface of what a BSD
> based solution would be capable of.
>
> A wise use of FreeBSD vs a hardware based firewall solution is to have
> the box performing additional tasks...  then I could justify the box.
>
> BTW, the power draw on the Linksys router is probably that of a 60W
> lightbulb...  I guarantee that the P100 case and its 230? W power
> supply is drawing 2-3 times that amount...  thus you are paying the
> money sooner or later, just financing it over your electric bill.
>
> Just some thoughts.
>
> Dave
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of richard
> childers
> Sent: Saturday, March 17, 2001 10:23 AM
> To: Andrew Hesford
> Cc: bcohen@bpecreative.com; freebsd-questions
> Subject: Re: FreeBSD Firewall vs. Black Ice
>
> Summary for the impatient: moving parts are bad.
>
> "I always have to laugh, because it's $160-180, and it's probably not
> too configurable."
>
> I do not believe that there is any basis for considering a PC more
> reliable than a router.
>
> PCs generally have removable parts. This is good, because you can
> replace them; but it is bad, because they can move about and become
> disconnected; the interconnections between the components are at risk.
> And we all know how often a mysterious problem has been resolved by
> reseating the boards.
>
> It is generally a rule of thumb amongst mechanical engineers that
> there is a direct proportion between the number of moving parts in a
> given device and the probability that it will cease working as a result
> of these moving parts.
>
> In the case of a PC running PicoBSD, I would expect that the floppy
> would be the first to go - regardless of whether PicoBSD reads the
> floppy after bootup, repeatedly, or only reads the floppy once, and
> loads itself into memory.
>
> I haven't played with PicoBSD so I don't know if it has the capacity
> to log data to a hard drive but if it does that's your second probable
> point of failure. How many messages have you read over the past week
> from people whose drives were making noise? I count two or three.
>
> I encourage folks to secure their perimeters with multiple devices,
> which operate upon network traffic sequentially (IE, packets reach box
> B only by passing through box A).
>
> I would never encourage people to confuse potentially useful "choke
> point" hardware with the firewall itself; those who bother to read the
> previous message from me on this thread, in full, will see that I never
> said anything else.
>
> ('The Screensavers'. What is this? The made-for-TV action drama based
> on the fish tank? :-)
>
> -- richard
>
> Andrew Hesford wrote:
>
> > I watch "The Screensavers" on TechTV quite often, and they always
> > recommend the Linksys DSL/Cable Home Firewall. When I see this, I
> > always have to laugh, because it's $160-180, and it's probably not too
> > configurable (lest the do-it-yourselfer, who doesn't know what he's
> > doing, break it).
> >
> > My idea of an effective and cost-effective choke point is an old
> > P-100 with no hard drive or video, running PicoBSD from a single
> > floppy. I configure it to keep-state on all connections originating
> > inside my personal network, allow state-matching packets back in, and
> > drop any other connection originating in the outside world except 22,
> > 25 and 80, which are forwarded to my desktop.
> >
> > Not counting my time and the diskette, the whole machine cost me
> > $100, and I now have a spare hard disk and video card. The two NICs
> > were cheap, $15 each, so we're talking $130, which is cheaper than the
> > Linksys product, it is more configurable, and I'll bet more reliable.
> >
> > On Thu, Mar 15, 2001 at 06:15:53AM -0800, richard childers wrote:
> > > I'm not saying that this should replace the idea of a UNIX-based
> > > firewall but it is an excellent and cost-effective choke point,
> > > behind which a firewall can be placed, while - at least with the
> > > RT314 - you still have the ability to sample traffic more directly,
> > > if you care to, via one of the additional ports.
> > --
> > Andrew Hesford
> > ajh3@chmod.ath.cx
>
> --
> Richard A. Childers
> Senor UNIX Administrator
> fscked@pacbell.net (email)
> 415.664.6291 (voice/msgs)
>
> # Providing administrative expertise (not 'damage control') since 1986.
> # PGP fingerprint: 7EFF 164A E878 7B04 8E9F  32B6 72C2 D8A2 582C 4AFA
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Richard A. Childers
Senor UNIX Administrator
fscked@pacbell.net (email)
415.664.6291 (voice/msgs)

# Providing administrative expertise (not 'damage control') since 1986.
# PGP fingerprint: 7EFF 164A E878 7B04 8E9F  32B6 72C2 D8A2 582C 4AFA
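
The packet policy described in Andrew Hesford's quoted message above (keep state for connections opened from the inside, let matching replies back in, forward 22, 25 and 80 to the desktop, drop everything else), sketched as a small Python model. This is an added example, not code from the thread and not ipfw or PicoBSD configuration; the class and function names and all addresses are constructed for illustration, and NAT rewriting and state timeouts are left out.

```python
from dataclasses import dataclass

DESKTOP = "192.168.1.10"         # constructed address for the desktop
FORWARDED_PORTS = {22, 25, 80}   # the three ports named in the message


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ChokePoint:
    """Toy model of the described policy (hypothetical class, not ipfw)."""

    def __init__(self):
        self.states = set()  # flows opened from the inside network

    def from_inside(self, p):
        # keep-state: remember the flow so its replies can be recognised later
        self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "pass"

    def from_outside(self, p):
        # A reply carries the original flow's endpoints swapped.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (matches state)"
        if p.proto == "tcp" and p.dport in FORWARDED_PORTS:
            return f"forward to {DESKTOP}:{p.dport}"
        return "drop"


def demo():
    fw = ChokePoint()
    # All addresses below are constructed sample values.
    lan, web, stranger, wan = "192.168.1.20", "203.0.113.5", "198.51.100.9", "192.0.2.1"
    return [
        fw.from_inside(Packet("tcp", lan, 40000, web, 80)),       # LAN host opens a flow
        fw.from_outside(Packet("tcp", web, 80, lan, 40000)),      # its reply
        fw.from_outside(Packet("tcp", web, 80, lan, 40001)),      # no matching state
        fw.from_outside(Packet("tcp", stranger, 5555, wan, 22)),  # forwarded port
        fw.from_outside(Packet("tcp", stranger, 5555, wan, 23)),  # anything else
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet shows why state matching is on the full tuple: the same outside host and source port is still dropped when the destination port does not belong to a flow opened from the inside.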


