Date:      Sat, 17 Mar 2001 23:46:59 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Dave VanAuken" <dave@hawk-systems.com>, "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: FreeBSD Firewall vs. Black Ice
Message-ID:  <007b01c0af7f$9cf84e80$1401a8c0@tedm.placo.com>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNGEMPEEAA.dave@hawk-systems.com>

My only caution to using a Linksys is that its remote
manageability sucks.  Yes, I know you can hit them on port 8080
but that's not the point.  There are many instances where
in managing large networks you have to telnet from router to router
to router, because all of the route tables in the routers are
hosed and you can't reach C from A, while you can reach C by
going to A then hopping to B then hopping to C.

I'd suggest that the minimum criteria for any of these sub-$100
routers is the ability to initiate a ping or a telnet session
from the router.  Web interface configuration may be gee-whiz,
but nothing takes the place of a good command line that you can
configure the router from.

The last thing, of course, is that the LinkSys only speaks
static routes or RIP.  Granted, that's not much of an issue
if you're just using it as a border/gateway router, but many
people prefer running OSPF internally, and it's very
nice to have your gateway router have the ability to inject
a default route into your OSPF network.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Dave VanAuken
>Sent: Saturday, March 17, 2001 8:49 AM
>To: freebsd-questions
>Subject: RE: FreeBSD Firewall vs. Black Ice
>
>
>While I don't agree with all your points (I have yet to have a PC that
>was properly assembled have cards become unseated or cables
>disconnected)...  but another point is space.
>
>If I were to choose a CD-ROM size object, or an old steel P100 case
>(big briefcase size?), it is a no brainer given neatness and wise use
>of space.  I am not concerned about "being cool and having a software
>based router" since most uses barely scratch the surface of what a BSD
>based solution would be capable of.
>
>A wise use of FreeBSD vs a hardware based firewall solution is to have
>the box performing additional tasks...  then I could justify the box.
>
>BTW, the power draw on the Linksys router is probably that of a 60W
>lightbulb...  I guarantee that the P100 case and its 230? W power
>supply is drawing 2-3 times that amount...  thus you are paying the
>money sooner or later, just financing it over your electric bill.
>
>Just some thoughts.
>
>Dave
>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of richard
>childers
>Sent: Saturday, March 17, 2001 10:23 AM
>To: Andrew Hesford
>Cc: bcohen@bpecreative.com; freebsd-questions
>Subject: Re: FreeBSD Firewall vs. Black Ice
>
>
>Summary for the impatient: moving parts are bad.
>
>
>"I always have to laugh, because it's $160-180, and it's probably not
>too configurable."
>
>
>I do not believe that there is any basis for considering a PC more
>reliable than a router.
>
>PCs generally have removable parts. This is good, because you can
>replace them; but it is bad, because they can move about and become
>disconnected; the interconnections between the components are at risk.
>And we all know how often a mysterious problem has been resolved by
>reseating the boards.
>
>It is generally a rule of thumb amongst mechanical engineers that
>there is a direct proportion between the number of moving parts in a
>given device and the probability that it will cease working as a
>result of these moving parts.
>
>In the case of a PC running PicoBSD, I would expect that the floppy
>would be the first to go - regardless of whether PicoBSD reads the
>floppy after bootup, repeatedly, or only reads the floppy once, and
>loads itself into memory.
>
>I haven't played with PicoBSD so I don't know if it has the capacity
>to log data to a hard drive but if it does that's your second probable
>point of failure. How many messages have you read over the past week
>from people whose drives were making noise? I count two or three.
>
>I encourage folks to secure their perimeters with multiple devices,
>which operate upon network traffic sequentially (i.e., packets reach
>box B only by passing through box A).
>
>I would never encourage people to confuse potentially useful "choke
>point" hardware with the firewall itself; those who bother to read the
>previous message from me on this thread, in full, will see that I never
>said anything else.
>
>('The Screensavers'. What is this? The made-for-TV action drama based
>on the fish tank? :-)
>
>
>-- richard
>
>
>
>Andrew Hesford wrote:
>
>> I watch "The Screensavers" on TechTV quite often, and they always
>> recommend the Linksys DSL/Cable Home Firewall. When I see this, I
>> always have to laugh, because it's $160-180, and it's probably not too
>> configurable (lest the do-it-yourselfer, who doesn't know what he's
>> doing, break it).
>>
>> My idea of an effective and cost-effective choke point is an old
>> P-100 with no hard drive or video, running PicoBSD from a single
>> floppy. I configure it to keep-state on all connections originating
>> inside my personal network, allow state-matching packets back in, and
>> drop any other connection originating in the outside world except 22,
>> 25 and 80, which are forwarded to my desktop.
>>
>> Not counting my time and the diskette, the whole machine cost me
>> $100, and I now have a spare hard disk and video card. The two NICs
>> were cheap, $15 each, so we're talking $130, which is cheaper than the
>> Linksys product, it is more configurable, and I'll bet more reliable.
>>
>> On Thu, Mar 15, 2001 at 06:15:53AM -0800, richard childers wrote:
>> > I'm not saying that this should replace the idea of a UNIX-based
>> > firewall but it is an excellent and cost-effective choke point,
>> > behind which a firewall can be placed, while - at least with the
>> > RT314 - you still have the ability to sample traffic more directly,
>> > if you care to, via one of the additional ports.
>> --
>> Andrew Hesford
>> ajh3@chmod.ath.cx
>
>--
>Richard A. Childers
>Senor UNIX Administrator
>fscked@pacbell.net (email)
>415.664.6291 (voice/msgs)
>
># Providing administrative expertise (not 'damage control') since 1986.
># PGP fingerprint: 7EFF 164A E878 7B04 8E9F  32B6 72C2 D8A2 582C 4AFA
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

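The policy Andrew Hesford describes further up the thread (keep-state on every connection leaving the inside, let state-matching packets back in, drop all other inbound connections except 22, 25 and 80 forwarded to one desktop) is what an ipfw ruleset would express on a PicoBSD or FreeBSD box with two NICs. The script below is an added example written for this page, not code from the thread, from PicoBSD or from any of the posters. The interface names, the inside network and the desktop address are constructed placeholders, and it assumes natd is already running with -redirect_port entries for the three forwarded ports. It prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: ipfw ruleset for the two-NIC PicoBSD choke point described in the thread.
# Stateful outbound, state-matched return traffic, everything else from the outside
# dropped except 22/25/80 redirected to one desktop. Names and addresses are constructed.

EXT_IF="ed0"               # constructed: outside NIC
INT_IF="ed1"               # constructed: inside NIC
INT_NET="192.168.1.0/24"   # constructed: inside network
DESKTOP="192.168.1.10"     # constructed: host that receives the forwarded ports
FWD_PORTS="22,25,80"       # ports from the thread, forwarded to the desktop

# Assumed to be started separately (not part of this ruleset):
#   natd -n "$EXT_IF" -redirect_port tcp "$DESKTOP:22" 22 \
#        -redirect_port tcp "$DESKTOP:25" 25 -redirect_port tcp "$DESKTOP:80" 80

# Emit the ruleset one command per line so it can be reviewed before applying.
gen_rules() {
    echo "ipfw -q flush"
    # Loopback and the inside leg of forwarded packets are not filtered here.
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 110 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 120 allow ip from any to any via $INT_IF"
    # Anti-spoofing: inside addresses never legitimately arrive on the outside NIC.
    echo "ipfw add 200 deny ip from $INT_NET to any in via $EXT_IF"
    # Inbound packets are translated first so that check-state sees inside addresses.
    echo "ipfw add 300 divert natd ip from any to any in via $EXT_IF"
    # A dynamic-rule match performs the action of the rule that created it, so every
    # later packet of a known flow is sent through the outbound NAT block at 800.
    echo "ipfw add 310 check-state"
    # New connections from inside: record state, then NAT and allow.
    echo "ipfw add 400 skipto 800 ip from $INT_NET to any out via $EXT_IF keep-state"
    # New inbound connections are accepted only to the desktop on the forwarded ports
    # (the destination has already been rewritten by natd at rule 300).
    echo "ipfw add 410 skipto 800 tcp from any to $DESKTOP $FWD_PORTS in via $EXT_IF setup keep-state"
    # Everything else arriving from the outside is dropped and logged.
    echo "ipfw add 500 deny log ip from any to any in via $EXT_IF"
    # Outbound NAT, then accept.
    echo "ipfw add 800 divert natd ip from any to any out via $EXT_IF"
    echo "ipfw add 810 allow ip from any to any"
    echo "ipfw add 65000 deny ip from any to any"
}

# Number of deny rules in the emitted set; a quick sanity check that the
# default-deny posture survived any editing of gen_rules.
count_deny() {
    gen_rules | grep -c ' deny '
}

case "${1:-}" in
    apply) gen_rules | sh ;;   # run as root on the firewall itself
    *)     gen_rules ;;        # default: print the rules for review
esac
```

The ordering matters more than the individual rules: inbound traffic is translated by natd before check-state so that the dynamic rules, which were created with inside addresses by rules 400 and 410, actually match the return packets, and the skipto 800 action on those rules is what carries each subsequent outbound packet through the NAT divert instead of short-circuiting to a plain allow.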



