24 Comments
- derkles, on 09/27/2008, -0/+24: Linux is not a company, it's a kernel.
- podgey22, on 09/28/2008, -4/+19: Don't put servers on your firewall! Servers should be behind the firewall. (I'm not saying you shouldn't use this at all, just put it behind another firewall.)
- bsmang, on 09/28/2008, -0/+8: Linux makes for a great firewall and router. And server. And desktop. And laptop.
- syda, on 09/28/2008, -0/+3: I'm about to turn my useless old laptop into the most expensive home router ever!
- TheGuruStud, on 09/28/2008, -0/+3: No one said to do that. You can just use it for many things.
  A Linux firewall will blow away that overpriced ***** people call Cisco, and it's free.
- TheGuruStud, on 09/28/2008, -0/+3: Obviously for enterprise-level traffic (and better security), hardware would definitely be preferable. But why would a small office, etc., pay such extravagant prices for something that does so little? Cisco will never get a dime from me. I won't even buy one off eBay. Their CLI can kiss my ass b/c some of the commands don't work when you need them b/c the IOS is bugged to hell.
- HonoredMule, on 09/28/2008, -0/+3: Oh, and there's not much notable difference between running servers ON the firewall and BEHIND the firewall unless it's actually a difference between what is exposed/forwarded BY the firewall, save that if one service exposes a potential vulnerability to resource-based attacks and the firewall is unable or not configured to catch it, all services feel the grind. For example, a DDoS on your web service might have a greater impact on network throughput for intranet machines browsing to the outside world.
  But it's iptables (the firewall built into the kernel) that gives you the tools and ability to protect against such attacks anyway, as well as broader network profiling, QoS, and packet queue control, if you know what you're doing. The greatest advantage in keeping your gateway/firewall on a dedicated machine is simply scalability and higher capacity by distributing the workload. If "scalability" isn't a buzzword you need to concern yourself with, then this level of attention to security probably isn't a concern for you either.
- HonoredMule, on 09/28/2008, -0/+3: Apparently your peers think it preposterous that just maybe this distro is targeted at very small networks (i.e. home users and others who only /have/ one server and probably fewer than 5 desktops) and not high-security, large-scale enterprise deployments. Also, telling people how not to run their networks and deriding them for not having at least 3 loaded rack-mount cabinets and a Big Complex Server Network is a great way to flex your sysadmin e-penis.
  I'd recommend keeping your file server on a machine behind your firewall and separate/cut off from public-facing services if at all possible; after all, isn't the security and privacy of your possibly confidential data what's really important? But running things like Apache or IPsec on your properly firewalled and regularly backed-up gateway is, for the average home or even small business network, about as dangerous as taking the stairs two at a time. You might end up doing a face plant some day, and that'll be a bad 24 hours for you. Or you can increase your power bill by $40 per month just to have a dedicated gateway and still get hacked because you misconfigured your firewall, or exposed your DNS server without fully understanding the security landmine that activates with or without a firewall.
- sodade, on 09/28/2008, -0/+3: I didn't bury you because it is a valid question.
  Read this article and you will understand:
  http://en.wikipedia.org/wiki/Demilitarized_zone_(c ...
- fritzek, on 09/28/2008, -0/+2: OK. Can anyone who buried me give me part of an explanation?
- DestroyFascism, on 09/28/2008, -0/+2: You mean the module?
- directrix13, on 09/28/2008, -0/+2: @TheGuruStud:
  Whether the software is implemented as hardware has nothing to do with security.
- sipitung, on 09/28/2008, -0/+2: fritzek, ideally you want minimum services running on the firewall; running servers/services on the firewall increases the risk/vulnerabilities.
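The layout that sipitung and HonoredMule are arguing for (nothing served from the gateway itself, the public server on its own segment behind it, and a cap on connection floods so one exposed service cannot starve the LAN's uplink) looks like this as an iptables ruleset. This is an added example, not anything from the thread or the distro being discussed; the interface names, addresses and limits are assumptions for illustration, and commands are printed for review unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: three-legged gateway (WAN / LAN / DMZ). The gateway serves
# nothing to the Internet; the web server lives in the DMZ and only port 80
# is forwarded to it. Interface names and addresses are assumed values.
WAN=eth0            # Internet-facing interface
LAN=eth1            # trusted desktops
DMZ=eth2            # public-facing server segment
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB=192.168.2.10    # web server in the DMZ, not on the gateway

# Print each rule unless APPLY=1, so the whole set can be reviewed first.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

dmz_rules() {
    ipt -F; ipt -t nat -F
    # Default deny on the gateway and on forwarding; the box itself accepts
    # almost nothing, which is what "minimum services on the firewall" means.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN may manage the gateway (SSH); nothing is served on WAN.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN may initiate to the Internet and to the DMZ.
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Expose only the DMZ web server's port 80, via DNAT, with a SYN-rate
    # cap: excess SYNs fall through to the FORWARD DROP policy, so a flood
    # against the web service does not eat the LAN's share of the uplink.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 --syn \
        -m limit --limit 50/s --limit-burst 100 -j ACCEPT
    # DMZ hosts may answer outward but never initiate into the LAN, so a
    # compromised web server has no path to the file server.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    ipt -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

dmz_rules
```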
- bullox, on 09/30/2008, -0/+1: pfSense, based on FreeBSD. Used it for years, solid as a rock. It can run embedded on a tiny solid-state box (WRAP, etc.) running off a Compact Flash card, or the P4 box you've got. It will run like a champ on that P4.
- HonoredMule, on 09/28/2008, -0/+1: @TheGuruStud: Why would you even be talking about Cisco hardware in the first place if you're thinking about home and small business networks? But obviously a Linux firewall doesn't "blow away that overpriced *****" if it doesn't match it in capability and power. Saying you don't need that kind of capability is irrelevant, and is just admitting that the two items being compared don't even run in the same league/target the same market.
- marksands07, on 09/28/2008, -0/+1: We use SME at work too. I like SME.
- arcticblue, on 09/28/2008, -1/+2: We use SME at work, which is very similar to this. I hate these all-in-one solutions. I can see it being very convenient for a very small business, but seriously, I wouldn't put too much faith in something like this. These systems don't scale. Where I work, we only use the email functionality of SME and it does not integrate with anything at all. Our Active Directory with over 180 accounts? Yep, we had to recreate each one on the mail server by hand as well as all the group assignments and forwarding rules. Of course, that means we have to maintain a list of usernames and passwords so we can keep the passwords in sync. Great idea, huh? That's not all! SME uses qmail for its mail processing... which is great except for the fact that qmail doesn't keep track of forwarded messages, so some people end up with 10+ duplicates of the same email! This destroys what little bandwidth we have to our remote sites, where all the users connect directly to our only "mail server". As soon as I can convince the boss, I'm throwing that POS away and moving to Ubuntu servers with postfix-ldap and courier-ldap. This will let me use Heartbeat for redundancy and also put local mail servers at each of our remote sites. Postfix is also smart enough not to duplicate messages like qmail does.
- bullox, on 09/30/2008, -0/+1: You've got more than one NIC on your laptop? PCMCIA expansion, maybe, I guess.
- HonoredMule, on 09/28/2008, -1/+2: From what I hear, the features like hardware-based VPN service on that overpriced ***** are pretty badass, if you need that sort of thing.
- Darth_tater, on 09/28/2008, -0/+1: IPCop
- mindracer, on 09/28/2008, -1/+1: Hey, this sounds interesting. I need a good firewall for work but budgets have been scarce lately. Can I use an old Pentium 4 with a few network cards to get an even better firewall? Which distro or software do you recommend for a "better than Cisco" solution? :)
- fritzek, on 09/28/2008, -7/+2: What's the difference?
- AllenFresno, on 09/27/2008, -33/+1: The best firewall would be from another company, not Linux itself.