
Re: azureus and selinux



I think he was just saying that being behind a NAT router was
sufficient enough.  Which, for the most part, is true.  Most home
users don't need a robust, stateful firewall if they're behind NAT. 
Your only real concern at that point is spoofing, and then security
flaws in the router itself.  While NAT isn't a firewall, it does offer
some level of security, even if it is partially from obscurity.

If one starts forwarding ports, that can change things...

Koree

On 2/23/06, Bryan J. Smith <b.j.smith@ieee.org> wrote:
> Casey Boone <caseyboone@gmail.com> wrote:
> > if you have a dlink router in front of your linux box, turn the
> > linux firewall off as the dlink will be a good enough firewall
> > for your purposes
>
> Er, um, I don't know if I can agree with that statement.  It really
> depends what you mean by "firewall."
>
> I like "firewalls" that are at least basic layer-3/4 "security
> appliances."  Basic, stateful packet filtering (SPF), Network Address
> Translation (NAT) with Port Address Translation (PAT) for Source and
> Destination changes (aka SNAT and DNAT), logging and basic Intrusion
> Detection Services (IDS).  You don't really get those out of a SOHO
> 'Ritter.
>
> But yes, to focus just on NAT+PAT, using two NAT+PAT devices -- one
> after another, is not ideal.  You should only use 1 NAT+PAT device on
> a LAN/WAN per Internet gateway.
>
>
> --
> Bryan J. Smith     Professional, Technical Annoyance
> b.j.smith@ieee.org      http://thebs413.blogspot.com
> ----------------------------------------------------
> *** Speed doesn't kill, difference in speed does ***
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
>
