[KLUG Members] smoothwall questions
Joe Baker
members@kalamazoolinux.org
05 Aug 2003 21:37:09 -0500
On Mon, 2003-08-04 at 20:35, Peter Buxton wrote:
> On Mon, Aug 04, 2003 at 01:14:06PM +0200, Bert was only escaped
> alone to tell thee:
>
> > I should do both. The most effective is to drop them in
> > /etc/hosts.deny; for that you need a tcpwrapper running, although I
> > have read an article lately saying that you should never run a wrapper
> > on a firewall. I have always used tcp-wrappers on my firewall.
>
> Hmm. I think they say you shouldn't run a wrapper on a firewall because
> your application shouldn't run on a firewall. If you need a proxy hole,
> perhaps, if resources aren't a problem, you should try redirecting the
> incoming connection to a second, internal proxy host.
>
> Many of the tcpwrapper functions can and should be replaced by iptables
> or the *BSD equivalent. The only thing I don't think you could easily
> replace would be the PARANOID setting, where IP #'s and DNS names are
> compared and matched.
I've heard people say over and over again not to run applications on the
firewall, and I think that's bunk. I run iptables scripts on the box
which shield my applications from anything that comes in on my Internet
interfaces except related connections. It's amazing all the stuff I can
load up the box with to support the needs of the network.
-Joe Baker
President, Digital Communications Research, Inc.
Burlington, WI
http://www.dcresearch.com
414-788-8284
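Peter's point above is that the one tcpwrapper feature iptables cannot easily replace is PARANOID, which rejects a client whose reverse DNS name does not resolve back to its address. The following is an added example, not code from this thread or from tcp_wrappers, that reproduces that check in Python with a pluggable resolver; the zone data and hostnames are constructed for an offline run, and the real OS resolver is used only when no fake resolver is supplied.

```python
import socket
from typing import Callable, Dict, List, Optional

# Resolver hooks: reverse(ip) -> PTR name or None; forward(name) -> list of addresses.
ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup through the OS resolver; empty list on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def paranoid_check(ip: str, reverse: ReverseFn = system_reverse,
                   forward: ForwardFn = system_forward) -> str:
    """Classify a client the way hosts_access(5) does before matching rules.

    'unknown'  : no PTR record, so the client name cannot be determined
    'paranoid' : PTR name exists but does not forward-resolve to the client IP
    'ok'       : name and address are consistent
    """
    name = reverse(ip)
    if name is None:
        return "unknown"
    if ip not in forward(name):
        return "paranoid"
    return "ok"


# Constructed zone data for the offline demonstration (documentation prefixes, not real hosts).
FAKE_PTR: Dict[str, str] = {"192.0.2.10": "good.example.net", "192.0.2.20": "spoof.example.net"}
FAKE_A: Dict[str, List[str]] = {"good.example.net": ["192.0.2.10"], "spoof.example.net": ["198.51.100.5"]}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def demo() -> Dict[str, str]:
    """Run the check over a consistent host, a mismatched PTR, and an address with no PTR."""
    return {ip: paranoid_check(ip, fake_reverse, fake_forward)
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}
```

A hosts.deny line of `ALL: PARANOID` corresponds to refusing every client for which this function returns "paranoid"; an iptables rule has no equivalent because packet filtering never sees DNS names.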