[KLUG Members] smoothwall questions

Tony Gettig members@kalamazoolinux.org
Wed, 6 Aug 2003 07:49:21 -0400


Quoting Joe Baker <joebaker@dcresearch.com>:

> On Mon, 2003-08-04 at 20:35, Peter Buxton wrote:
> > On Mon, Aug 04, 2003 at 01:14:06PM +0200, Bert was only escaped
> >    alone to tell thee:
> > 
> > > I should do both. The most effective is to drop them in
> > > /etc/hosts.deny, you need a tcpwrapper running, although I have read
> > > an article lately that you should never run a wrapper on a firewall. I
> > > always used tcp-wrappers on my firewall.
> > 
> > Hmm. I think they say you shouldn't run a wrapper on a firewall because
> > your application shouldn't run on a firewall. If you need a proxy hole,
> > perhaps, if resources aren't a problem, you should try redirecting the
> > incoming connection to a second, internal proxy host.
> > 
> > Many of the tcpwrapper functions can and should be replaced by iptables
> > or the *BSD equivalent. The only thing I don't think you could easily
> > replace would be the PARANOID setting, where IP #'s and DNS names are
> > compared and matched.
> 
> I've heard people say over and over again not to run applications on the
> firewall and I think that's bunk.  I run IPTables scripts on the box 
> which shield my applications from anything that comes in my Internet
> Interfaces except related connections. It's amazing all the stuff I can
> load up the box with to support the needs of the network.

I can understand that you are trying to make good use of computing resources.
But it will only be good until some sharp cracker uses a zero-day exploit on
your box, at which point he/she owns it and has many more apps at their
disposal. All of those things you load up to support the needs of the network
will probably be quite handy to the intruder. 


-- 
Tony Gettig
Voiceovers, PGP key, and more at
http://gettig.net
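The PARANOID behaviour Peter Buxton mentions, as an added Python example written for this archive page and not code from anyone in the thread: hosts_access(5) treats a client as KNOWN when its reverse (PTR) name resolves forward to the same address, UNKNOWN when it has no reverse name, and PARANOID when the name and address disagree. The block implements that classification and a small subset of hosts.deny pattern matching (ALL, the three wildcards, an address prefix ending in "." and a domain suffix starting with "."). The default resolvers use the system resolver via the socket module; the fake resolver tables and the sample addresses are constructed so the example runs offline.

```python
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Default resolvers use the system resolver. Callers can pass their own
# functions (as the constructed ones below do) to test without live DNS.

def reverse_dns(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup; None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def forward_dns(name: str) -> List[str]:
    """Forward (A record) lookup; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror, OSError):
        return []

def classify_host(ip: str,
                  reverse: Callable[[str], Optional[str]] = reverse_dns,
                  forward: Callable[[str], List[str]] = forward_dns
                  ) -> Tuple[str, Optional[str]]:
    """Return (category, name) using the hosts_access(5) wildcard meanings:
    UNKNOWN = no reverse name, PARANOID = name does not resolve back to ip,
    KNOWN = reverse and forward lookups agree."""
    name = reverse(ip)
    if name is None:
        return "UNKNOWN", None
    if ip not in forward(name):
        return "PARANOID", name
    return "KNOWN", name

def pattern_matches(pattern: str, ip: str, category: str,
                    name: Optional[str]) -> bool:
    """Match one hosts.deny client pattern (subset of hosts_access(5) syntax)."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p in ("KNOWN", "UNKNOWN", "PARANOID"):
        return category == p
    if p.endswith("."):            # address prefix, e.g. "10.0."
        return ip.startswith(p)
    if p.startswith("."):          # domain suffix, e.g. ".example.org"
        return name is not None and name.endswith(p)
    return p == ip or (name is not None and p == name)

def deny_decision(ip: str, deny_patterns: Sequence[str],
                  reverse: Callable[[str], Optional[str]] = reverse_dns,
                  forward: Callable[[str], List[str]] = forward_dns
                  ) -> Tuple[bool, str]:
    """Return (denied, reason) for a client against a list of deny patterns."""
    category, name = classify_host(ip, reverse, forward)
    for pat in deny_patterns:
        if pattern_matches(pat, ip, category, name):
            return True, f"{ip} ({category}, name={name}) matched deny pattern {pat!r}"
    return False, f"{ip} ({category}, name={name}) matched no deny pattern"

# Constructed resolver data (documentation-range addresses, not real hosts):
#   203.0.113.5  -> mail.example.net -> 203.0.113.5   (KNOWN)
#   198.51.100.9 -> host.example.org -> 192.0.2.1     (PARANOID: mismatch)
#   192.0.2.77   -> no PTR record                      (UNKNOWN)
CONSTRUCTED_PTR: Dict[str, str] = {
    "203.0.113.5": "mail.example.net",
    "198.51.100.9": "host.example.org",
}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "mail.example.net": ["203.0.113.5"],
    "host.example.org": ["192.0.2.1"],
}

def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)

def fake_forward(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name, [])

if __name__ == "__main__":
    # A hosts.deny line such as "ALL: PARANOID UNKNOWN" corresponds to this list.
    deny = ["PARANOID", "UNKNOWN"]
    for client in ("203.0.113.5", "198.51.100.9", "192.0.2.77"):
        denied, why = deny_decision(client, deny, fake_reverse, fake_forward)
        print("DENY " if denied else "ALLOW", why)
```

The point of the example is the check itself: a packet filter like iptables sees only addresses, so it cannot express "deny clients whose reverse name does not match", which is why that is the one tcpwrapper feature the quoted message says is hard to replace. The same check can be done later by the application or a proxy rather than on the firewall host.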