Firewalls for home networks, is separate justified?
I've been reading quite a lot of posts around here concerning firewalls, and the generally accepted practice is to use some old ancient 486 box as a separate firewall.
I can understand that this is important for a large network, but I've only got 2 machines at home, and I'm currently trying to weigh the benefits vs. power consumption.
Here's what I have so far.
I have a firewall/router/NAT box running FreeBSD. Very hardened and secure, headless, running nothing but packet filtering necessities. It's attached to an always-on broadband connection.
It serves net access to two workstations: a Windows XP system that is in all respects the center of attention, as it has the big hard drive and all of my personal files. It's sharing the root of the entire C drive with the brand new Gentoo system that I just set up. Thus, the only thing on the Linux drive is the OS itself, no personal files.
My electric bill is terrible, and I am wondering if using the separate firewall box is necessary. Is it safe to use my Gentoo Linux workstation as the gateway to my home network? I don't plan on running any external servers, as my ISP gives my apartment a set of some 200 10.0.0.0 class IPs and I can't access my home PC on the go anyway. But I do plan on using the Gentoo machine as a desktop system, running X, multimedia apps, etc. Could these typical desktop problems pose a vulnerability?
I understand that running services on a firewall box could pose a risk to the entire internal LAN if there's a security hole. But since any services I run will be available only on the internal interface, would there still be a problem?
Although it's not just the power consumption. It's also the system maintenance, the space requirement, etc.
It would be much easier to maintain one less system, and I can certainly use the HDD somewhere else. I'd rather not make the switch though unless I am damn sure I can trust the same level of security with my workstation.
well - software firewalls are always circumventable.....
even if the services are registered to only the one 'green' interface, they still represent extra processes which could _possibly_ be compromised....
as an example.. if someone manages to get r00t access to my firewall... congratulations... you have a 500 MHz Athlon with no files and only passing reference to the other secure systems on the network...
even if they compromise the firewall.. it would only take me an hour or so to re-install the OS and get it running again...
if your desktop machine is running as the firewall.. if they get access to it, they get access to all your material as well...
(yeah I'm overly paranoid.... everyone needs a hobby :P)
I agree with crm, best practices say you don't run your network firewall on a machine that contains data (or as the case may be, is mounting shared data on another machine--actually, that's worse).
If you absolutely must switch off the dedicated hardware because of electric bills, then make very, very sure that your firewall rules are tight. Make sure it's impossible to spoof a trusted address on the external interface; make sure you're properly handling fragmented packets; make sure external packets can't be forwarded to the loopback adaptor; make sure no services at all get bound to the external interface; don't allow X to listen for TCP/IP connections, etc... Most important, make sure you follow security advisories very closely and always install and apply security fixes immediately, even when it means rebooting the machine.
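The checklist in the reply above, turned into a concrete nftables ruleset for a Linux workstation that doubles as the home gateway. This is an added example, not code from the thread or from any of its posters; it assumes the ISP-facing interface is `eth0`, the internal interface is `eth1`, and the internal prefix behind NAT is `192.168.1.0/24` (all overridable through the environment). Note that the anti-spoofing rule drops only the LAN's own prefix on the external side, not all of 10.0.0.0/8, because the original poster's ISP hands out 10.x addresses on the outside.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset for a Linux
# workstation that doubles as the home gateway, covering the checks listed in
# the reply: anti-spoofing on the external side, fragment handling, no
# forwarding to loopback, and nothing reachable on the external interface.
# Interface names and LAN prefix are assumptions; override them via the environment.
WAN="${WAN:-eth0}"                    # assumed: interface facing the ISP
LAN="${LAN:-eth1}"                    # assumed: interface facing the other workstation
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: internal prefix behind NAT

gen_ruleset() {
cat <<EOF
flush ruleset

table inet gateway {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state established,related accept
    # conntrack reassembles IPv4 fragments before this hook; anything it could
    # not reassemble (e.g. a tail fragment with no first fragment) is invalid
    ct state invalid drop
    # any non-first fragment that still reaches us unreassembled is dropped
    ip frag-off & 0x1fff != 0 drop

    # anti-spoofing: our own LAN prefix and loopback must never arrive from the wire
    iif "$WAN" ip saddr $LAN_NET drop
    ip saddr 127.0.0.0/8 drop
    ip daddr 127.0.0.0/8 drop
    # strict reverse-path check: drop if the source is not routable back out
    # the interface it came in on
    fib saddr . iif oif missing drop

    # services are reachable only from the LAN side; nothing is opened on the WAN
    iif "$LAN" ip saddr $LAN_NET accept
    # X11 (tcp/6000+) is never reachable from outside; also start X with -nolisten tcp
    iif "$WAN" tcp dport 6000-6063 counter drop
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept
    ct state invalid drop
    # external packets are never forwarded to loopback; only LAN-originated
    # traffic may leave through the WAN, replies come back via the ct rule above
    ip daddr 127.0.0.0/8 drop
    iif "$LAN" oif "$WAN" ip saddr $LAN_NET accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oif "$WAN" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Verify the generated text still carries the properties the reply asks for.
# Returns 0 when every required rule is present, 1 otherwise.
check_ruleset() {
  rules=$(gen_ruleset)
  for pat in \
    'hook input priority 0; policy drop;' \
    'hook forward priority 0; policy drop;' \
    "iif \"$WAN\" ip saddr $LAN_NET drop" \
    'ip daddr 127.0.0.0/8 drop' \
    'fib saddr . iif oif missing drop' \
    'ct state invalid drop'
  do
    printf '%s\n' "$rules" | grep -qF -- "$pat" || { echo "missing rule: $pat" >&2; return 1; }
  done
  return 0
}

# Count rules that accept traffic entering on the WAN interface; the only
# WAN-side acceptance should be the interface-agnostic established/related rule,
# so this must print 0.
wan_accepts() {
  gen_ruleset | grep -c "iif \"$WAN\".*accept" || true
}

# Stand-alone use: write the ruleset out for review and loading.
# gen_ruleset > gateway.nft && check_ruleset
```

Write the ruleset with `gen_ruleset > gateway.nft`, syntax-check it without loading via `nft -c -f gateway.nft`, then load it with `nft -f gateway.nft` and enable routing with `sysctl -w net.ipv4.ip_forward=1`. The `inet` table only carries IPv4 match rules here, so any IPv6 reaching the box falls to the drop policies; add explicit IPv6 rules if the ISP provides it.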
though your linux box is safe from most attacks.. if you run any MS product you are putting yourself at quite considerable risk...
even if all your files are stored in offline linux partitions... any person in your system with malicious intent can simply run fdisk to end your computer's current incarnation.
do you trust all 200 people in your apartment to take security as seriously as you?
even one compromised system behind NAT or a firewall opens the entire network to intrusion...
i'd sooner trust 2 computers than 198
with the cost of embedded devices dropping into the $150 to $200 mark you could consider that route. Cheaper on power, no fans and a dedicated life.
As for power bills, I don't see them since I don't do the bills around the house. That's probably a good idea since my desktop is a dual Xeon on all the time, then there are the 2 servers.....the kids' PC.....what a waste of power I am!
I agree with the others. But I am not sure how one extra CPU on all the time could hurt. It's the only one that's gonna be on all the time anyway. Go get you a 486x or DX if you like and install Smoothwall 2.0
From what I have read your other computers are not up all the time so there is one CPU drawing power.
I have a smoothie, server with dual P3's, my personal box, my sister's box, my laptop, dad's laptop, mom's computer, Linksys wireless router, blender, microwave, air conditioning, heat, water removal pump for when the basement used to flood. (water + server environment = problems)
I don't notice much power consumption. The smoothie and the server are up 24x7
I think it's time to go yard-saling and get you an old computer.