LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-17-2004, 11:34 AM   #1
setiDude
LQ Newbie
 
Registered: Oct 2004
Distribution: Gentoo, Debian, FreeBSD
Posts: 9

Rep: Reputation: 0
Firewalls for home networks, is separate justified?


I've been reading quite a lot of posts around here concerning firewalls, and the generally accepted practice is to use some old ancient 486 box as a separate firewall.

I can understand that this is important for a large network, but I've only got 2 machines at home, and I'm currently trying to weigh the benefits vs. power consumption.

Here's what I have so far.

I have a firewall/router/NAT box running FreeBSD. Very hardened and secure, headless, running nothing but packet filtering necessities. It's attached to an always-on broadband connection.

It serves net access to two workstations, a Windows XP system that is in all respects the center of attention, as it has the big hard drive and all of my personal files. It's sharing the root of the entire C drive with the brand new Gentoo system that I just set up. Thus, the only thing on the Linux drive is the OS itself, no personal files.

My electric bill is terrible, and I am wondering if using the separate firewall box is necessary. Is it safe to use my Gentoo Linux workstation as the gateway to my home network? I don't plan on running any external servers, as my ISP gives my apartment a set of some 200 10.0.0.0 class IPs and I can't access my home PC on the go anyways. But I do plan on using the Gentoo machine as a desktop system, running X, multimedia apps, etc. Could these typical desktop problems pose a vulnerability?

I understand that running services on a firewall box could pose a risk to the entire internal LAN if there's a security hole. But since any services I run will be available only on the internal interface, would there still be a problem?
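The question in this post, whether services bound only to the internal interface are a problem, is one a gateway owner can check rather than assume. The script below is an added example, not code from the thread or from any poster: it takes listener output in the shape of Linux `ss -tln` on stdin and prints every TCP listener reachable on the external interface, i.e. anything bound to a wildcard address or to the external address itself. The external address (10.0.3.17), the internal address (192.168.1.1) and the sample socket lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from this thread. Audits which TCP listeners on a
# gateway are reachable from the external interface, using lines in the format
# of 'ss -tln' (Linux) fed on stdin. The addresses and sample lines below are
# constructed for illustration.

# exposed_listeners EXT_IP: print the local socket of every LISTEN entry that is
# bound to a wildcard address (reachable on every interface, the external one
# included) or to the external address itself. Loopback and addresses on the
# internal interface are not reported.
exposed_listeners() {
    awk -v ext="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]" || host == ext)
                print addr
        }'
}

# Constructed sample in the shape of 'ss -tln' output. On a live box the input
# would come from the command itself:  ss -tln | exposed_listeners "$EXT_IP"
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      50     192.168.1.1:445     0.0.0.0:*
LISTEN 0      128    *:6000              *:*
LISTEN 0      128    10.0.3.17:8080      0.0.0.0:*
EOF
}

# count_exposed EXT_IP: number of exposed listeners in the constructed sample.
count_exposed() {
    sample_listeners | exposed_listeners "$1" | awk 'END { print NR }'
}

# Usage: sh audit.sh run   (prints the exposed sockets of the sample)
if [ "${1:-}" = "run" ]; then
    sample_listeners | exposed_listeners 10.0.3.17
fi
```

On the sample, sshd bound to 0.0.0.0:22, the X server on *:6000 and the service on the external address itself are reported; the CUPS listener on loopback and the Samba share on the internal address are not. A `*:6000` entry is an X server accepting TCP connections for display :0, which is what the `-nolisten tcp` server option exists to prevent. Services that must stay internal should bind to the internal interface's address explicitly, since a wildcard bind is "available on the internal interface" only in the sense that it is available on every interface.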

 
Old 10-17-2004, 11:44 AM   #2
crm
Member
 
Registered: Apr 2004
Location: leeds - UK
Distribution: Gentoo Stage 1 on Riser FS 4
Posts: 204

Rep: Reputation: 30
I don't understand how the power consumption could be that bad... I keep a 6 computer network with at least 3 computers -always on- with negligible draw on the power....

Have you stripped all non-essential hardware from the firewall/BSD box... e.g. monitor, CD drives, soundcards, etc.?
 
Old 10-17-2004, 11:56 AM   #3
setiDude
LQ Newbie
 
Registered: Oct 2004
Distribution: Gentoo, Debian, FreeBSD
Posts: 9

Original Poster
Rep: Reputation: 0
Indeed I have

Although it's not just the power consumption. It's also the system maintenance, the space requirement, etc....

It would be much easier to maintain one less system, and I can certainly use the HDD somewhere else. I'd rather not make the switch though unless I am damn sure I can trust the same level of security with my workstation.
 
Old 10-17-2004, 12:16 PM   #4
crm
Member
 
Registered: Apr 2004
Location: leeds - UK
Distribution: Gentoo Stage 1 on Riser FS 4
Posts: 204

Rep: Reputation: 30
Well - software firewalls are always circumventable.....
Even if the services are registered to only the one 'green' interface, they still represent extra processes which could _possibly_ be compromised....

As an example.. if someone manages to get r00t access to my firewall... congratulations... you have a 500 MHz Athlon with no files and only passing reference to the other secure systems on the network...
Even if they compromise the firewall.. it would only take me an hour or so to re-install the OS and get it running again...

If your desktop machine is running as the firewall.. if they get access to it, they get access to all your material as well...

(yeah I'm overly paranoid.... everyone needs a hobby :P)
 
Old 10-17-2004, 03:16 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I agree with crm, best practices say you don't run your network firewall on a machine that contains data (or as the case may be, is mounting shared data on another machine--actually, that's worse).

If you absolutely must switch off the dedicated hardware because of electric bills, then make very, very sure that your firewall rules are tight. Make sure it's impossible to spoof a trusted address on the external interface; make sure you're properly handling fragmented packets; make sure external packets can't be forwarded to the loopback adaptor; make sure no services at all get bound to the external interface; don't allow X to listen for TCP/IP connections, etc... Most important, make sure you follow security advisories very closely and always install and apply security fixes immediately, even when it means rebooting the machine.
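The checklist in the post above maps onto a small number of concrete rules. The script below is an added example, not code from the thread or from any poster: a minimal iptables ruleset for a Linux workstation acting as the NAT gateway, with anti-spoofing on the external interface, fragments dropped, nothing forwarded to loopback, and the gateway's own services (ssh, as an assumed example) reachable only from the LAN. The interface names (eth0 external, eth1 internal) and the internal network 192.168.1.0/24 are assumptions; `DRY_RUN=1` prints the rules instead of applying them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from this thread. Minimal iptables ruleset for a Linux
# box acting as NAT gateway for a small LAN. Interface names and the internal
# network below are assumptions for the example.
EXT_IF="${EXT_IF:-eth0}"                 # assumed: broadband side
INT_IF="${INT_IF:-eth1}"                 # assumed: LAN side
INT_NET="${INT_NET:-192.168.1.0/24}"     # assumed: LAN address range

# ipt: print the iptables command when DRY_RUN is set, otherwise execute it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Default deny for what reaches the gateway and for what it forwards.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is trusted only on lo itself: packets arriving on the external
    # interface with a 127/8 source or destination are bogus, and nothing is
    # ever forwarded to loopback.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
    ipt -A INPUT -i "$EXT_IF" -d 127.0.0.0/8 -j DROP
    ipt -A FORWARD -d 127.0.0.0/8 -j DROP

    # Anti-spoofing: a packet from outside may not claim an internal address.
    ipt -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # Fragments: connection tracking reassembles before filtering, so non-first
    # fragments should never reach these chains; drop any that do.
    ipt -A INPUT -f -j DROP
    ipt -A FORWARD -f -j DROP

    # Replies to connections the gateway or the LAN initiated are let back in.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the gateway itself runs (ssh here, an assumed example) are
    # reachable only on the internal interface from internal addresses. No rule
    # accepts new connections arriving on $EXT_IF.
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

    # LAN hosts may initiate outbound connections, masqueraded behind the
    # gateway's external address.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# rules_text: the ruleset as text, for review without root.
rules_text() {
    ( DRY_RUN=1; gateway_rules )
}

# external_accepts: count of rules accepting traffic on the external interface
# that are not limited to established connections; a tight ruleset yields 0.
external_accepts() {
    rules_text | grep -- "-i $EXT_IF" | grep -- "-j ACCEPT" \
        | grep -vc -- "ESTABLISHED" || true
}

# Usage:  sh gateway.sh print   (review)      sh gateway.sh apply   (as root)
case "${1:-}" in
    print) rules_text ;;
    apply) gateway_rules ;;
esac
```

Forwarding itself is enabled separately with `net.ipv4.ip_forward=1`, and `net.ipv4.conf.all.rp_filter=1` adds a kernel-level check that a packet's source address is routable back through the interface it came in on, which complements the explicit anti-spoof rules. The rules cover the packet filter part of the checklist only; keeping the box patched and keeping X off TCP are separate tasks on the same host.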
 
Old 10-18-2004, 12:25 PM   #6
setiDude
LQ Newbie
 
Registered: Oct 2004
Distribution: Gentoo, Debian, FreeBSD
Posts: 9

Original Poster
Rep: Reputation: 0
How vulnerable are such attacks in a residential setting such as mine? My external IP address is privately routable, and there's some 200 people in my apartment that are on the same LAN.

Is it possible for people outside the apartments network to hack inward? Or perhaps make an ssh connection?
 
Old 10-18-2004, 12:59 PM   #7
crm
Member
 
Registered: Apr 2004
Location: leeds - UK
Distribution: Gentoo Stage 1 on Riser FS 4
Posts: 204

Rep: Reputation: 30
Frankly yes....
Though your Linux box is safe from most attacks.. if you run any MS product you are putting yourself at quite considerable risk...
Even if all your files are stored in offline Linux partitions... any person in your system with malicious intent can simply run fdisk to end your computer's current incarnation.

Do you trust all 200 people in your apartment to take security as seriously as you?
Even one compromised system behind NAT or a firewall opens the entire network to intrusion...
..
I'd sooner trust 2 computers than 198
 
Old 10-18-2004, 02:12 PM   #8
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
With the cost of embedded devices dropping into the $150 to $200 mark you could consider that route. Cheaper on power, no fans and a dedicated life.

As for power bills, I don't see them since I don't do the bills around the house. That's probably a good idea since my desktop is a dual Xeon on all the time, then there is the 2 servers.....the kids' PC.....what a waste of power I am!
 
Old 10-18-2004, 02:43 PM   #9
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
I agree with the others. But I am not sure how one extra CPU on all the time could hurt. It's the only one that's gonna be on all the time anyways. Go get you a 486x or DX if you like and install Smoothwall 2.0

From what I have read your other computers are not up all the time so there is one CPU drawing power.

I have a smoothie, server with dual P3's, my personal box, my sister's box, my laptop, dad's laptop, mom's computer, Linksys wireless router, blender, microwave, air conditioning, heat, water removal pump for when the basement used to flood. (water + server environment = problems)
I don't notice much power consumption. The smoothie and the server are up 24x7

I think it's time to go yardsaleing and get you an old computer.
 
Old 10-18-2004, 02:56 PM   #10
crm
Member
 
Registered: Apr 2004
Location: leeds - UK
Distribution: Gentoo Stage 1 on Riser FS 4
Posts: 204

Rep: Reputation: 30
I have 2 computers on 24/7: my desktop Gentoo/server/thingie and the firewall...

My iBook is usually always on standby...

My power bill is pretty nominal.... computers don't cost much to power.... monitors cost a fortune... I switch mine off when I'm not looking at it...
 
Old 10-18-2004, 03:38 PM   #11
setiDude
LQ Newbie
 
Registered: Oct 2004
Distribution: Gentoo, Debian, FreeBSD
Posts: 9

Original Poster
Rep: Reputation: 0
I like the idea of using a floppy based firewall, but I rather enjoy the BSD security record.

Does anyone know if it's possible to get Open- or FreeBSD to boot off of a disk? So if it's compromised it can simply be rebooted?
 
Old 10-18-2004, 04:14 PM   #12
crm
Member
 
Registered: Apr 2004
Location: leeds - UK
Distribution: Gentoo Stage 1 on Riser FS 4
Posts: 204

Rep: Reputation: 30
Now THAT I'd like to use....

A distribution you install on 30 meg... and make floppies to order which boot a 'spawn' of the OS dependent on the settings you pass to the master OS....
 
Old 10-18-2004, 08:55 PM   #13
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
Then you 2 are talking about m0n0wall

awesome!
 