LinuxQuestions.org
Old 05-02-2014, 11:47 PM   #1
psycroptic
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

internet firewall - difference between iptables on router & iptables on local machine


Say I have a standard iptables firewall setup on a router - DROP all incoming INPUT/FORWARD, allow in related/established connections, the internal LAN interface & specific other ones if necessary. If I were to duplicate this setup on a standalone machine & connect it to the internet directly, is there any difference in the level of security provided by iptables? E.g., a system with 1 ethernet connection with default DROP policies.

I was debating with someone about this, who said that it was always a bad idea to connect any machine directly to the internet, no matter how good the firewall. I was saying that, with iptables, you're using the same exact firewall whether it's on a Linux router or on a Linux machine standalone.
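The ruleset described above, written out as an added example that is not part of the thread: default DROP on INPUT and FORWARD, RELATED/ESTABLISHED allowed back in, and the LAN interface trusted. The interface names (eth0 as WAN, eth1 as LAN), the conntrack match and the ALLOW_TCP port list are assumptions; the same script builds either the router variant or the standalone (single-interface) variant so the two can be compared line by line. It prints the commands by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the firewall psycroptic
# describes in two variants: "router" (WAN + LAN, forwarding) and
# "standalone" (one interface, no forwarding).
# Assumptions: WAN=eth0, LAN=eth1, ALLOW_TCP lists inbound TCP ports to
# open on the WAN side (empty = nothing reachable from the internet).
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
ALLOW_TCP="${ALLOW_TCP:-}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands, 0 = run iptables

# Wrapper so the ruleset can be reviewed before it is applied.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# build_rules <router|standalone>
build_rules() {
  mode="$1"
  ipt -F
  ipt -X
  # Default-deny inbound and transit traffic; outbound stays open.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  # Loopback and replies to connections this host initiated.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  if [ "$mode" = router ]; then
    # Trust the internal LAN interface and forward LAN -> WAN plus replies.
    ipt -A INPUT -i "$LAN" -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  fi
  # Explicitly exposed services on the internet-facing interface, if any.
  for p in $ALLOW_TCP; do
    ipt -A INPUT -i "$WAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
}

# Usage: sh firewall.sh router   or   sh firewall.sh standalone
if [ -n "${1:-}" ]; then
  build_rules "$1"
fi
```

Run it once with DRY_RUN=1 for each variant and diff the two outputs: the INPUT chain is identical, and the only extra lines on the router are the LAN trust rule and the FORWARD rules, which is what makes the filtering itself equivalent for the host while leaving the question of where the filtering happens to the discussion below. NAT (MASQUERADE) for a private LAN is a separate concern and is deliberately not included here.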
 
Old 05-03-2014, 05:38 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55

The difference between a router and an end point is that a router is a single purpose device: it just routes traffic. This means that you can use a router to, for example, protect end points by regulating (limiting, scrubbing, denying) traffic. In case of say a DoS attack this wouldn't burden the end point with spending CPU cycles on what traffic to accept or drop next to actually providing services but have an edge router bear the full brunt. That's a good thing performance-wise. Also having a router in front of end points removes the risk of an end point's host-based firewall as a single point of failure. That said, given a similar Linux router and a Linux end point, the firewall itself on each device can be the same functionality- and security-wise.
 
Old 05-03-2014, 11:19 AM   #3
psycroptic
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Quote:
Originally Posted by unSpawn
The difference between a router and an end point is that a router is a single purpose device: it just routes traffic. This means that you can use a router to, for example, protect end points by regulating (limiting, scrubbing, denying) traffic. In case of say a DoS attack this wouldn't burden the end point with spending CPU cycles on what traffic to accept or drop next to actually providing services but have an edge router bear the full brunt. That's a good thing performance-wise. Also having a router in front of end points removes the risk of an end point's host-based firewall as a single point of failure. That said, given a similar Linux router and a Linux end point, the firewall itself on each device can be the same functionality- and security-wise.
Thanks. Makes sense that a DoS occurring at a router would leave the endpoint machines unaffected CPU-wise, but I would think you would end up with the same effect; the host would lose internet access either way, whether it was because its router was being overloaded, or the host itself was being overloaded.