Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
05-02-2014, 11:47 PM
|
#1
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Rep:
|
internet firewall - difference between iptables on router & itpables on local machine
say i have a standard iptables firewall setup on a router - DROP all incoming INPUT/FORWARD, allow in related/established connections, internal LAN interface & specific other ones if necessary. if i were to duplicate this setup on a standalone machine & connect it to the internet directly, is there any difference in the level security provided by iptables? e.g., a system with 1 ethernet connection with default DROP policies.
i was debating with someone about this, who said that it was always a bad idea to connect any machine directly to the internet, no matter how good the firewall. i was saying that, with iptables, you're using the same exact firewall whether it's on a Linux router or on a Linux machine standalone.
|
|
|
05-03-2014, 05:38 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
The difference between a router and an end point is that a router is a single purpose device: it just routes traffic. This means that you can use a router to, for example, protect end points by regulating (limiting, scrubbing, denying) traffic. In case of say a DoS attack this wouldn't burden the end point with spending CPU cycles on what traffic to accept or drop next to actually providing services but have an edge router bear the full brunt. That's a good thing performance-wise. Also having a router in front of end points allows removes the risk of an end points host-based firewall as a single point of failure. That said, given a similar Linux router and a Linux end point, the firewall itself on each device can be the same functionality and security-wise.
|
|
|
05-03-2014, 11:19 AM
|
#3
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Original Poster
Rep:
|
Quote:
Originally Posted by unSpawn
The difference between a router and an end point is that a router is a single purpose device: it just routes traffic. This means that you can use a router to, for example, protect end points by regulating (limiting, scrubbing, denying) traffic. In case of say a DoS attack this wouldn't burden the end point with spending CPU cycles on what traffic to accept or drop next to actually providing services but have an edge router bear the full brunt. That's a good thing performance-wise. Also having a router in front of end points allows removes the risk of an end points host-based firewall as a single point of failure. That said, given a similar Linux router and a Linux end point, the firewall itself on each device can be the same functionality and security-wise.
|
thanks. makes sense that a DoS occurring at a router would leave the endpoint machines unaffected CPU-wise, but i would think you would end up with the same effect; the host would lose internet access either way, whether it was because its router was being overloaded, or the host itself was being overloaded.
|
|
|
All times are GMT -5. The time now is 02:18 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|