Russell L. Harris <rlhar...@broadcaster.org> wrote:

> From the standpoint of protection of a LAN (two or three machines)
> for a home or home office, how effective is a firmware-based
> firewall/router in comparison with a software-based stand-alone
> firewall/router? Is either significantly better than the other?
Firmware-based will probably be on a lower-powered device - and therefore more energy friendly. You should be able to get one that is sufficiently sophisticated to handle pretty much all your SoHo needs.

> I am thinking in terms of devoting an old computer (200 MHz Pentium)
> to the task of firewall/router.

Plenty sufficient.

> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

I'm not aware of a firewall application that provides a default secure configuration. (That could be as harsh as "nothing in, nothing out", or a little more relaxed such as "nothing in, anything out". It depends on your requirements.)

My preference is shorewall, but that's not GUI based and you do need to understand firewalls "enough" to make some sensible decisions. I've tried to use fwbuilder in the past but I couldn't get my head around how to make the GUI do what I wanted.

The shorewall website has some pretty good worked examples for different scenarios.

A really simple "nothing in, anything out" for an end-point workstation can be defined like this -

    # Erase the rules associated with the INPUT chain
    iptables -F INPUT
    # Allow in anything that is part of a known connection
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Put other ALLOW rules here
    # e.g. inbound to tcp port 80 (the rule needs a target, -j ACCEPT):
    iptables -A INPUT -p TCP --dport 80 -j ACCEPT
    # Reject anything else coming in via eth0
    iptables -A INPUT -i eth0 -j REJECT

But it gets more complicated if you're going to route from one interface to another - which is why a "default" ruleset isn't always one that's going to work. For starters, you need to define which interface is "external" and which one(s) are "internal".

Chris

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/ekq049x72q....@news.roaima.co.uk
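The reply above stops at a single-interface workstation ruleset and notes that routing between an "external" and an "internal" interface is where a default set stops being generic. The following is an added example, not code from the original post or from shorewall, that carries the same "nothing in, anything out" policy through to a two-interface SoHo router. The interface names eth0 (external) and eth1 (internal) are constructed placeholders; the rules are generated as text first so they can be reviewed before anything is applied on a live box, and the script refuses to generate a set where both interfaces are the same.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal two-interface
# "nothing in, anything out" ruleset that also routes LAN -> WAN with NAT.
# EXT is the interface facing the ISP, INT faces the LAN. eth0/eth1 below
# are constructed placeholders; substitute the real device names.

# Emit the iptables commands instead of running them, so the full set can
# be read (or diffed against the running config) before it is applied.
gen_rules() {
    ext="$1"
    int="$2"
    if [ "$ext" = "$int" ]; then
        echo "external and internal interface must differ" >&2
        return 1
    fi
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}

# Number of iptables commands in the generated set (handy for a quick
# "did the generator change" check in a test).
count_rules() {
    gen_rules "$1" "$2" | grep -c '^iptables'
}

# Apply the generated set and turn on IPv4 forwarding. Needs root; only
# run this once the output of gen_rules has been reviewed.
apply_rules() {
    gen_rules "$1" "$2" | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage (review first, then apply on the router):
#   gen_rules eth0 eth1
#   apply_rules eth0 eth1
```

The default DROP policies on INPUT and FORWARD replace the trailing REJECT from the workstation example: with two interfaces it is easier to reason about "everything is denied unless a rule says otherwise" than to remember to close off each chain separately. Note there is deliberately no FORWARD rule from the external to the internal interface, so new inbound connections from the WAN never reach LAN hosts; only replies to connections the LAN opened are forwarded back by the ESTABLISHED,RELATED rule.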