I agree with Andrew's reasons for using LEAF.  It has been my perimeter
firewall for many years.  However, by far, my preferred network
architecture involves a perimeter firewall as a "standalone" box that
does only that "first line of defense" job.  I put some value on being
able to Power-Cycle my perimeter firewall without overly disturbing the
internal network.  IMHO, that simplicity makes for more robust security.
If I can't do the job that way, it makes me re-analyze my plan and see
what I want to do "wrong".  "Fancy" things, like poking holes through a
perimeter firewall, may not always be wrong, but they certainly suggest
a different architecture should be examined.  Putting any sort of
"development tools" on a perimeter firewall is always wrong, IMNSHO.  So
far, so good, but, yes, I concede there are more complex architectures
that might be relevant in advanced cases.

I know many places regularly junk old hardware, and being forced to use
newer stuff can lead to the sort of hardware support problems Andrew has
had. Personally, I put a value on the sort of simplicity to be found in
the old hardware. "Uncomplicated" is a good thing.  The requirement I
have for saving an old box that can be "repurposed" to, say, a LEAF
perimeter firewall is reliability, "it just works".  At this point in
time, a suitable old box can still be found if one looks for it.  And in
at least one case, I've donated an old classic Pentium box to the cause.

It is behind my perimeter firewall where I accept a bit more complexity.
For example, this workstation's iptables has something like 140 rules,
more or less--it's very strict.

One day my position may become untenable, but not yet I think.  Until
then I'll prefer the tried and true.  IMHO, if my LEAF perimeter
firewall still presents a strong, "impenetrable" first line of defense
sitting there alone, it's just fine as it is.
-- 
Paul Rogers
paulgrog...@fastmail.fm
http://www.xprt.net/~pgrogers/
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel