> Adam et al:
> 
> > this is an easy way to get it UP and running ..but you still need to block off
> > ports..but you can do that later.....also is this for home or business?
> > If for business...check out www.watchguard.com   they have a $3,500 linux based
> > firewall product "Firebox II" if you need to host email, ftp, etc...if not
> > they have a $350 Watchguard SOHO unit 10-user license and up to 50 users is $700
> > total...these prices are from cdw.com
> 
> Can someone, maybe the poster, explain why a commercially based product
> might be better than IPCHAINS which comes for nothing? Personally I'd
> prefer to pay my IT staff or trusted contractor to set it up...

ipchains is not a stateful inspection firewall.  That means that the
decisions it makes on what to do with a packet are based only upon the data
in that particular packet.  It does not consider whether the packet is part
of an ongoing connection or not.  If you have tried to lock down your box
with ipchains, then you know that you must leave all TCP ports > 1024 open
for HTTP replies (for example).

In a stateful inspection firewall, you could close off your TCP ports >
1024.  When an HTTP request went outbound, the firewall would then expect an
HTTP response and allow it.

Example:

localbox:1055 --> 1.2.3.4:80

   The firewall sees this and for some
   period of seconds or until the
   connection is closed will allow
   incoming packets on port 1055
   only from IP address 1.2.3.4

Whether this extra security is worth it or not is up to you.

I hope you found that helpful.
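The two decision styles described above, as an added example that is not part of the original post: a stateless "ports > 1024 open" rule beside a minimal connection table that admits replies only from the host the request went to, and only while the entry is fresh. The addresses, ports and the 60-second idle timeout are constructed sample values, and connection close is left to that timeout rather than tracked from TCP flags.

```python
# Added example: a minimal model of stateless vs stateful inbound filtering.
# Addresses, ports and the 60-second timeout are constructed sample values.
from dataclasses import dataclass

LOCAL = "10.0.0.5"  # assumed address of the protected host ("localbox")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """ipchains-style rule: every inbound TCP port > 1024 stays open for replies."""
    if pkt.dst != LOCAL:
        return True  # outbound traffic is always allowed in this model
    return pkt.dport > 1024

class StatefulFirewall:
    """Remembers outbound connections and admits only their matching replies."""
    def __init__(self, timeout: int = 60):
        self.timeout = timeout
        self.table = {}  # (local port, remote ip, remote port) -> expiry time

    def allow(self, pkt: Packet, now: int) -> bool:
        self.table = {k: exp for k, exp in self.table.items() if exp > now}
        if pkt.src == LOCAL:  # outbound: record it so the reply can come back
            self.table[(pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        key = (pkt.dport, pkt.src, pkt.sport)  # inbound: must match a known connection
        if key in self.table:
            self.table[key] = now + self.timeout  # refresh the idle timer
            return True
        return False

def demo() -> dict:
    fw = StatefulFirewall(timeout=60)
    out = Packet(LOCAL, 1055, "1.2.3.4", 80)             # localbox:1055 --> 1.2.3.4:80
    reply = Packet("1.2.3.4", 80, LOCAL, 1055)           # the expected HTTP response
    other = Packet("5.6.7.8", 80, LOCAL, 1055)           # same port, different host
    unsolicited = Packet("5.6.7.8", 40000, LOCAL, 2000)  # nothing was ever sent to it
    r = {"reply_stateless": stateless_allow(reply),
         "unsolicited_stateless": stateless_allow(unsolicited)}
    fw.allow(out, now=0)
    r["reply_stateful"] = fw.allow(reply, now=1)
    r["other_host_stateful"] = fw.allow(other, now=1)
    r["unsolicited_stateful"] = fw.allow(unsolicited, now=1)
    r["reply_after_timeout"] = fw.allow(reply, now=120)  # idle longer than 60 s
    return r
```

The stateless rule has to let the unsolicited packet to port 2000 through because it cannot tell it apart from a reply; the connection table rejects it, rejects the same port from a different host, and drops the reply once the entry has aged out.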

