On Sat, 2004-07-24 at 18:56, Scot L. Harris wrote:
> On Sat, 2004-07-24 at 12:34, Bruno Wolff III wrote:
> >
> > I disagree. Hardware routers are pretty much just software routers that
> > you don't (generally) have access to the source for, are harder to update,
> > and may have backdoors as a recent Netgear model did. The router manufacturers
> > have incentive to put in backdoors to cut support costs.
> >
> > There are advantages to having a firewall that is on a separate physical
> > machine, but hardware firewalls aren't magically better than locked
> > down linux boxes not running public services. They may be cheaper, particularly
> > if you don't have an old box sitting around that you can use for a firewall.
> >
> > Even having a separate firewall doesn't buy you that much if you are protecting
> > linux (or BSD) machines as they have very powerful packet filtering software.
> > The main advantages are some convenience bringing up new machines (as they
> > can be attached to the network before being fully hardened) and that since
> > in theory the firewall should be more secure, it is likely to be able to
> > prevent outbound attacks after a compromise which a packet filter on a root
> > compromised machine won't be able to do.
>
> For those that have the skills, time, equipment, money, a hardened linux
> box may be a good alternative. For the vast majority of people out
> there that really just want to use their system for email, web browsing,
> games, and possibly some actual work, a simple dedicated inexpensive
> router/firewall will do a very good job. True it does not have all the
> features of a full blown firewall box but then most people don't need
> fine grained access controls or the ability to filter or trap specific
> packets.
>
> For the price of between 40 and 60 dollars such a firewall can prevent
> most if not all attempts at getting at systems sitting behind it. The
> kind of probing mentioned here is just the kind of thing that such a
> firewall would deflect very easily.
>
> Also, using a dedicated single purpose device usually eliminates a large
> number of the potential holes that a more complex powerful box may
> suffer from if improperly configured. Fewer options equal fewer chances
> to misconfigure things.

I disagree with you and share the opinion of Bruno. If you want to have
other ports open than just simple HTTP or FTP, you'll end up spending at
least the same number of hours configuring your box as you would spend
with your own Linux. (For example I wasn't able to properly set up an SMC
router to let DC++ out/in but filter other outgoing packets.) They're
simply cheaper, quieter, consume less power, dissipate less heat and need
fewer cables. They don't protect better.
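As an added illustration of the two points raised in this thread (a separate Linux box blocking outbound traffic after a LAN host is compromised, and the "let DC++ in/out but filter other outgoing packets" policy), here is an iptables script for a Linux box routing for a LAN. It is example code written for this note, not anything from the posters; the interface name, LAN range, DC++ host address and listen port are assumed values you would replace.

```shell
#!/bin/sh
# Added example (not from the thread): egress filtering on a Linux firewall
# box with iptables. The FORWARD policy drops everything, then a short
# allow-list is punched through, so a compromised LAN host cannot freely
# attack outward. IPT=echo (or the "show" argument) prints the rules instead
# of applying them, which needs no root.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
LAN="${LAN:-192.168.1.0/24}"             # constructed LAN range
DCPP_HOST="${DCPP_HOST:-192.168.1.10}"   # constructed: LAN host running DC++
DCPP_PORT="${DCPP_PORT:-1412}"           # the client's configured listen port (assumed)

egress_rules() {
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -P FORWARD DROP                 # nothing crosses the box unless listed below
    # Packets belonging to connections already accepted, in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Basic client traffic out of the LAN: DNS, HTTP, HTTPS.
    $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # DC++ out: only the DC++ host may reach hubs (TCP 411 is the usual hub port).
    $IPT -A FORWARD -s "$DCPP_HOST" -o "$WAN_IF" -p tcp --dport 411 -j ACCEPT
    # DC++ in: forward the client's listen port (TCP and UDP) to the LAN host.
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$DCPP_PORT" \
             -j DNAT --to-destination "$DCPP_HOST"
        $IPT -A FORWARD -i "$WAN_IF" -d "$DCPP_HOST" -p "$proto" --dport "$DCPP_PORT" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else leaving the LAN is logged (rate-limited) and then hits
    # the DROP policy; these log lines are what reveal a host trying to get out.
    $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -m limit --limit 5/min \
         -j LOG --log-prefix "EGRESS-DROP: "
}

# Print the rule set without touching the kernel.
show_rules() { ( IPT=echo; egress_rules ); }

case "${1:-}" in
    apply) egress_rules ;;
    show)  show_rules ;;
esac
```

Active-mode DC++ transfers connect to ports the remote peer chooses, so an allow-list by destination port admits the hub connection but not those transfers; that is the part of "DC++ out, nothing else" that no port-based firewall, cheap or Linux, solves cleanly.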