[lug] Personal Server Behind DSL Router

David L. Anselmi anselmi at anselmi.us
Thu Jan 11 22:04:33 MST 2007


Ken MacFerrin wrote:
>> I typically don't run iptables on a box like this because all the
>> services it provides are public.  So there isn't anything for iptables
>> to block (obviously there are some other useful things iptables can do).
> 
> Why wouldn't you firewall each machine?  This provides an additional
> layer of protection for your server in case another machine in your
> internal network is compromised (ie: your visiting relative that wants
> to use their spyware filled XP laptop at the house). Given the small
> memory footprint and simplicity of setting up something like shorewall I
> can't see why not to turn it on..

I was talking about public services.  If my public server offers only 
web and ssh, I can't filter those from the Internet.  Seems unlikely I'd 
want to filter those from the internal network either.

Given a few servers internally, what do they run?  SSH.  CUPS.  Bacula. 
I'd probably take my chances with those vs. spyware infested XP. 
Ditto apache.  NFS is a different story.  But locking down services to 
known machines can be a hassle for more than about one machine, unless 
you manage them centrally.

Of course if you don't pay attention to what services are running then 
blocking everything until you decide to allow it isn't a bad idea.

And also your guests should be using a DMZ, not your internal network. 
Especially if you give them WiFi.

But it's all a matter of tradeoffs.

FWIW, I didn't find shorewall very easy to use.  Somewhere it got hung 
up between its various files and didn't recognize the interfaces I had. 
fwbuilder seemed much easier.

Dave
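The policy the thread argues over (default-deny, public web and ssh open to everyone, internal-only services such as CUPS, Bacula and NFS restricted to a central list of known machines) can be kept in one small script, which is what makes it manageable for more than one box. Added example, not code from the post or from shorewall/fwbuilder; the interface, addresses and port list are assumptions, and the script only prints the iptables commands so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: generate (not apply) a host firewall ruleset for a small
# server that is public for web/ssh but restricts other services to known hosts.
# Assumed, constructed values: adjust KNOWN_HOSTS and ports to your own network.
KNOWN_HOSTS="192.168.1.10 192.168.1.11"        # trusted internal machines (constructed)
PUBLIC_PORTS="tcp/80 tcp/22"                   # web and ssh: cannot be filtered anyway
# CUPS 631, Bacula 9101-9103, NFSv4 2049 (NFSv3 also needs rpcbind/mountd ports)
INTERNAL_PORTS="tcp/631 tcp/9101 tcp/9102 tcp/9103 tcp/2049"

# gen_rules: print the iptables commands for the policy, one per line.
gen_rules() {
    echo "iptables -P INPUT DROP"                       # block everything by default
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_PORTS; do                           # open to the whole Internet
        proto=${p%/*}; port=${p#*/}
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
    for p in $INTERNAL_PORTS; do                         # only from the known-host list
        proto=${p%/*}; port=${p#*/}
        for h in $KNOWN_HOSTS; do
            echo "iptables -A INPUT -p $proto --dport $port -s $h -j ACCEPT"
        done
    done
}

# count_rules: number of generated commands, a quick sanity check on list sizes.
count_rules() { gen_rules | wc -l | tr -d ' '; }

# Review the output, then apply with: gen_rules | sh
gen_rules
```

Guests on a DMZ or WiFi segment are simply absent from KNOWN_HOSTS, so the default DROP policy covers them without a separate rule.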
