[lug] Why Do I Need a Firewall?

Bill Thoen bthoen at gisnet.com
Fri Oct 5 07:15:16 MDT 2007


On Thu, Oct 04, 2007 at 10:44:25PM -0600, David L. Anselmi wrote:
> Bill Thoen wrote:
> >Thanks... This is convincing. I guess it's like a ship; as long as the hull
> >isn't punctured, there's no need for watertight compartments. But if you
> >spring a leak, a second level of defense can make all the difference
> >whether you later sail into port or sleep with the fishes.
> >
> >I'm going to keep my firewall and probably add some rules to the OUTPUT
> >chain too.
> 
> So then you already have a reliable and tested recovery process, right?
> 
> I know, it's obvious, but sometimes worth mentioning.

Good point. But when I set up this particular machine, I made a conscious
decision to not worry about that too much as the purpose of this machine
was to experiment with various open source GIS and database software.  I
figured if I got hacked then I'd just rebuild the system using all the
latest software. Meanwhile I have carefully documented the steps I took to
compile, install and configure all the packages that I've been playing
with. 

But now I've got a lot of things working and though I could reliably
recover by re-installing, that would take too long. So now I'm trying to
learn enough system administration to secure the machine. For now, the only
thing I know to do regarding recovery is make large tarballs via a cron
process and hope it's enough to put Humpty Dumpty back together again after
it gets toppled off its wall. I suppose it would be a good idea to review
things and develop a formal recovery plan.

The problem with being a Linux newbie is that there is so much that you don't
know, while the Bad Hats know so much and also amplify their attacks via
automatic hacking software. You have to pick and choose what you want to teach
yourself and my business is mapping and GIS. So I concentrate on that. I
try to add to my knowledge as I can, but I think when the time comes to set
up a mapping/GIS server that is mission-critical, I'll subcontract out the
sysadmin part of the job to someone who knows the ropes. 

- Bill Thoen



