No religious war happening here. Linux is what I've got set up at work and
at home, and it's where I've got most of my Unix experience from. I'm
thinking of putting OpenBSD or FreeBSD on one of my boxes at home, though,
just to try it out.
The thing I like about having a firewall that does port forwarding is that
it's easier to have a heterogenous environment behind the firewall that
provides all the different services. For instance - me and the guy upstairs
have networked all of our machines and are sharing a DSL using Linux and IP
Masquerade. He's working on his MCSE (horrors), so he has to learn how to
set up the different services on his NT box. For the most part, we just
forward the right ports from the firewall to the NT box. And I've got a web
server behind the firewall running Linux.
Anyway, whatever setup you've got, any web server should only allow
connections on port 80 at the routable IP. It's just easier to keep the
scr1p7 k1dd13s out when you've only got one service to possibly exploit.
And if it's a relatively dumb one (like HTTP), that's even better.
Neil
-----Original Message-----
From: Peter Galbavy [mailto:peter.galbavy@knowledge.com]
Sent: Thursday, July 06, 2000 9:19 AM
To: Neil Toronto; pgsql-admin@postgresql.org
Subject: Re: [ADMIN] Firewall setup
> Voila! You have yourself an ultra-secure site, as long as you properly
lock
> down your firewall (turn off telnet, ftp, etc.).
Not trying to start a reigious war, but for this sort of thing look at
OpenBSD (http://www.openbsd.org) Apart from the ongoing code audit, the
transparent filtering bridge is a great backfill for filtering, as it
requires no change to the "shape" of your network.
Peter
