04-05-2010, 05:15 PM
Mikkel

recommend hardware firewall

On 04/05/2010 11:51 AM, Michael Miles wrote:
> On 04/05/2010 09:34 AM, Mikkel wrote:
>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>
>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>> software.
>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>> for the last couple of years.
>>> I'm just using the firewall that comes with Fedora 12, is there better
>>> firewall software out there.
>>>
>>>
>> Not for the actual firewall, but there are different front-ends for
>> configuring it. You can pick the one that works best for you, or
>> write your own firewall rules by hand.
>>
>> The actual firewall is part of the kernel. What the firewall
>> software does is help you configure that firewall. When I played
>> with Windows, the firewall was an add-on - kind of an afterthought.
>> I don't know if this is still true.
>>
>> Mikkel
>>
> It is all add on with windows
>
> I tell you my 4 core Phenom II 945 has more than doubled speed going
> from Win 7 x64 to Fedora 12.
>
> These front ends for the firewall in Fedora. Is there one in particular
> that you use?
>
> Michael
I usually use system-config-firewall, as the needs on my desktop and
laptop are fairly simple. I do have 2 sets of rules for the laptop,
depending on whether I am home or traveling. When I am home, the
network is behind a hardware firewall as well. But your needs may
differ from mine.

On a side note, if you want to see the firewall rules set up by the
front end, take a look at /etc/sysconfig/iptables and ip6tables. You
can also run "iptables -L" to see the rules currently in effect. The
iptables command will also let you modify rules without going
through a GUI.

Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
04-05-2010, 06:33 PM
Michael Miles

recommend hardware firewall

It looks like the default desktop config for firewall lets everything
through

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination





This is my iptables file

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



And ip6tables


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m ipv6header --header ah -j ACCEPT
-A INPUT -m ipv6header --header esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT



Michael






 
04-05-2010, 06:51 PM
Rick Stevens

recommend hardware firewall


Make sure you do "iptables -L -n -v". You'll find that a lot of the
open ports are actually restricted to lo (the loopback) on a standard
install, and the "ESTABLISHED,RELATED" stuff is to permit two-way I/O
initiated by the local machine (e.g. web browsing and the like).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Lottery: A tax on people who are bad at math. -
----------------------------------------------------------------------
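
(Added example, not part of Rick Stevens' message or of any other post in this thread.) Plain "iptables -L" leaves out the in/out interface columns, so an "-i lo" rule and an "-i eth+" rule print identically. The Python sketch below parses the INPUT lines of the iptables file posted above and walks constructed packets through them first-match, the way a chain is evaluated. The packet dictionaries, the wlan0 interface name and the 192.0.2.10 address are made up for the illustration, and only the options that occur in that file are handled.

```python
import shlex

# INPUT-chain lines copied from the iptables file posted earlier in the thread.
SAVED = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The single-argument options that occur in that file (nothing else is handled).
OPTS = {"-i": "iface", "-p": "proto", "-d": "dst", "-j": "target",
        "--dport": "dport", "--state": "state", "--reject-with": "reject_with"}


def parse(text):
    """Return (policies, rules) from iptables-save style text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"chain": tok[1], "text": line}
            for opt, val in zip(tok[2::2], tok[3::2]):  # option/value pairs
                if opt in OPTS:
                    rule[OPTS[opt]] = val
                elif opt != "-m":  # "-m <module>" only loads a match module
                    raise ValueError("unsupported option: " + opt)
            rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if the constructed packet dict satisfies every match in the rule."""
    want = rule.get("iface", "+")  # no -i: any interface; "eth+" is a prefix match
    ok = pkt["iface"].startswith(want[:-1]) if want.endswith("+") else pkt["iface"] == want
    if not ok:
        return False
    for field in ("proto", "dst"):  # exact comparison only (no CIDR, no "all")
        if field in rule and rule[field] != pkt[field]:
            return False
    if "dport" in rule and int(rule["dport"]) != pkt.get("dport"):
        return False
    return "state" not in rule or pkt["state"] in rule["state"].split(",")


def verdict(text, chain, pkt):
    """First-match walk of one chain: (target, rule number) or (policy, 0)."""
    policies, rules = parse(text)
    for n, rule in enumerate((r for r in rules if r["chain"] == chain), 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policies[chain], 0


def same_in_short_listing(text, chain):
    """Rule-number groups identical except for -i, a column plain "iptables -L" omits."""
    groups = {}
    for n, r in enumerate((r for r in parse(text)[1] if r["chain"] == chain), 1):
        key = tuple(sorted((k, v) for k, v in r.items() if k not in ("iface", "text")))
        groups.setdefault(key, []).append(n)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    # Constructed packet: a new inbound TCP connection to port 22.
    ssh = {"proto": "tcp", "dst": "192.0.2.10", "dport": 22, "state": "NEW"}
    print(same_in_short_listing(SAVED, "INPUT"))
    for iface in ("lo", "eth0", "wlan0"):
        print(iface, verdict(SAVED, "INPUT", dict(ssh, iface=iface)))
```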
 
04-05-2010, 07:58 PM
Michael Miles

recommend hardware firewall

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
8664K   17G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  485 29100 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 107K 6417K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
53557 8058K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:631
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 9017K packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost amiga5]#

This is the output from the latest command
iptables -L -n -v

I am downloading right now when I executed command

It is somewhat confusing compared to years of Bitdefender
But I would not go back for anything.



Thank you for your help, I really appreciate it.


 
04-06-2010, 12:40 AM
Mail Lists

recommend hardware firewall

Lots of good comments here.

I have seen a befsx (newer than the befsr) which could not keep up
with a cable internet connection - reduced d/l by 20% or so. This was a
nominal 30 Mb/s d/l and the router was definitely the bottleneck.

The primary firewall, linux with over 30,000 rules has no such issue -
it's a 3 GHz Pentium D with 3com 905 C ethernet controllers.

gene


 
04-06-2010, 02:45 AM
Michael Miles

recommend hardware firewall

On 04/05/2010 05:40 PM, Mail Lists wrote:
> Lots of good comments here.
>
> I have seen a befsx (newer than the befsr) which could not keep up
> with a cable internet connection - reduced d/l by 20% or so. This was a
> nominal 30 Mb/s d/l and the router was definitely the bottleneck.
>
> The primary firewall, linux with over 30,000 rules has no such issue -
> it's a 3 GHz Pentium D with 3com 905 C ethernet controllers.
>
> gene
>
>
>
I do plan on an upgrade to a better router

So if I wanted to create a separate machine and put 3 or 4 good lan
adapters on an amd xp 1500
install fedora 12 and use it as a firewall only, would probably be a
good alternative to a 100 dollar router

Michael
 
04-06-2010, 10:52 AM
Michal

recommend hardware firewall

On 06/04/2010 03:45, Michael Miles wrote:
> On 04/05/2010 05:40 PM, Mail Lists wrote:
>> Lots of good comments here.
>>
>> I have seen a befsx (newer than the befsr) which could not keep up
>> with a cable internet connection - reduced d/l by 20% or so. This was a
>> nominal 30 Mb/s d/l and the router was definitely the bottleneck.
>>
>> The primary firewall, linux with over 30,000 rules has no such issue -
>> it's a 3 GHz Pentium D with 3com 905 C ethernet controllers.
>>
>> gene
>>
>>
>>
> I do plan on an upgrade to a better router
>
> So if I wanted to create a separate machine and put 3 or 4 good lan
> adapters on an amd xp 1500
> install fedora 12 and use it as a firewall only, would probably be a
> good alternative to a 100 dollar router
>
> Michael

I know this is a fedora list but OpenBSD with PF will work very well as
a router out the box and well worth a look at (even if it's just for
research purposes)
 
04-06-2010, 11:06 AM
Doron Bar Zeev

recommend hardware firewall

> I know this is a fedora list but OpenBSD with PF will work very well as
> a router out the box and well worth a look at (even if it's just for
> research purposes)



I know this is not to the discussion but I wanted to know,
why would that be different from linux with iptables?

 
04-06-2010, 12:57 PM
Tim

recommend hardware firewall

On Tue, 2010-04-06 at 14:06 +0300, Doron Bar Zeev wrote:
> why would that be different from linux with iptables?

BSD uses a different rule technique. Well it did, the last time I had a
look at it (quite some time ago). I seem to recall it was regarded as
being better.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
04-06-2010, 03:33 PM
Bruno Wolff III

recommend hardware firewall

On Mon, Apr 05, 2010 at 19:45:08 -0700,
Michael Miles <mmamiga6@gmail.com> wrote:
> I do plan on an upgrade to a better router
>
> So if I wanted to create a separate machine and put 3 or 4 good lan
> adapters on an amd xp 1500
> install fedora 12 and use it as a firewall only, would probably be a
> good alternative to a 100 dollar router

Remember that there are also power costs. The $50 routers don't draw as much
power as an old repurposed general purpose machine is going to. They also
come with wireless support.

Depending on what you are going to do with the firewall, it might also be
cheaper to buy just one network card and an unmanaged switch. (8 port switches
were going for about $20 a few years ago.)