On Mon, Jul 23, 2001 at 02:06:21AM +0900, Marshal Wong wrote:
> Philipp Lehman <[EMAIL PROTECTED]> writes:
> > I can't help you with your lprng question, but a firewall actually
> > makes sense even on a stand-alone workstation or laptop. You can
> > filter in the input chain just like you'd do on a dedicated firewall
> > host.
>
> I'm not an expert on firewalls, but if someone wanted to bring your
> computer to a grinding halt, i.e. DoS, they could just send a whole
> crap of packets, and firewall or no, the processor will have to spend
> all its cycles dealing with these packets. Of course, I guess it
> would happen if you didn't have a firewall too, wouldn't it?

With any decent modern system, you'll likely be dos'ing the line, not
the cpu, unless you have hundreds of ipchains with hundreds of rules
each, which is unlikely to be the case on a personal machine firewall.

A better solution anyway is to have a dedicated firewall machine. That
way, you can install gnome and all the weird stuff that it needs,
without having to fear that any of it is listening directly on an
untrusted network. On a firewall, you can turn off all services except
ip packet forwarding/masquerading. On your desktop, it would impede
your "productivity" (read entertainment and spiffy gui).

Having said that, it may nevertheless be a good thing to also employ
some ipchains rules on your personal desktop. But it would mostly be
useful for monitoring purposes, I think. So it would only be actually
useful if you really regularly check those logs.

Generally speaking though, if you know a bit of unix, don't bother
with those "personal firewall" products, but give a 486 a second life
instead.

Cheers,

Joost