On Tue, 4 Feb 2003, Mikhail Teterin wrote:

> On Tuesday 04 February 2003 06:44 pm, Wes Peters wrote:
> = On Tue, 2003-02-04 at 08:42, Mikhail Teterin wrote:
> = > Using two cards, where one works fine, is against aesthetics :-)
> = > That's my primary reason, although there are only two slots left in
> = > the machine, indeed.
>
> = OK, that's a completely acceptable answer, but I suspect we're going
> = to differ strongly on the finer points of "works fine."
>
> The primary point is to provide the NAT service. A "REAL" firewall has
> to be a separate machine with read-only disks and what not. The
> apartment is not that big :-) "Works fine".
To my mind, a "REAL" firewall needs to sit between the internal and
external LAN segments. Any box which doesn't occupy that position is not
a firewall, real or otherwise, because packets can go around it.

I used to run a NAT service of the type you describe, for the reasons
you describe. This was back when Ethernet cards weren't essentially free
in my neighborhood :-). But, eventually I decided that a firewall box
which also runs services (email, http, etc.) but which provides the only
means for the packets to get from the external to internal Ethernet
segments was better than nothing. Maybe someone could/would leverage an
Apache exploit into root access on the firewall, and thence to full
access to the internal net, but at least that provides _some_ bar they
have to jump over!

Later,
scott

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message