Using Fedora as firewall.

Eric Diamond eric at ediamond.net
Sun Apr 18 18:12:06 UTC 2004


Sunday, April 18, 2004 3:00 AM Harry Hoffman screamed:

> If you have more than one account you shouldn't be running X!!!!!!!!!!
> 
> Let me repeat this just in case I wasn't clear: in a firewall running linux
> there is no good reason to be running a windowing system!!!!!!!!!!!!!!!!!!!
> [ !, for space more so than for emphasis! ]. But seriously don't do it,
> X shouldn't even be on your system.

Hello! Why did you just jump down the collective throats of these three
gentlemen? :(

David Petterssen had legitimate questions, Rodolfo J. Paiz provided a
reasonable and on-topic suggestion that would make it easier for David
to achieve his goal (assuming he isn't of the "I must hack it out
myself." mindset. Let's face it, we get both here.) and John Lagrue was
simply relating his experience with the product Rodolfo suggested.

John's closing comment about Enlightenment may or may not have pertained
to his firewall box. You don't know. I don't know. Only he does. But you
want to know something? It doesn't matter either way!

Who are you to state categorically that ANYTHING is a bad idea for
either of them? Specifically when you have almost no knowledge of
David's operational requirements and constraints and absolutely nothing
about either Rodolfo's or John's. 

I've been in this business for almost 25 years and hold the dubious and
totally unprovable distinction of never having any system I have been
responsible for successfully hacked. I've been doing security for a long
time and I'm damn good at it. However, over half the linux firewalls I
have in place run X. And a myriad of other services. This is because
they are in the hands of people who are not comfortable with a command
line and can't afford to have one box dedicated to being a firewall and
nothing else. They need appliance boxes. Plain and simple. 

Don't get me wrong, I shut down X wherever I can, but there are some
customers who want it, and that's that. Besides, a properly configured
iptables script, combined with all (*ALL*) kernel security and iptables
updates can provide a reasonable level of protection. You have to be
vigilant, but then you should be anyway.

Not to mention the folks, and there's a lot of them on this list, who
are brand new to linux, who don't even have two boxes and are stuck in
<shiver> Dual-Boot Land. They've only got one machine directly connected
to the internet. Should they forgo configuring iptables just because
they run a full function workstation? If they're smart they run one for
the windows side of things, why not the linux side?

Or those who have upgraded their windows machines and are loading linux
on their old PC? Whether they want to use the linux box as a gateway or
not, why shouldn't it be firewalled?

Good security is like an ogre (in that ogres are like onions). If you
aren't thinking about and implementing multiple layers, then you're not
secure and never will be (of course none of us ever will be, but that's
a separate philosophical discussion).

Every machine I run is firewalled, even those snugly plugged into
'secure' (secured by me) networks. This is just general principle. It
makes some things a little harder to administer but I find it's a
worthwhile trade-off.

> Now to your real question, are both cards of the same type? If so both should
> be started but maybe only one configured. That should keep the cards as you
> expect them to be. Otherwise decide which one you want as eth0 and bring that
> one up at boot and bring the other up later!

I was going to go on and comment on your actual attempt to help, but
then I'd have to get just plain nasty and after writing what I did
above, I don't feel that's appropriate right now. 

Eric Diamond
eDiamond Networking & Security
303-246-9555
eric at ediamond.net
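As an added example (not code from the original post, from Harry, or from Fedora): the kind of "properly configured iptables script" the reply has in mind for the single-NIC workstation or dual-boot case, where the box runs a full desktop yet still gets a default-deny host firewall. The interface name, the optional admin address and the `-m state` match are assumptions; the rules are emitted as text so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: minimal default-deny host firewall for a single-NIC Linux box.
# Not the original poster's script. WAN_IF and ADMIN_NET are assumptions.
#
# Usage (as root):  . ./hostfw.sh && apply_rules
# Review first:     gen_rules [admin_net]

WAN_IF="${WAN_IF:-eth0}"   # assumption: the interface plugged into the internet
ADMIN_NET="${ADMIN_NET:-}" # assumption: host/subnet allowed to reach SSH (empty = none)
IPT="${IPT:-iptables}"

# gen_rules prints the rule set instead of applying it. Optional first argument
# overrides ADMIN_NET. Note what is absent: nothing opens TCP 6000 (X11), so a
# desktop running X is still unreachable from the network; start X with
# -nolisten tcp as well so the listener never exists in the first place.
gen_rules() {
    admin="${1:-$ADMIN_NET}"
    cat <<EOF
$IPT -F INPUT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # Only expose SSH when an admin address is given, and only to that address.
    if [ -n "$admin" ]; then
        echo "$IPT -A INPUT -i $WAN_IF -s $admin -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    fi
    # Log (rate-limited) what is about to be dropped, then set the DROP policy.
    # The policy goes last so an existing admin session is not cut mid-reload.
    cat <<EOF
$IPT -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
$IPT -P INPUT DROP
EOF
}

# apply_rules feeds the generated rules to a shell; needs root and iptables.
apply_rules() {
    gen_rules "$@" | sh
}

# rule_count reports how many iptables commands the policy contains, useful for
# a quick sanity check that the optional SSH rule did or did not get included.
rule_count() {
    gen_rules "$@" | grep -c ''
}
```

Dropped packets show up in the kernel log with the `iptables-drop:` prefix, which is the cheap "vigilance" the reply asks for: a steady stream of hits on a port you never opened is worth a look. The FORWARD chain is dropped outright because a one-NIC workstation has no business routing.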