
[cobalt-users] Re: compilation errors



In cobalt-users digest, Vol 1 #2177, Stefan Osterlitz wrote:
<snip>
I would appreciate a firewall solution for a RaQ 3, too

<$0.02>
Generally - don't cook up something on a Raq3, install it alongside the other services on the box and believe yourself safe. I don't trust myself enough to let this be my only defense. From what I see in the list, many "Appliance-drivers" should be careful about this strategy too. The simple truth about network security is that it's a full-time job (and I don't have enough time to be a full-time student of internet security :^)

Portsentry, tripwire et al. are good as a second line of defense, but

Preferably, set up a 3-zone firewall as a separate box, with internal and external nets and the public servers (RaQs) on a DMZ. Use a "Deny unless specifically allowed" policy, try to use automatic blocking wherever possible, and NAT the internal network.

The firewall may be a linux-based solution (in that case, be _very_ sure of what you're doing - see above), an "appliance" (Cisco PIX, Watchguard Firebox II etc.) or a software firewall (CheckPoint etc, NOT a "personal" firewall).

Try to find a firewall that lets you proxy incoming services like ftp, smtp etc. From my experience a product like the Cisco PIX or the WatchGuard FireBox II should serve you well.

My strategy (and it has been for a long time) is to outsource DNS, and concentrate on specific services (http, smtp and pop). Other services, like incoming ftp or telnet, are only allowed from specific hosts on an "as needed" basis.

</$0.02>

Johan-Kr
--
Johan-Kristian Wold, M.Sc.     |
Computer systems administrator | Recursive: Adj. See recursive.
Nor-Trykk Narvik AS            |
jkwold@xxxxxxxxxxx             |                            SAM007HM02
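For readers who go the Linux route, here is what the three-zone, deny-unless-allowed, NAT-the-internal-net layout above looks like as an iptables ruleset. This is an added example, not code from the post or from any product named in it; the interface names, network ranges, server addresses and the single admin host are all assumed values for illustration.

```shell
#!/bin/sh
# Three-zone default-deny firewall on Linux/iptables (assumed layout):
#   eth0 = external (Internet), eth1 = DMZ (the RaQs), eth2 = internal LAN.
# All addresses below are constructed for the example (documentation ranges).
EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
DMZ_NET=192.0.2.0/24          # public servers
INT_NET=10.0.0.0/24           # NATed internal network
WEB=192.0.2.10; MAIL=192.0.2.20   # RaQ hosts serving http / smtp+pop
ADMIN_HOST=198.51.100.5       # the one remote host allowed ftp/telnet in

# fw_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed (or tested) first and applied with: fw_rules | sh
fw_rules() {
  cat <<EOF
iptables -F; iptables -t nat -F
# Deny unless specifically allowed: drop everything by default.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# The firewall itself: loopback, replies, and ssh only from the internal LAN.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
# Replies to connections already allowed through may pass.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal LAN may reach the Internet and the DMZ; it is NATed behind the box.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE
# Public services on the DMZ: only http, smtp and pop3 from anywhere.
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB  -p tcp --dport 80  -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25  -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $MAIL -p tcp --dport 110 -m state --state NEW -j ACCEPT
# ftp/telnet into the DMZ only from the named admin host, "as needed".
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ADMIN_HOST -d $DMZ_NET -p tcp -m multiport --dports 21,23 -m state --state NEW -j ACCEPT
# DMZ hosts may never open connections into the internal LAN (a compromised
# RaQ must not become a foothold); everything else hits the DROP policy.
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
EOF
}
```

The ftp data channel needs the kernel's ftp connection-tracking helper to be loaded for the 21/23 rule to work end to end; proxying ftp at the firewall, as the post suggests, sidesteps that.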