[Gloucs] New router advice

Anthony Edward Cooper aecooper at coosoft.plus.com
Thu Dec 28 19:28:28 GMT 2006


    Yup, home use router/firewalls aren't that sophisticated when it 
comes to DMZ machines. If you get a box that does do it you will 
probably be paying `professional prices', say ~£1800 upwards for a good 
name. As for exposing a well patched machine... You would still be 
exposing the IP stack in the kernel so there is still a chance that they 
could get in or do a DoS attack (albeit very unlikely).

    Having said that I thought most home router/firewalls, whilst 
allowing full incoming internet access to a specific `DMZ machine', also 
allow the forwarding of specific ports to a machine. There is still no 
concept of a DMZ subnet though. My Vigor 2600 certainly does this and I 
have used it to expose web servers and game servers on specific 
occasions without exposing the whole machine.

    Quite frankly I would either stick with what you have got, get a 
cheap PC, set up SmoothWall in VMware or not bother about a DMZ and get a 
home router/firewall. Have you thought of a mini ITX box (perhaps a bit 
OTT price wise)? Also I suspect that any router/firewall that did do 
what you want would draw a similar wattage to a low power PC.

    Tony.

Simon Lewis wrote:

> On 27 Dec 2006, at 18:50, Paul Broadhead wrote:
>
>> Not strictly Linux but you folks are a knowledgeable bunch...
>>
>> I currently have a Smoothwall box performing the router/firewall
>> function on my network.  It's an old PC, it will break one day and it's
>> consuming lots of power being on 24/7.  I was thinking of replacing it
>> with a small, lower power box from the likes of Netgear or D-Link.
>>
>> The problem is they don't appear to be as good.  The main feature
>> they appear to lack is a proper demilitarized zone (DMZ), i.e. one that
>> makes use of a separate subnetwork.  Smoothwall not only fully protects
>> the DMZ only allowing through ports you specify, but also allows you to
>> provide controlled access into your internal network should you wish.
>>
>> The boxes I've looked at so far allow you to "fully expose" a machine to
>> the WAN side but the "DMZ" machine will have full internal network
>> access, doesn't sound very DMZ to me!
>>
>> Any experience out there that can help me find what I'm looking for?
>> Alternatively, a recommendation for a small, cheap, low power PC that
>> can run Smoothwall with three network ports would be great.
>>
>> Regards and happy Christmas,
>> Paul
>
>
>
> Hi Paul,
>
> In terms of DMZ, all purchased routers tend to do is allow full port
> forwarding to one IP.  Not a proper DMZ but it's only for home...
>
> If you ensure that your local machines have a firewall and are fully
> patched against the services they export outside of the NAT you
> should be ok (#1).
>
> In terms of buying a solution: Linksys (Cisco) and Netgear and Belkin
> seem to be reliable.
>
> If you have trouble with QoS put a m0n0wall box in.... works a treat.
>
> Hope that helps,
>
> Simon
>
> #1. I stand to be corrected ;)
>
>
>
>
>
> _______________________________________________
> gloucs mailing list
> gloucs at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/gloucs
>


-- 
If at first you don't succeed... Delegate.

Pay a visit to my home page at:
http://www.coosoft.plus.com/
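
The separate-subnet DMZ discussed in this thread (only specified ports reach the DMZ, plus controlled access from the DMZ into the internal network), written as an nftables ruleset for a three-interface Linux box. This is an added example, not part of the original messages and not Smoothwall's own configuration; the interface names, addresses and ports are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Interface names, addresses and ports are constructed assumptions.
flush ruleset

define WAN = "eth0"            # internet side
define LAN = "eth1"            # internal network, 192.168.1.0/24
define DMZ = "eth2"            # separate DMZ subnet, 192.168.2.0/24
define DMZ_WEB = 192.168.2.10  # published server in the DMZ
define LAN_DB = 192.168.1.20   # one internal host the DMZ server may reach

table inet fw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN tcp dport 22 accept    # administer the firewall from the LAN only
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept

        # WAN -> DMZ: only the published ports, only to the published host
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
        # LAN -> WAN and LAN -> DMZ: internal clients may initiate
        iifname $LAN oifname { $WAN, $DMZ } accept
        # DMZ -> WAN: outbound for updates
        iifname $DMZ oifname $WAN accept
        # DMZ -> LAN: a single controlled pinhole
        iifname $DMZ oifname $LAN ip saddr $DMZ_WEB ip daddr $LAN_DB tcp dport 5432 accept
        # Anything else (WAN -> LAN, other DMZ -> LAN) falls to policy drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

With this layout the published server can open connections into the LAN only through the one pinhole rule, whereas a consumer router's "DMZ host" sits on the LAN itself, so no forward rule stands between it and the other internal machines.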



