Subj : Port Blocking
To   : Stewart Buckingham
From : Peter Knapper
Date : Sat Apr 06 2002 03:08 pm

Hi Stewart,

> The issue probably comes down to how much do you wish to spend (in time
> and $$$) to make yourself feel "comfortable" with your security. To me,
> it comes

SB> I have the time but I don't have the money :)

I can understand that, it's a fairly common scenario......;-)

SB> I have IBM's Firewall which comes with their MPTN6.0/TCPIP4.3. Setting
SB> it up was a cinch with Alex Taylor's Firewall.inf file but getting my
SB> head around the filters is making me reach for the Tylenol. I also
SB> really wonder how much this slows down the IP traffic?

Surprisingly little, IF it's done right. Now I don't really know too much
about the IBM TCP/IP 4.3 Firewall, however I did have a quick look some
months back and it seems to operate fairly similarly to most PC type
Firewalls. The OS/2 TCP/IP 4.1+ stack came directly from the AIX stack,
which has an excellent reputation for security and performance, so it's a
really good start.

There are a few things to consider with security and Firewalls: placing
Firewall type functionality in a dedicated network device (such as a
router) will usually always outperform a pure PC based solution, simply
because it's designed to do much of its work in H/W, not using processor
power. The CPU is only used for computationally intensive tasks, so basic
switching and routing can be very fast, even when using Access-List
controls.

SB> Just possibly I could spring for In-joy's Firewall if I felt it would
SB> be useful to me. In-joy dialer is top quality and I have no doubt the
SB> firewall would be the same. Have seen only good comments about it
SB> also. There are probably other free/shareware stuff I could look at
SB> too, if there were any recommendations.

Here I have a suggestion.
While Injoy is a fine product, if you can find a 486 with 8MB RAM and a
floppy drive, then a standalone Firewall can be built using FREESCO (a
Cisco "clone" which is not really like Cisco at all) booting from a single
floppy. It's a special Linux configuration that can provide:

- Dial-on-Demand PPP connection,
- up to 3 Ethernet segments, 1 of which can be a Cable/DSL connection,
- DHCP for your local LAN,
- NAT,
- Firewall,
- Accept inbound PSTN callers for Internet access.

99% of the above can be done from a menu system; you do not have to drop
into the Linux CLI to do anything if you don't want to. It can also be
controlled via a web browser, AND it can provide a Web Server for internal
or external users, or both if required...

I have a Freesco box booting from a 30MB FAT HD as backup to my DSL
connection. I used it for about a month before I got DSL and it worked
fine for me, even performing automated connections. The BIG advantage of
using something like this is it moves the Firewall off the PC, and allows
you to play with the PC without compromising your security environment...

> 1.b. With a Dial-up connection that was automated (IE under machine
> control for call placement), then some sort of Firewall is HIGHLY
> desirable. In this case the Firewall would be configured to allow only
> sessions initiated BY MY END of the link, and I would even allow the
> Firewall component to be on the machine I was using.

SB> This could also be me on occasions. Unlikely I'll spring for a
SB> standalone firewall... presume you mean another network pc or a
SB> router here? Besides I like tinkering :)

Yes, as per the Freesco unit above.

Overall, my strongest recommendation is to implement an external Firewall;
that makes securing things a LOT easier than trying to do it on the
"target" machine. With the right S/W, just about any old PC can do the job
as an external Firewall.

Happy hunting.............pk.
--- Maximus/2 3.01
 * Origin: Another Good Point About OS/2 (3:772/1.10)
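The policy Peter describes above, "allow only sessions initiated BY MY END of the link", is what separates a stateful firewall from plain port blocking: the box remembers which flows the inside opened and admits only the return traffic for them. The following is an added illustration written for this page; it is not code from the original post, from FREESCO, or from the IBM Firewall. It models that policy as a tiny connection-tracking filter in Python and runs it over a constructed packet trace using RFC 5737 documentation addresses. The interface names, the flow-table layout and the packet fields are assumptions for the illustration. The iptables rules in the docstring show one common way to express the same policy on a Linux 2.4-era two-interface router (also an assumption; FREESCO itself predates iptables and is not what is shown here).

```python
"""Minimal stateful "egress-only" filter: allow only sessions initiated from
the inside (LAN) plus the return traffic they produce; drop everything else
arriving from the outside (WAN).

Constructed illustration, not FREESCO or IBM Firewall code. On a Linux box
with iptables (an assumption) the same policy for a router with LAN on eth1
and WAN on eth0 is roughly:

    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""
from dataclasses import dataclass

LAN = "lan"   # inside interface (assumed name)
WAN = "wan"   # outside interface (assumed name)


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False


class EgressOnlyFirewall:
    """Tracks flows opened from the LAN; admits only their replies from the WAN."""

    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        # Simplification: entries never expire; a real firewall ages them out.
        self.flows = set()

    def filter(self, p):
        if p.iface == LAN:
            # Anything the inside sends out is allowed and remembered.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if p.iface == WAN:
            if p.proto == "tcp" and p.syn and not p.ack:
                # A bare SYN is a new connection attempt, never a reply,
                # so it is dropped even if the 4-tuple happens to match.
                return "DROP"
            # Reverse the tuple so a reply matches the flow its request created.
            reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "ACCEPT" if reply_key in self.flows else "DROP"
        return "DROP"   # unknown interface: fail closed


def run_trace():
    """Run a constructed packet trace through a fresh firewall; returns verdicts."""
    fw = EgressOnlyFirewall()
    trace = [
        # inside host opens HTTP to an outside server -> allowed, flow recorded
        Packet(LAN, "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
        # server's SYN/ACK is return traffic for that flow -> allowed
        Packet(WAN, "tcp", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),
        # unsolicited NetBIOS probe from the outside -> dropped
        Packet(WAN, "tcp", "198.51.100.7", 51234, "192.168.1.10", 139, syn=True),
        # DNS "reply" nobody asked for -> dropped
        Packet(WAN, "udp", "203.0.113.53", 53, "192.168.1.10", 5353),
        # inside host now sends a real query -> allowed, flow recorded
        Packet(LAN, "udp", "192.168.1.10", 5353, "203.0.113.53", 53),
        # the same reply again -> now allowed because it matches the query
        Packet(WAN, "udp", "203.0.113.53", 53, "192.168.1.10", 5353),
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The point the trace makes is the one behind Peter's advice: the inbound probe to port 139 and the stray DNS reply are dropped not because those ports are on a block list, but because no inside host opened a matching session. Moving this logic onto a separate box, as he recommends, means the flow table and the policy survive whatever you do to the PC behind it.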