[CentOS] Do I need a dedicated firewall?

Thu Dec 12 15:59:06 UTC 2013
m.roth at 5-cent.us <m.roth at 5-cent.us>

Fred Smith wrote:
> On Wed, Dec 11, 2013 at 09:00:25PM -0800, Jason T. Slack-Moehrle wrote:
>> Hi All,
>>
>> So my electricity bill is through the roof and I need to pare down some
>> equipment.
>>
>> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
>> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
>> giving this server a public IP and plugging it directly into my cable
>> modem. This box can handle everything with room for me to do more.
>>
>> Doing this would allow me to power down my pfSense box and additional
>> servers by consolidating onto this single box.
>>
>> I have the firewall on on the server and only allowing the few ports I
>> need.
>>
>> I don't run ssh on 22

Were you planning on ssh'ing in from outside? Remember, security through
obscurity isn't security. nmap, for example, would find it.
>>
>> What do you guys think?
>
> You certainly CAN do it that way.
>
> Being paranoid, I'm in favor of having one "box" that does
> firewall/routing duties
> without any other apps running, to reduce the exposed "attack surface".

Yup. For about 10 years, I ran an old PC at home with redhat 7.x, then 9.
(pre-fedora/RHEL). I had *nothing* on it - no compilers, no languages not
required, no web stuff, no *nuthin'*. Then I ran Bastille Linux on it
(that's not a distro, it's a set of hardening scripts - everything not
explicitly required is verboten). To the best of my knowledge, I never had
an intrusion. Of course, I wasn't offering an open website....
>
> I used to run a Smoothwall GPL box as firewall, but like you, I wanted to
> do a little something about the power usage. My "solution" was a dedicated
> consumer router, which used probably (not measured) a tenth of the juice
> of the old PC that ran Smoothwall. I used dd-wrt on it instead of the
> original firmware.

Doing that now - uses a *lot* less power. Now, if I could just find a
firmware that meets my needs....

     mark
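The thread turns on two claims about the single-box setup: the host firewall only admits "the few ports I need", and moving sshd off port 22 buys nothing because a scan still finds it. The following is an added example, not code from the thread or from CentOS, that checks both from the defender's side: it parses `iptables -S` style output (the sample ruleset below is constructed for illustration and is not anyone's real configuration), confirms the INPUT chain ends in a default deny, and lists every port the chain accepts, so a relocated sshd port shows up as plainly as 22 would.

```python
"""Audit an iptables INPUT chain for default-deny and the set of accepted ports."""

# Constructed sample in `iptables -S` (rule-spec) format; hypothetical host,
# chosen to look like a CentOS 6 ruleset with sshd moved to 2222.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

TERMINAL_TARGETS = ("DROP", "REJECT")


def parse_rules(text):
    """Split `iptables -S` output into chain policies and tokenised -A rules."""
    policies = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "-P" and len(tokens) == 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A":
            rules.append(tokens)
    return policies, rules


def _target(tokens):
    """Return the -j target of a tokenised rule, or None if it has none."""
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def accepted_ports(rules, chain="INPUT"):
    """Set of (proto, port) pairs the chain explicitly ACCEPTs by --dport."""
    ports = set()
    for tokens in rules:
        if tokens[1] != chain or _target(tokens) != "ACCEPT":
            continue
        if "--dport" not in tokens:
            continue  # e.g. loopback, icmp, state-tracking rules
        proto = tokens[tokens.index("-p") + 1] if "-p" in tokens else "any"
        ports.add((proto, tokens[tokens.index("--dport") + 1]))
    return ports


def input_chain_is_default_deny(policies, rules):
    """True if INPUT's policy is DROP/REJECT, or its last rule is an
    unconditional DROP/REJECT (the CentOS 6 default layout)."""
    if policies.get("INPUT") in TERMINAL_TARGETS:
        return True
    input_rules = [t for t in rules if t[1] == "INPUT"]
    if not input_rules:
        return False
    last = input_rules[-1]
    # Unconditional means nothing between "-A INPUT" and "-j": index of -j is 2.
    return _target(last) in TERMINAL_TARGETS and last.index("-j") == 2


def audit(text):
    """Summarise the ruleset: default-deny verdict plus sorted 'proto/port' list."""
    policies, rules = parse_rules(text)
    return {
        "default_deny": input_chain_is_default_deny(policies, rules),
        "open_ports": sorted(f"{p}/{d}" for p, d in accepted_ports(rules)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    print("INPUT default-deny:", report["default_deny"])
    print("Accepted ports:", ", ".join(report["open_ports"]))
```

Run against real output with `iptables -S INPUT | python3 audit.py`-style piping by reading stdin instead of `SAMPLE_RULES`; the one thing to watch is the default-deny check, which accepts either a DROP policy or a trailing unconditional REJECT, since CentOS 6 ships the latter. The `open_ports` list is the same information a remote port scan would reveal, which is why port 2222 appears there exactly as 22 would.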