Keith Roberts wrote: > On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote: > >> To: CentOS mailing list <centos at centos.org> >> From: Ljubomir Ljubojevic <office at plnet.rs> >> Subject: Re: [CentOS] firewall? >> >> Rudi Ahlers wrote: >>> On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic <office at plnet.rs> wrote: >>>> Keith Roberts wrote: >>>>> So I guess I could configure my single NIC Centos 5.6 >>>>> machine connected to a 4 port ADSL router to act as the >>>>> external Gateway for other machine on the LAN side of the >>>>> router, possibly using NAPT on the Centos box? >>>> Yes, you can do that. You can also use it as a proxy server. >>>> >>>> When I said "firewall", I meant as firewall for the network, facing >>>> outside of the local network. There were people who would bring public >>>> (or semi-public, from ISP) IP to the switch and then hook up all PC's to >>>> that switch and use 2 subnets, one that ISP provided and one for the >>>> local LAN, all on the same switch, to save on hardware. That is not safe >>>> and not wise. >>> Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. >>> But if you have propper firewall rules in place to block incoming >>> traffic from the public IP going to the private IP then it's very >>> safe. >>> >> You are looking only at the safety of the server, not the whole network. >> >> In case od ADSL modems *with NAT-ing* you already have firewall in form >> as ADSL modem, and you are safe. > > That's exactly how my Thompson ADSL router works. By defalut > it blocks any connections coming in from the outside > internet IP address. > > To open a port I have to login to the router, and create > NAPT rule that links an outside port to a machine and port > on the LAN side of the router. > > I did have port 80 NAPT's this way, but now I have removed > that rule, as my websites are hosted on a cloud in a proper > data center. > > So what with the router firewall and then the Linux Kernel > IPtables packet filtering firewall, I actually have two > firewalls running? > Yes, if ADSL router does firewalling (LAN side has private IP) without any port redirection, then you do not need any other firewall, except ip you have sensitive data and open or weak (WEP) wireless AP/router. Ljubomir