On Tue, 21 Mar 2000, Ward William E PHDN wrote:

> Jerry,
> 
> If you reread the post, he's getting a 4 port 10/100 hub INTERNAL to the
> firewall.  Since that runs ~US$75 or thereabouts, he's only paying about

I get 5-port DLINK hubs for ~US $40 and 9-ports < $50 US.  Also, if he
doesn't have any ethernet card in the P-II then it will be an extra $30 
or so.

> $75 for the firewall that way.  You suggest a $30 nic, and the sacrifice
> of the Pentium 200...  I say, GO FOR IT.  I'd rather keep the Pentium as
> a separate machine for the $45 cost that I would have, since the Firewall
> is going to be beaten on.  That way, you don't have the overhead on the 
> machine of the scanners, you don't have to worry about failure on the
> Pentium taking you down, etc.  

He made it sound like he wasn't going to use the P-II.  I know that it's
overkill to use one in a home network, since I usually put 486's to work
(ipchains = new life for 486's!), but if money is the issue, the cheapest
way is to use his P-II.  Also, I know several people who run ipchains
on their workstation without noticeable performance hit complaints.
(Of course they weren't sharing cycles with other machines trying to get
packets out to the net.)  I don't think that major bandwidth or 
cycles are burned by the port scanners very often.  If you're 
concerned, you can run portsentry and log the babies' activities, 
report them to the ISP. 

It isn't an exclusive either/or with using the P-II as a workstation or a 
masquerade box.  You can also buy old 486's from places like a Duke 
University Surplus store for around US $30 (don't need a monitor...) if 
you want to keep the P-II/200 for a separate workstation.  You're still
a little money ahead.

However, even if money is not the primary criterion for the choice,
what about the other criteria:

performance, flexibility, supportability,...

Have you ever tried to get up with a support hot line from some of these
companies?  What about bugs and updates?  You don't think they'll be
subject to security problems at some point?  All it takes is a bunch of
bored hackers who get tired of trying Linux boxes as targets and try
another challenge. Harder and stranger things have happened.

In my mind, these are every bit as important, and having used similar boxes
and having set up several ip masq boxes, I'd say the ip masq solution
is superior, if you have your own cheap box to put it on.  He might be
able to borrow an extra card and hub just to test it first.  Then he'd
really have nothing to lose by trying.

However, some people like the idea of a nice neat small "black box" 
solution.  They may perhaps regard the proprietary box as being 
well supported and the do-it-yourself solutions as unsupported.  I happen to 
disagree with this view, but it is still a common notion.  The box is 
probably a nice little box.  I'm glad to see the prices of such boxen 
have come down. 

It's nice to have choices!  To each his own!  
I'm also glad to not be left at the mercy of proprietary solutions if 
I choose not to.   I'm glad to be part of a community that helps support
one another in our quest for open source solutions.

***************************************************************************
Jerry Winegarden                OIT/Technical Support      Duke University
[EMAIL PROTECTED]                http://www-jerry.oit.duke.edu
***************************************************************************
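For readers who want to see what the "ipchains = new life for 486's" masquerade box in the message above actually amounts to, here is an added example ruleset. It is not Jerry's or Ward's code and was not part of the thread. It assumes (none of this is stated in the thread) a Linux 2.2 kernel with ipchains, eth0 on the ISP side, eth1 on a 192.168.1.0/24 home LAN; the interface names and subnet are placeholders. ipchains was replaced by iptables with the 2.4 kernel, so the flags below apply to 2.2 only. The script prints the ruleset by default so it can be reviewed on any machine; `--apply` pipes it to sh on the firewall.

```shell
#!/bin/sh
# Added example of an ipchains masquerade ruleset; not code from the thread.
# Assumed (not from the thread): Linux 2.2 + ipchains, eth0 facing the ISP,
# eth1 facing a 192.168.1.0/24 home LAN. Adjust these three values.
EXT_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# emit_rules prints the commands instead of running them, so the ruleset can be
# reviewed (or syntax-checked with sh -n) on a box that has no ipchains binary.
emit_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
# Only the LAN is masqueraded out the external interface; in the ipchains
# forward chain, -i names the OUTGOING interface.
ipchains -A forward -s $LAN_NET -i $EXT_IF -j MASQ
# Anti-spoofing: our own LAN range must never arrive from the ISP side.
# -l logs the packet to syslog before it is dropped.
ipchains -A input -i $EXT_IF -s $LAN_NET -l -j DENY
# New inbound TCP connections (SYN only, -y) from the net are logged and
# dropped; this is what a port scan looks like in /var/log/messages.
ipchains -A input -i $EXT_IF -p tcp -y -l -j DENY
EOF
}

# apply_rules executes the emitted commands. Needs root and ipchains installed.
apply_rules() {
  emit_rules | sh
}

# count_rules returns the number of ipchains commands in the ruleset, a cheap
# sanity check that the heredoc expanded as intended.
count_rules() {
  emit_rules | grep -c '^ipchains '
}

case "${1:-}" in
  --apply) apply_rules ;;
  *)       emit_rules ;;
esac
```

The forward chain is deny-by-default, so only traffic sourced from the LAN ever leaves masqueraded; the two logging rules on the input chain are the part that gives you the scan records the message above suggests handing to the ISP. The LAN_IF variable is kept for the reader who wants to add per-interface input rules for the inside; the ruleset as written does not restrict the LAN side.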


