>>>>> "Neil" == Neil <firstname.lastname@example.org> writes:

Neil> We are interested in running a firewall for a single machine,
Neil> and would obviously like to minimize the amount of hardware we
Neil> are using.

When building firewalls, don't prune down the number of components too
much. If you're going to be using FreeBSD as your packet filter, make
sure that you've got a packet filtering router (or another very well
locked down FreeBSD machine) out in front of it.

Having a single point of security failure is a naughty, naughty thing
in the context of firewalls. Be sure to design your system such that
several "impossible" things will need to happen before an attacker is
able to get into your network.

See Ches & Bellovin's _Firewalls_and_Internet_Security_, and/or
Chapman and Zwicky's _Building_Internet_Firewalls_ for details on the
(lack of) wisdom in putting all of your eggs in one proverbial basket.

C Matthew Curtin MEGASOFT, INC Chief Scientist
I speak only for myself. Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
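The layered design the reply argues for (a screening router in front of the FreeBSD packet filter, each with its own default-deny ruleset) can be modelled in a few lines. The following is an added illustration, not code from the post or from any of the books it cites: two first-match, default-deny rule lists evaluated in series, so a packet only reaches the inside if every layer accepts it. Addresses are constructed from the 192.0.2.0/24 documentation range, and the model is deliberately simplified (no connection state, interfaces or direction), which is an assumption of this example rather than a property of ipfw or any real router.

```python
"""Two independent packet filters in series (added example, not from the post).

Each layer is a first-match ruleset with an implicit default deny. A packet
is admitted only when *both* the outer router and the inner host allow it,
so a single mistake on one box is not enough to expose the network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate(rules: List[Rule], p: Packet) -> bool:
    """First matching rule decides; a packet matching nothing is denied."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False  # default deny


def passes_layers(layers: List[List[Rule]], p: Packet) -> bool:
    """True only if every layer, outermost first, allows the packet."""
    return all(evaluate(rules, p) for rules in layers)


# Constructed topology: inside network 192.0.2.0/24, mail host 192.0.2.25.
INSIDE = "192.0.2.0/24"
MAILHOST = "192.0.2.25/32"

# Outer screening router: only SMTP to the mail host gets through.
ROUTER_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", MAILHOST, 25),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Inner FreeBSD packet filter: same policy, plus a rule dropping packets that
# claim an inside source address while arriving from outside (anti-spoofing).
HOST_RULES = [
    Rule("deny", "any", INSIDE, "0.0.0.0/0", None),
    Rule("allow", "tcp", "0.0.0.0/0", MAILHOST, 25),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

# A broken outer layer: someone left an "allow everything" rule at the top.
BROKEN_ROUTER_RULES = [
    Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", None),
] + ROUTER_RULES

# Constructed sample traffic.
SMTP_IN = Packet("tcp", "198.51.100.7", "192.0.2.25", 25)
TELNET_IN = Packet("tcp", "198.51.100.7", "192.0.2.25", 23)
SPOOFED = Packet("tcp", "192.0.2.9", "192.0.2.25", 25)


def demo() -> dict:
    """Decisions for the sample packets under a sound and a broken outer layer."""
    sound = [ROUTER_RULES, HOST_RULES]
    broken = [BROKEN_ROUTER_RULES, HOST_RULES]
    return {
        "smtp_sound": passes_layers(sound, SMTP_IN),
        "telnet_sound": passes_layers(sound, TELNET_IN),
        "telnet_broken_router_alone": evaluate(BROKEN_ROUTER_RULES, TELNET_IN),
        "telnet_broken_layered": passes_layers(broken, TELNET_IN),
        "spoofed_layered": passes_layers(sound, SPOOFED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'pass' if verdict else 'drop'}")
```

The interesting line of output is the pair for telnet under the broken router: the outer layer on its own would admit it, but the layered arrangement still drops it, which is exactly the "several impossible things must happen" property the reply describes. Swapping either layer for a pass-through would make the remaining one a single point of failure.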