Diet-Router: Security
Diet-Router: Security
If you are using this router, you have to decide what securitymodel you wish to implement. There are basically three models.
This is the most restrictive model regarding ip connections. You will disable ip-forwarding in the firewall startup script and use proxy only. There will be nearly no chance for an attacker to get a direct connection to your LAN behind this router. The downside of this model is, that the current version of diet-router only implements a DNS and HTTP/HTTPS proxy. This is enough to surf in the world wide web with a browser, but nothing more.
I think this is the most interesting model. Use this router as a proxy for DNS and HTTP/HTTPS and allow a minimum of other protocols to pass the firewall (e.g. ssh and smtp). Set up your firewall to be as restrictive as possible.
The goal of this model is to have no services running on your router, which makes it very hard to attack the router. Even if you use this router as a masquerading one and you only allow connections to be established from your lan the to outside: don't feel safe.
This model may also be the best, if you provide proxy services for the needed Internet services on other servers and allow only this servers to access the specific service on the Internet.
A lot of client software (browsers, mail and irc clients, ...) has serious bugs, which makes it possible to retrieve sensitive data from a local computer even if this computer has no direct Internet connection. The Diet-Router software can't protect you about that software, so don't feel save!