[gmcenroe]

I am getting back into my Indigo2 after about a year in which I had it turned off. I have had this computer since about 2000, and added peripherals to it, updated the OS from 5.3 to 6.5.22 and had it on the internet. At one point I had it on the internet probably with no firewall and my ISP complained to me about the large amount of data transfers on my service that was exceeding the normal home user profile. In those days I believe we could run a static IP address, but most ISPs are only used to personal accounts running Apple or Windows based computers and I am not the person to share the number or types of computers that I run with my ISP. 

At any rate after digging a little deeper I found that my Indigo had been hacked and I had 1000s of email messages advertising Viagra sales and god knows what else. My hard drive was probably very close to full. I think I had noticed the computer was slowing down unexpectedly maybe due to the lack of hd space left. So I cleaned up the files and turned off sendmail which was probably the culprit.

Now the internet has ostensibly become more secure for home networks running cable modems and more advanced routers offering firewalls. I would like to ask is my old system still vulnerable to attack or is my router firewall enough to keep it isolated from attack. I know that NFS is not secure on these old computers. What recommendations if any would you suggest that I implement to ensure it is secure from attack? I also do not want this old computer to provide a gateway to my other computers with sensitive data. I don't think I have Gauntlet in my software collection. I would like to be able to print to my networked printer, browing pretty much sucks, but also being able to access the Indigo from my MacBookPro or LInux systems would be nice.

Thanks for reading and any advice. I hope this is not to big a question to ask, advice on what SGI manuals to read would be good. I have a rudimentary knowledge of networking, but not much experience with IRIX networking. I will start with the networking manuals on my own as well.

[Raion]

IRIX has a firewall called IPFilter, you have to download it but it's not horrible.

If you want something more robust, I can recommend VyOS, Edge or Juniper routers.

[vishnu]

I use IPTables (netfilter.org) and I have it set to drop all packets that any of my SGI's try to send to the Internet.

[Shiunbird]

My vintage machines are on a separate VLAN. I use pfsense and got 2 used SG200 switches. They get NTP and DNS from the pfsense box and HTTP out through a proxy.

[vishnu]

At the risk of being repetitive, because I've posted this before, all the computers on my LAN have static IP on the 10.4.0 network; no wifi, all hard-wired ethernet, and they talk to the internet through a computer, not a commercial router, there's no such thing as a secure commercial router. So the computer that connects me to the Internet is a January 1997 Pentium Pro 200, that's basically been up and running 24/7 for 26 years, which is a matter of never-ending astonishment to me. It's been through fans, hard drives and power supplies, but the motherboard is solid as a rock. It runs a Linux kernel I configure and compile myself, it runs an IPTables firewall whose configuration script I wrote myself, it runs my website using Apache, and it runs dhcpd so my guests can plug their lappys into one of my switches and be connected to my LAN and to the Internet. It wasn't easy setting all this up, but totally worth it. I have never, and will never, use a commercial router to connect to the Internet. To reiterate: There's no such thing as a secure commercial router.

[robespierre]

What you need is a router without auto-configuration or web-configuration, with a hard-wired serial port console, and manually configured rules. They are commercially available.
When Soekris still made embedded computers, the net5501 was a good choice. PC Engines still makes this type of device, I think.

[jpstewart]

My take on whether or not you need a firewall on your IRIX box is that it depends on how much you trust the LAN that it is on. 

If it is a home LAN with only a small number of users, all of whom you trust, then there's no need for a firewall on every machine.  If you can't trust the rest of the LAN (e.g., corporate network) then yes you should run a firewall on every machine, especially your IRIX box.

Of course, the above assumes that you have a router & firewall that you trust between your LAN and the public Internet.

In my case, I have an ISP-provided router that I must use to connect to their network.  I don't know enough about it to trust its firewalling capabilities.  So I connect the ISP-supplied router to my own firewall.  (An old PC running up-to-date Linux can do the job, as vishnu points out.)  I can trust that firewall.  Then inside the firewall I have my private LAN where all my vintage computers can talk amongst themselves, isolated from the Internet.  Since everything on the LAN can be trusted, I don't care if NFS and Telnet are insecure by today's standards.  Nobody's snooping on my LAN inside the firewall without my permission.

So my advice is to read what everyone here is writing, but come up with your own plan customized your own needs and the trustworthiness of your LAN.

[Shiunbird]

So my advice is to read what everyone here is writing, but come up with your own plan customized your own needs and the trustworthiness of your LAN.

+++++++++++++++++++

[jan-jaap]

Hmm. I've used a Cisco 3620, 3640 and 3660 with no ill effects that I was able to discern - wiresharked the information highway and all that, seemed to be secure.

Right. Cisco Can’t Stop Using Hard-Coded Passwords

[vishnu]

Right. Cisco Can’t Stop Using Hard-Coded Passwords

Exactly my point; Cisco is a router horrorshow, but yet they're the best of the bunch. I reiterate, don't ever use a commercial router, they are all insecure.