Lonkero, with reference to this statement:

Quote:

a simple rule is not to allow direct access to the box itself in any way from the outside.
and another one is to add a "trap port" from well known ports, like ssh, telnet or ftp or something, so that anything trying to connect to those gets blocked for five or so minutes. effectively "frustrates" any port scanners and blocks most security scanning tools

I understand the part about adding a trap port. I don't know how to do that, but I will research that.

What I am not clear on is exactly what you mean by not allowing direct access to the box itself from the outside. As the box is visible to the Internet by virtue of a public IP address, and if the box is also used as the proxy server, then by definition one has access to the box, albeit not direct access. I assume that you mean don't allow people to log on to the firewall from outside? Or that the firewall must not act as the VPN server, but rather tunnel the VPN to a machine on the local network using a redirected port?

Basically what I am intending to do is install a very minimalist setup of Slackware. On this box, I will be using iptables for the firewall, Dansguardian for the content filtering, and I have actually forgotten what I am intending to use for the proxy, but if memory serves, the firewall will redirect traffic from port 80 through the Dansguardian content filter and then out to port whatever, and allow for Internet access that way.
On my Windows server, I am intending to use OpenVPN to tunnel traffic from the Internet client to the network.

You also mentioned
Quote:

although firewall capabilities differ and the power of the firewall is a deciding factor. and whoever is setting it up is another.
that's why still most of the firewalls out there are set up to be full open from in to any.

I assume that you mean that people have installed a firewall, which is basically a proxy server, but have otherwise opened all ports? Or do you mean something different?

Lastly, what is an accelerator chip? Is it something like a video card that has an onboard CPU to handle the graphics instead of relying on the main CPU?

Quote:

although firewall appliances sometimes come with slower CPUs they can still beat PC based systems in speed thanks to accelerator chips for things like encryption. the newer CPUs are starting to be fast enough for this not to be the case, but for example larger network topologies routed IPSEC VPNs used to choke CPUs easily...

Don't tell me that you are saying that I need to get a Core i7 computer. Actually, that is on my list of things to do: get a hardware spec requirement list for my Slackware box.
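The "trap port" the poster says they still need to research, together with the port-80 redirect into Dansguardian described above, as an added example that is not from the thread or either poster. It uses iptables' `recent` match to ban any source that probes the trap ports for five minutes; the interface names (eth0 WAN, eth1 LAN), the trap ports 21/22/23 and the Dansguardian listening port 8080 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread): an iptables "trap port" using the
# `recent` match, plus the LAN port-80 redirect into a local content filter.
# Assumptions not stated in the thread: eth0 faces the Internet, eth1 the LAN,
# the trap ports are 21/22/23 and Dansguardian listens on 8080.
# Usage: `sh trap.sh show` prints the rules, `sh trap.sh apply` loads them (root).

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
TRAP_PORTS="${TRAP_PORTS:-21,22,23}"   # comma-separated list for multiport
BAN_SECONDS="${BAN_SECONDS:-300}"      # "five or so minutes"
FILTER_PORT="${FILTER_PORT:-8080}"     # assumed Dansguardian filter port

# Print the command instead of running it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

trap_port_rules() {
    # 1. Any source on the "trap" list seen within BAN_SECONDS is dropped, both
    #    for traffic to the box and traffic through it. --update refreshes the
    #    timestamp, so a scanner that keeps probing stays blocked.
    ipt -A INPUT   -i "$WAN_IF" -m recent --name trap --update --seconds "$BAN_SECONDS" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -m recent --name trap --update --seconds "$BAN_SECONDS" -j DROP
    # 2. The first SYN to a trap port puts the source on the list and is dropped.
    #    Nothing is offered on these ports from outside, so no real traffic is lost.
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -m multiport --dports "$TRAP_PORTS" \
        -m recent --name trap --set -j DROP
    # 3. No other direct access to the box from the WAN side; only replies.
    ipt -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -j DROP
}

filter_redirect_rules() {
    # Transparent filtering: LAN clients' port-80 requests go to Dansguardian,
    # which forwards them to the real proxy. HTTPS (443) is not covered here.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$FILTER_PORT"
}

all_rules() { trap_port_rules; filter_redirect_rules; }

case "${1:-}" in
    show)  DRY_RUN=1; all_rules ;;
    apply) DRY_RUN=0; all_rules ;;
esac
```

The `recent` list is bounded by the xt_recent module parameter `ip_list_tot` (default 100 addresses), so a wide scan can push older entries out; raise it if that matters.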