
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
> for instance a box running ROOTer [1] (a version of DD-WRT) [...] I am of the view that the public IP (or carrier grade NAT IP), should not be public facing directly on equipment that /may/ have any kind of vulnerable component [...] Linux.
Um, DD-WRT isn't a magically invincible Linux distro just because it targets embedded systems. I have no cite, but ISTR hearing about the DD-WRT developers releasing a stable release that allowed full admin access by default from one of their for-profit customers' IP addresses. And their response was "oh that was a mistake, but it's totally fine to keep running it, because I happen to know that address isn't in use at the moment." That said, if you have >1 host it's reasonable to put them all behind a single bastion.