Date: Mon, 21 Oct 2002 14:00:07 -0500
To: James, freebsd-questions@FreeBSD.org
From: Sean O'Neill
Subject: Re: Does a web server need ipfw?
In-Reply-To: <20021021174350.GC213@work.ab.hsia.telus.net>

At 11:43 AM 10/21/2002 -0600, James wrote:
>Hello,
>
>I'm just wondering if most web servers don't run a firewall? We've set up
>a FreeBSD web server without ipfw running, and I don't really see any
>reason to run ipfw since the only services I have running are httpd and
>sshd. We have

> ... are httpd and sshd

Famous last words. Just wait until your requirements change and somebody says this and that have to now run on that machine at the last minute.

>also attempted to secure the machine in the other typical ways.
>
>Are there vulnerabilities that this web server is open to by not running a
>firewall?

One of the nice things about running a firewall is better control. Without running a firewall package in front of or on the machine ... you have NONE.

An example of a good use of running a firewall is ... I have ProFTP running on my "machine" at all times with anonftp set up, but you can't get to it because my IPFilter config explicitly blocks access to it. When I need to allow someone into my machine to transfer something, I update my ipf.conf file by uncommenting two lines, adjust for the IP address allowed in for FTP, and reload the rules. When they are done, I comment out the two lines and reload.

I could set up an SSH account and change the password when they are done transferring, but SSH is too slow for transfers, and I occasionally get stuff from Windows users, and many have never heard of SSH.

--
........................................................
......... ..- -. .. -..- .-. ..- .-.. . ... ............
.-- .. -. -... .-.. --- .-- ... -.. .-. --- --- .-.. ...
Sean O'Neill
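The "two lines" approach Sean describes, written out as an added example that is not from the thread: an IPFilter rule set that exposes only httpd and sshd, keeps the FTP pass rules commented out by default, and regenerates them for a single client address when a transfer is needed. The interface name fxp0, the passive data port range 49152-49200, and the rule file path /etc/ipf.conf are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: external interface is fxp0; proftpd is configured to use
# passive data ports 49152-49200; the live rule file is /etc/ipf.conf.
IFACE="fxp0"
PASV_RANGE="49152 >< 49201"   # ipf range syntax: ports strictly between the bounds

# ipf_rules [allowed_ip]
# Prints a complete rule set. With no argument the two FTP rules stay
# commented out, so port 21 is caught by the final default-deny rule.
ipf_rules() {
    allow="$1"
    if [ -n "$allow" ]; then pfx=""; else pfx="# "; fi
    cat <<EOF
# Traffic the server itself starts is allowed back in via state, nothing else.
pass out quick on $IFACE proto tcp from any to any flags S keep state
pass out quick on $IFACE proto udp from any to any keep state
pass out quick on $IFACE proto icmp from any to any keep state
# The only two services the web server is meant to offer.
pass in quick on $IFACE proto tcp from any to any port = 80 flags S keep state
pass in quick on $IFACE proto tcp from any to any port = 22 flags S keep state
# The "two lines": control connection plus passive data range for one client.
${pfx}pass in quick on $IFACE proto tcp from ${allow:-A.B.C.D} to any port = 21 flags S keep state
${pfx}pass in quick on $IFACE proto tcp from ${allow:-A.B.C.D} to any port $PASV_RANGE flags S keep state
# Default deny, logged so blocked connection attempts show up via ipmon.
block in log quick on $IFACE all
EOF
}

# Rewrite the rule file and reload it (flush all, then load; needs root).
ftp_open_for() { ipf_rules "$1" > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf; }
ftp_close()    { ipf_rules      > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf; }
```

Run `ftp_open_for 192.0.2.10` (a constructed example address) before the transfer and `ftp_close` afterwards; `ipfstat -io` shows which rule set is currently loaded.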