From owner-freebsd-questions Mon Oct 21 14: 5: 8 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A952237B404 for ; Mon, 21 Oct 2002 14:05:06 -0700 (PDT) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB94843E65 for ; Mon, 21 Oct 2002 14:05:05 -0700 (PDT) (envelope-from freebsd-questions-local@be-well.no-ip.com) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198] (may be forged)) by be-well.ilk.org (8.12.6/8.12.5) with ESMTP id g9LL558s030178; Mon, 21 Oct 2002 17:05:05 -0400 (EDT) (envelope-from freebsd-questions-local@be-well.no-ip.com) Received: (from lowell@localhost) by be-well.ilk.org (8.12.6/8.12.6/Submit) id g9LL55Cd030175; Mon, 21 Oct 2002 17:05:05 -0400 (EDT) X-Authentication-Warning: be-well.ilk.org: lowell set sender to freebsd-questions-local@be-well.ilk.org using -f /etc/Fcc: ~/Mail/outgoing-mail To: James Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Does a web server need ipfw? References: <20021021174350.GC213@work.ab.hsia.telus.net> From: Lowell Gilbert Date: 21 Oct 2002 17:05:04 -0400 In-Reply-To: <20021021174350.GC213@work.ab.hsia.telus.net> Message-ID: <443cqz33lr.fsf@be-well.ilk.org> Lines: 19 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG James writes: > I'm just wondering if most web servers don't run a firewall? We've > setup a FreeBSD web server without ipfw running, and I don't really > see any reason to run ipfw since the only services I have running are > httpd and sshd. We have also attempted to secure the machine in the > other typical ways. > > Are there vulnerabilities that this web server is open to by not > running a firewall? Not specifically, no. But running a firewall would leave you in less danger if (a) you make a configuration mistake that opens up a vulnerability, or (b) a new vulnerability is discovered which *does* apply to your system. It's a belt-and-suspenders thing, but it would take so little effort to set up that I'd recommend it as a good investment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message