Date:      Tue, 22 Oct 2002 10:55:21 -0600
From:      James <mailinglists@telus.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Does a web server need ipfw?
Message-ID:  <20021022165521.GC148@work.ab.hsia.telus.net>
In-Reply-To: <200210221211.52532.jrhoden@unimelb.edu.au>; from jrhoden@unimelb.edu.au on Mon, Oct 21, 2002 at 20:11:52 -0600
References:  <20021021174350.GC213@work.ab.hsia.telus.net> <200210221211.52532.jrhoden@unimelb.edu.au>

On 2002.10.21 20:11 Jacob Rhoden wrote:
> On Tue, 22 Oct 2002 03:43, James wrote:
> > I'm just wondering if most web servers don't run a firewall?  We've
> > set up a FreeBSD web server without ipfw running, and I don't really
> > see any reason to run ipfw since the only services I have running are
> > httpd and sshd.  We have also attempted to secure the machine in the
> > other typical ways.
> 
> As others have said, you don't really need to, but it is a good idea,
> and does add an extra layer of protection. One example of this would
> be, if your web server is compromised, and the user gets access as
> 'httpd' but not as root. Having a firewall will prevent them from
> malicious activity, such as using your machine to launch a DOS attack
> against another machine, and prevent them running a daemon that allows
> them to connect to your machine on another port.
> 
> So you don't need a firewall, but it does make your machine a lot more
> safe if you do.
> 
> The other option, is you can set the kernel secure level so that users
> cannot modify the kernel or the firewall rules to get around your
> security, without having local access to the machine.
> 


I appreciate all the input! I think I will be putting up ipfw 
after all!  I see now that the benefits far outweigh the small amount of 
time it takes to set up ipfw.  I imagine there wouldn't be any 
noticeable effects to performance either.

James
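
An added example, not part of the original thread: a script that prints an ipfw rules file for the host described above (only httpd and sshd exposed), covering the two cases from the quoted reply, outbound traffic from a compromised web user and a listener on another port. The account name `www`, the rule numbers and the DNS allowance are assumptions.

```shell
#!/bin/sh
# Added example: emit ipfw rules for a host that offers only SSH and HTTP.
# Assumption: the web server runs as user "www"; pass another name as $1.

rule() { printf 'add %s\n' "$*"; }

ipfw_rules() {
    web_user="${1:-www}"    # assumed account name, not taken from the thread

    # Loopback traffic is always allowed.
    rule 100 allow ip from any to any via lo0
    # Packets of connections accepted below, including httpd's replies.
    rule 200 check-state

    # Inbound: only the two services the host offers.
    rule 300 allow tcp from any to me 22 in setup keep-state
    rule 310 allow tcp from any to me 80 in setup keep-state
    # ICMP destination-unreachable and time-exceeded errors.
    rule 320 allow icmp from any to any icmptypes 3,11

    # Outbound: the web user may not open new connections. The log keyword
    # records each attempt, which is a useful sign of compromise.
    rule 400 deny log tcp from me to any out uid "$web_user"
    rule 410 deny log udp from me to any out uid "$web_user"
    # Outbound: DNS lookups by the remaining local users.
    rule 500 allow udp from me to any 53 out keep-state
    rule 510 allow tcp from me to any 53 out setup keep-state

    # Everything else is dropped, so a daemon started on another port
    # is unreachable from outside.
    rule 65000 deny log ip from any to any
}

ipfw_rules "$@"
```

Redirect the output to a file and load it with `ipfw -q <file>`. Raising `kern.securelevel` to 3 afterwards stops the loaded rules from being changed, which is the second option in the quoted reply.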
