From: James
To: freebsd-questions@freebsd.org
Date: Tue, 22 Oct 2002 10:55:21 -0600
Subject: Re: Does a web server need ipfw?

On 2002.10.21 20:11 Jacob Rhoden wrote:
> On Tue, 22 Oct 2002 03:43, James wrote:
> > I'm just wondering if most web servers don't run a firewall? We've
> > set up a FreeBSD web server without ipfw running, and I don't really see
> > any reason to run ipfw since the only services I have running are httpd
> > and sshd. We have also attempted to secure the machine in the other
> > typical ways.
>
> As others have said, you don't really need to, but it is a good idea, and does
> add an extra layer of protection. One example of this would be, if your web
> server is compromised, and the user gets access as 'httpd' but not as root.
> Having a firewall will prevent them from malicious activity, such as using your
> machine to launch a DoS attack against another machine, and prevent them
> running a daemon that allows them to connect to your machine on another port.
>
> So you don't need a firewall, but it does make your machine a lot more safe if
> you do.
>
> The other option is you can set the kernel secure level so that users cannot
> modify the kernel or the firewall rules to get around your security, without
> having local access to the machine.

I appreciate all the input! I think I will be putting up ipfw after all! I
see now that the benefits far outweigh the small amount of time it takes to
set up ipfw. I imagine there wouldn't be any noticeable effects to
performance either.

James
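An added example, not part of the original message or from either poster: a default-deny ipfw ruleset for the host described in the thread (only httpd and sshd exposed), showing how the rules block both an extra listening daemon and attacker-initiated outbound traffic. The rule numbers, the `fw` and `web_server_rules` helper names, the `APPLY` switch and the DNS/NTP allowances are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed ruleset for a host that
# serves only httpd (80/tcp) and sshd (22/tcp). Rule numbers and the
# DNS/NTP allowances are assumptions; adjust them to the real host.
# Prints the commands by default; set APPLY=1 (as root) to load them.

fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipfw -q "$@"
    else
        echo "ipfw -q $*"
    fi
}

# web_server_rules "<inbound tcp ports>"
web_server_rules() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    # Packets of already-accepted connections match dynamic state here.
    fw add 200 check-state

    # Inbound: only the listed services can be opened from outside, so a
    # daemon started on any other port by a compromised account is unreachable.
    n=300
    for port in $1; do
        fw add "$n" allow tcp from any to me "$port" in setup keep-state
        n=$((n + 10))
    done

    # Outbound: the host itself may only start DNS and NTP exchanges.
    fw add 500 allow udp from me to any 53 out keep-state
    fw add 510 allow udp from me to any 123 out keep-state
    # ICMP unreachable / time-exceeded, needed for path MTU discovery.
    fw add 600 allow icmp from any to me in icmptypes 3,11

    # Everything else, including new outbound connections or floods started
    # from the 'httpd' account, is logged and dropped.
    fw add 65000 deny log ip from any to any
}

web_server_rules "80 22"

# To keep the rules from being changed without console access, /etc/rc.conf
# can set kern_securelevel_enable="YES" and kern_securelevel="3".
```

Load it with `APPLY=1` from the console rather than over SSH: an existing SSH session has no dynamic state entry after the flush and will be dropped.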