From: "Kjell"
To: James
Cc: freebsd-questions@freebsd.org
Date: Wed, 23 Oct 2002 09:21:06 +0100
Subject: Re: Does a web server need ipfw?
Reply-To: la3sg@sensewave.com

> On 2002.10.21 20:11 Jacob Rhoden wrote:
> > On Tue, 22 Oct 2002 03:43, James wrote:
> > > I'm just wondering if most web servers don't run a firewall? We've
> > > set up a FreeBSD web server without ipfw running, and I don't really
> > > see any reason to run ipfw since the only services I have running
> > > are httpd and sshd. We have also attempted to secure the machine in
> > > the other typical ways.
> >
> > As others have said, you don't really need to, but it is a good idea,
> > and does add an extra layer of protection. One example of this would
> > be, if your web server is compromised, and the user gets access as
> > 'httpd' but not as root. Having a firewall will prevent malicious
> > activity, such as using your machine to launch a DOS attack against
> > another machine, and prevent them running a daemon that allows them
> > to connect to your machine on another port.
> >
> > So you don't need a firewall, but it does make your machine a lot more
> > safe if you do.
> >
> > The other option, is you can set the kernel secure level so that users
> > cannot modify the kernel or the firewall rules to get around your
> > security, without having local access to the machine.
>
> I appreciate all the input! I think I will be putting up ipfw
> after all! I see now that the benefits far outweigh the small amount of
> time it takes to set up ipfw. I imagine there wouldn't be any
> noticeable effects to performance either.
>

Have a look at
http://www.schlacter.net:8500/public/FreeBSD-STABLE_and_IPFILTER.html

Kjell

> James
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
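The points raised in the quoted discussion (only httpd and sshd reachable, no outbound traffic for a hijacked 'httpd' user, no rogue listener on another port), written out as an ipfw rules file. This is an added example, not a configuration posted by anyone in the thread; the ports (80, 22), rule numbers, the function name web_rules and the resolver address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an ipfw rules file for a host
# whose only services are httpd (80/tcp) and sshd (22/tcp): assumed ports.
# Save the output and point firewall_type in /etc/rc.conf at that file.

web_rules() {
    dns="$1"    # resolver the host may query (assumption: one IPv4 address)
    case "$dns" in
        ''|*[!0-9.]*) echo "usage: web_rules <resolver-ipv4>" >&2; return 1 ;;
    esac
    # 100    loopback is always allowed
    # 200    packets of a connection admitted by a keep-state rule below
    # 300/310 the two published services; replies use the dynamic rules
    # 400    the only traffic the host may originate: DNS to one resolver
    # 500    inbound ICMP errors (unreachable, time exceeded) for path MTU
    # 900    anything else the host originates, such as a compromised
    #        httpd process flooding a third party, is dropped and logged
    # 65000  everything else inbound, including a connection to a daemon
    #        an intruder started on another port
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from any to me 80 in setup keep-state
add 310 allow tcp from any to me 22 in setup keep-state
add 400 allow udp from me to ${dns} 53 out keep-state
add 500 allow icmp from any to me in icmptypes 3,11
add 900 deny log ip from me to any out
add 65000 deny log ip from any to any
EOF
}

# Print the rules when run as a script with the resolver as argument.
if [ "$#" -gt 0 ]; then
    web_rules "$1"
fi
```

For the secure-level option mentioned in the thread, kern_securelevel_enable="YES" with kern_securelevel="3" in /etc/rc.conf stops the rules from being changed on the running system. Any further outbound need (NTP, fetching updates) requires its own rule ahead of rule 900.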