Date: Thu, 9 Aug 2001 18:09:49 -0700
From: Tabor Kelly <pdxmax@dsl-only.net>
To: Keith Spencer <bsd2000au@yahoo.com.au>
Cc: fbsd <freebsd-questions@freebsd.org>
Subject: Re[2]: Separate firewall or not?
Message-ID: <8622703475.20010809180949@dsl-only.net>
In-Reply-To: <20010810004637.15724.qmail@web12004.mail.yahoo.com>
References: <20010810004637.15724.qmail@web12004.mail.yahoo.com>
There are ways to restrict the compiler. But I am not sure there are any useful ways to restrict it. You could give it its own user group, and restrict its privileges, but then it wouldn't be very useful. If you are going to do that you may as well take it off. If you never change the system, it won't be a problem.

As for DNS, I would not run it on the firewall.

As for shell accounts. You don't really want to stop shell accounts. Here is how I have my firewall set up. I have 2 accounts that can access the shell. One is root, which can only access it locally (it can not be accessed over a network). The other we will call Fred for this demonstration. Fred is a member of the group wheel. This means that Fred can become root. This is very useful if I need to change something remotely. If you wanted to you could have no user accounts at all, I guess. But this would mean that you could never log-in remotely. In which case you may as well take sshd off as well.

All disclaimers apply.

-Tabor

On Thursday, August 09, 2001, 5:46:37 PM, Keith wrote:

Hi Tabor,
Thanks!
If I don't remove the compiler can I restrict it?
Can I stop shell accounts?
Do I put DNS on the firewall or behind it?
Thanks
keith

--- Tabor Kelly <pdxmax@dsl-only.net> wrote:
> IMHO you should use a separate firewall. I wouldn't take your compiler
> off of it, it makes certain tasks very difficult (like building a new
> kernel).
>
> Personally, I leave one thing on my firewall: sshd.
>
> There are many reasons not to use a normal server as a firewall, one
> large one is that, you only need 2 accounts on a firewall: root, and
> one user account. On a webserver you frequently have many, many
> accounts, all of which can be used against you!
>
> Note: I am not a network security expert, though I like to pretend
> that I know a little bit about security.
>
> On Thursday, August 09, 2001, 4:57:28 PM, Keith wrote:
>
> Hi all,
> sorry to repeat but I am in the middle of an urgent
> anti-hacking rebuild.
> Should I build a separate perimeter firewall machine
> with only that on it...restrict/remove compilers etc
> (how do I do that?) and have the router/dns/web/mail
> server inside the perimeter.
> OR
> should I simply put IPFW on the router/dns/web/mail
> server?
> Any ideas guys?
> Thanks
> Keith

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
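The account layout described in the message above (root limited to local login, one wheel member for remote administration) can be checked with a short audit script. This is an added example, not part of the original thread: the sample files are constructed, `fred` stands in for the message's "Fred", the function names are hypothetical, and checking for `PermitRootLogin no` in sshd_config is an assumption about how the remote-root restriction is enforced.

```shell
#!/bin/sh
# Added example: audit the two-account firewall layout described in the message.
# Files are passed as arguments so copies of /etc/passwd, /etc/group and
# sshd_config can be checked offline.

# Accounts with a usable login shell (7-field passwd format; empty shell = /bin/sh).
shell_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $7 !~ /(nologin|false|nonexistent)$/ { print $1 }' "$1"
}

# Members listed for group wheel, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# First PermitRootLogin value (sshd keeps the first one it reads), or "unset".
# Match blocks are not interpreted here.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# audit_firewall PASSWD GROUP SSHD_CONFIG ADMIN -> 0 only if root and ADMIN are the
# sole shell accounts, ADMIN is in wheel, and root login over ssh is refused.
audit_firewall() {
    rc=0
    extra=$(shell_accounts "$1" | grep -v -x -e root -e "$4" | tr '\n' ' ')
    [ -z "$extra" ] || { echo "FAIL: extra shell accounts: $extra"; rc=1; }
    wheel_members "$2" | grep -q -x "$4" ||
        { echo "FAIL: $4 is not in wheel"; rc=1; }
    prl=$(permit_root_login "$3")
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '$prl', expected 'no'"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: only root and $4 have shells; root is local-only"
    return "$rc"
}

# Constructed sample files (not from the thread); "fred" stands in for the mail's Fred.
make_sample() {
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin' \
        'fred:*:1001:1001:Fred:/home/fred:/bin/sh' > "$1/passwd"
    printf '%s\n' 'wheel:*:0:root,fred' > "$1/group"
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$1/sshd_config"
}

d=$(mktemp -d) && make_sample "$d"
audit_firewall "$d/passwd" "$d/group" "$d/sshd_config" fred
rm -rf "$d"
```

Run against copies of the real files, any extra account with a login shell (the kind a web server accumulates) shows up as a FAIL line.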