From: Erik Norgaard
To: Andy Firman
cc: freebsd-questions@freebsd.org
Date: Sun, 30 Jan 2005 11:39:25 +0100
Subject: Re: 2 quick firewall questions for FreeBSD

Andy Firman wrote:
> First, if one were to deploy FreeBSD 5.3 as a standard
> web and email server, would it need a firewall?
> I don't see the point because only ports like 25 for
> smtp, 110 for pop, 80 for http, etc... will be listening
> and open for connections with or without a firewall.

You always should use a firewall. You may run other services that may bind to ports on all interfaces, e.g. syslog, mysql, or others. Having a firewall will protect you against accidental misconfigurations of services that should only be accessible locally.
You may argue that your server is behind a routing firewall, but that argument only holds if there are no other servers. Otherwise you are at risk that if one server is compromised, the others fall easily thereafter. The point is to use layers of security and filtering both on network routers/firewalls and on individual hosts, to obtain fine-grained control and prevent a compromise from propagating.

Cheers, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
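As an added illustration of the host-based filtering Erik describes (not part of the original thread), here is a pf.conf for a FreeBSD host that should only expose SMTP, POP3 and HTTP; the interface name and management network are assumptions.

```pf
# Added example pf.conf: default deny, then allow only the services this
# host is meant to offer publicly. A daemon such as mysql or syslogd that
# is accidentally bound to all interfaces stays unreachable from outside.
ext_if    = "fxp0"            # assumption: external interface name
admin_net = "192.168.0.0/24"  # assumption: trusted management network

set skip on lo0
scrub in on $ext_if all

# Deny everything not explicitly allowed; log blocked inbound traffic so
# misconfigured listeners show up in pflog rather than on the Internet.
block in log all
block out all

# Let the host originate its own traffic (DNS lookups, outgoing mail, updates).
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state

# Public services: SMTP (25), HTTP (80), POP3 (110) from anywhere.
pass in on $ext_if proto tcp from any to ($ext_if) port { 25 80 110 } \
    flags S/SA keep state

# Administrative access only from the management network.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state
```

Before loading the rules, `sockstat -4l` lists every daemon and the address it is bound to, which makes it easy to spot a service listening on 0.0.0.0 that the ruleset above will keep off the wire.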