From owner-freebsd-questions  Sun Aug 12 21:30:50 2001
Date: Sun, 12 Aug 2001 22:30:30 -0600 (MDT)
From: John Galt <galt@inconnu.isu.edu>
To: Keith Spencer <bsd2000au@yahoo.com.au>
Cc: Tabor Kelly <pdxmax@dsl-only.net>,
	fbsd <freebsd-questions@FreeBSD.ORG>
Subject: Re: Separate firewall or not?
In-Reply-To: <20010810004637.15724.qmail@web12004.mail.yahoo.com>
Message-ID: <Pine.LNX.4.33.0108122228390.14442-100000@inconnu.isu.edu>

On Fri, 10 Aug 2001, Keith Spencer wrote:

>Hi Tabor,
>Thanks! If I don't remove the compiler can I restrict
>it? Can I stop shell accounts?

#chown root path/to/gcc
#chmod 700 path/to/gcc
#rm path/to/adduser

>Do I put DNS on the firewall or behind it?
>Thanks
>keith
>
>--- Tabor Kelly <pdxmax@dsl-only.net> wrote:
>> IMHO you should use a separate firewall. I wouldn't take your compiler
>> off of it, it makes certain tasks very difficult (like building a new
>> kernel).
>>
>> Personally, I leave one thing on my firewall: sshd.
>>
>> There are many reasons not to use a normal server as a firewall, one
>> large one is that, you only need 2 accounts on a firewall: root, and
>> one user account. On a webserver you frequently have many, many
>> accounts, all of which can be used against you!
>>
>> Note: I am not a network security expert, though I like to pretend
>> that I know a little bit about security.
>>
>> On Thursday, August 09, 2001, 4:57:28 PM, Keith wrote:
>>
>> Hi all,
>> sorry to repeat but I am in the middle of an urgent
>> anti-hacking rebuild.
>> Should I build a separate perimeter firewall machine
>> with only that on it...restrict/remove compilers etc
>> (how do I do that?) and have the router/dns/web/mail
>> server inside the perimeter.
>> OR
>> should I simply put IPFW on the router/dns/web/mail
>> server?
>> Any ideas guys?
>> Thanks
>> Keith
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of
>> the message

-- 
There is no problem so great that it cannot be solved with suitable
application of High Explosives.

Who is John Galt?  galt@inconnu.isu.edu, that's who!
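
A check for the state that the chown/chmod pair in the reply above leaves a compiler in (owned by root, no access for group or other). This is an added example, not part of the original message; the function names and the paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify the state that
# "chown root" + "chmod 700" leaves a compiler binary in.

# perm_string FILE: print the nine permission characters, e.g. rwx------
perm_string() {
    # -L follows a symlinked path; any ACL/SELinux suffix is cut off
    ls -ldL -- "$1" | awk '{ print substr($1, 2, 9) }'
}

# owner_name FILE: print the owning user as ls reports it
owner_name() {
    ls -ldL -- "$1" | awk '{ print $3 }'
}

# owner_only FILE: succeed when group and other have no permission bits
owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_compiler FILE [OWNER]: 0 = locked down, 1 = too open, 2 = missing
audit_compiler() {
    file=$1
    want=${2:-root}   # expected owner; root matches the reply's chown
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }
    if [ "$(owner_name "$file")" != "$want" ]; then
        echo "FAIL $file: owner $(owner_name "$file"), expected $want"
        return 1
    fi
    if ! owner_only "$file"; then
        echo "FAIL $file: mode $(perm_string "$file") admits group/other"
        return 1
    fi
    echo "OK $file"
}

# audit_all FILE...: audit every path given, fail if any one fails
audit_all() {
    rc=0
    for f in "$@"; do audit_compiler "$f" || rc=1; done
    return "$rc"
}

# Paths come from the command line, e.g.: sh audit.sh /usr/bin/gcc /usr/bin/cc
if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```
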

