From owner-freebsd-questions Tue Nov 19 1:49:39 2002
Date: Tue, 19 Nov 2002 09:49:32 +0000 (GMT)
From: Avleen Vig
To: Pierrick Brossin
Cc: Giorgos Keramidas, Greg 'groggy' Lehey, "freebsd-questions@FreeBSD.ORG"
Subject: Re: FreeBSD Easy Server
In-Reply-To: <1037698206.3dda049e32874@www.swissgeeks.com>
Message-ID: <20021119093610.G53207-100000@apple.silverwraith.com>

> > Errrr..
> > The only real benefits you get from a firewall are:
> > 1) controlling which IP addresses can access a service
> > 2) *maybe* bandwidth shaping. *maybe*.
> > 3) packet re-writing.
>
> That's all ?

That's all really!

> I thought the firewall was THE thing to have when you have a server which is
> running 24 hours a day, 365 days per year!

I don't mean any disrespect Pierrick, but it sounds like you're following
what other people are telling you without really understanding it.
Please read a couple of the other emails I sent after the above one, and
you'll see why having a firewall may or may not be useful. If it's not
useful then don't use it. It won't help!
Maybe one thing I forgot that a firewall can do is watch and log inbound
connections, but something like an Intrusion Detection System (IDS) is
better at that. And it can log hack-in attempts and other nasties. Snort is
a good lightweight IDS. www.snort.org.

> I'm considering myself as a newbie under FreeBSD for the moment so I may be
> wrong about the next point but what you telling me is that I can restrict access
> to certain services to certain IPs ?
> So I would use the config file of each service to say this one can access, let's
> samba .. this one can't (interfaces=... in smb.conf if I remember correctly).

Yes. Also look at 'man 5 hosts_access'. The file /etc/hosts.allow can be
configured to allow or deny access to services in the same way.
Eg, you could have these lines in /etc/hosts.allow:

netbios-ns : 12.34.56.1 : allow
netbios-ns : ALL : deny

This would allow netbios connections to port 137 for the IP address
12.34.56.1, but deny it to everyone else. See? No firewall needed :-)

> There are Linux (ouch :D) distributions that are only firewall and don't run any
> other services (like smoothwall if I'm right).
> So a distribution like this one is superfluous for users like me ?

It certainly sounds like it, unless you want to do lots of restrictions on
who can and cannot connect to certain ports.

> I own swissgeeks.com and need a little bit of security. Got a lot of
> stuff running on this server and if I'm switching to FreeBSD I have to
> be sure I won't get hacked, though it's always possible. Let's say I'd
> like the same security as SME provides me for the moment. As known, 1
> year and a half and no problem!
> This was the story :D

The chances of getting hacked are higher when: there is a bug in a server
that is listening on a network port, and someone you don't want connecting
to this service because you don't trust them exploits it.
The best way around this is to always keep your installations up to date.
Eg when a new apache version is released, I normally install within 2 or 3
days after testing it on a spare machine.
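The hosts.allow rules in Avleen's reply depend on order: TCP wrappers walk the file top to bottom and the first rule whose daemon and client both match decides, so the "allow 12.34.56.1" line has to come before the "ALL : deny" line. The following Python script is an added illustration, not part of the email and not FreeBSD's libwrap code; it models that first-match evaluation for a small, clearly marked subset of the hosts_access(5) syntax (exact IPv4 address, trailing-dot prefix, CIDR, ALL, and the allow/deny options) over a constructed sample file. The sample rules and addresses are made up for the example.

```python
"""Simplified model of FreeBSD /etc/hosts.allow evaluation (added example).

Modelled subset of hosts_access(5) / hosts_options(5):
  daemon_list : client_list : allow|deny
  - lists are comma separated, ALL is a wildcard in either position
  - client patterns: exact IPv4 address, trailing-dot prefix ("10.0.0."),
    or CIDR ("10.0.0.0/24")
  - the first rule matching both daemon and client decides; if nothing
    matches, the wrapper default (no hosts.deny entries) is to allow.
This is a teaching model, not the real libwrap implementation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    daemons: list
    clients: list
    action: str  # "allow" or "deny"


def parse_hosts_allow(text: str) -> list:
    """Parse hosts.allow style text into an ordered list of Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        # A rule in hosts.allow with no option field grants access.
        action = fields[2].lower() if len(fields) > 2 and fields[2] else "allow"
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported option {action!r} in {raw!r}")
        rules.append(Rule(daemons, clients, action))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """Match one client pattern against a dotted IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # trailing-dot prefix, e.g. "10.0.0."
        return addr.startswith(pattern)
    return addr == pattern  # exact address


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def check_access(rules: list, daemon: str, addr: str) -> str:
    """Return "allow" or "deny" for a connection from addr to daemon."""
    for rule in rules:
        if any(daemon_matches(d, daemon) for d in rule.daemons) and any(
            client_matches(c, addr) for c in rule.clients
        ):
            return rule.action
    return "allow"  # nothing matched: wrapper default


# Constructed sample file: the email's two netbios-ns lines plus an sshd pair.
SAMPLE_HOSTS_ALLOW = """\
# constructed example, not a real configuration
netbios-ns : 12.34.56.1 : allow
netbios-ns : ALL : deny
sshd : 10.0.0. : allow
sshd : ALL : deny
"""

# Same rules with the netbios-ns lines swapped: the deny now shadows the allow.
MISORDERED_HOSTS_ALLOW = """\
netbios-ns : ALL : deny
netbios-ns : 12.34.56.1 : allow
"""


def demo() -> dict:
    """Evaluate a few constructed connections against both rule sets."""
    good = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    bad = parse_hosts_allow(MISORDERED_HOSTS_ALLOW)
    return {
        "netbios trusted host": check_access(good, "netbios-ns", "12.34.56.1"),
        "netbios other host": check_access(good, "netbios-ns", "12.34.56.2"),
        "sshd from lan": check_access(good, "sshd", "10.0.0.7"),
        "sshd from elsewhere": check_access(good, "sshd", "10.0.1.7"),
        "unlisted daemon": check_access(good, "ftpd", "203.0.113.5"),
        "misordered trusted host": check_access(bad, "netbios-ns", "12.34.56.1"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:28s} -> {verdict}")
```

On a real FreeBSD host the same question is answered against the actual /etc/hosts.allow by tcpdmatch(8), e.g. `tcpdmatch netbios-ns 12.34.56.1`; the model above is only there to make the first-match ordering visible without a wrapped daemon running.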