Date:      Wed, 23 Oct 2002 09:21:06 +0100
From:      "Kjell" <la3sg@sensewave.com>
To:        James <mailinglists@telus.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Does a web server need ipfw?
Message-ID:  <3DB66A02.1947.30960E@localhost>
In-Reply-To: <20021022165521.GC148@work.ab.hsia.telus.net>
References:  <200210221211.52532.jrhoden@unimelb.edu.au>; from jrhoden@unimelb.edu.au on Mon, Oct 21, 2002 at 20:11:52 -0600

> On 2002.10.21 20:11 Jacob Rhoden wrote:
> > On Tue, 22 Oct 2002 03:43, James wrote:
> > > I'm just wondering if most web servers don't run a firewall?  We've
> > > set up a FreeBSD web server without ipfw running, and I don't really
> > > see any reason to run ipfw since the only services I have running are
> > > httpd and sshd.  We have also attempted to secure the machine in the
> > > other typical ways.
> > 
> > As others have said, you don't really need to, but it is a good idea,
> > and does add an extra layer of protection. One example of this would
> > be, if your web server is compromised, and the user gets access as
> > 'httpd' but not as root. Having a firewall will prevent them from
> > malicious activity, such as using your machine to launch a DOS attack
> > against another machine, and prevent them running a daemon that allows
> > them to connect to your machine on another port.
> > 
> > So you don't need a firewall, but it does make your machine a lot more
> > safe if you do.
> > 
> > The other option is that you can set the kernel secure level so that
> > users cannot modify the kernel or the firewall rules to get around your
> > security, without having local access to the machine.
> > 
> 
> 
> I appreciate all the input! I think I will be putting up ipfw 
> after all!  I see now that the benefits far outweigh the small amount of 
> time it takes to set up ipfw.  I imagine there wouldn't be any 
> noticeable effects to performance either.
> 
Have a look at
http://www.schlacter.net:8500/public/FreeBSD-STABLE_and_IPFILTER.html
Kjell
> James
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
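
The layering argument quoted above (a daemon started on another port stays unreachable, and a compromised 'httpd' account cannot open new outbound connections), as an added example that is not part of the original thread: a shell function that emits a stateful, default-deny ipfw ruleset. The function name, rule numbers, port list and the outbound DNS allowance are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print an ipfw ruleset for a host
# that offers only the TCP services named in $1 (default: HTTP and SSH).
# Assumptions: rule numbers, the port list, and that the host needs
# outbound DNS lookups and nothing else.

gen_rules() {
    ports=${1:-"80 22"}
    n=300

    # Loopback traffic is never filtered.
    echo "add 100 allow ip from any to any via lo0"
    # Packets belonging to a connection accepted below match here.
    echo "add 200 check-state"

    # Inbound: only new connections to the listed service ports create
    # state. A daemon bound to any other port receives nothing.
    for p in $ports; do
        echo "add $n allow tcp from any to me $p setup keep-state"
        n=$((n + 10))
    done

    # Outbound: DNS lookups only (assumed requirement of this host).
    echo "add 400 allow udp from me to any 53 keep-state"
    # Inbound ICMP errors needed for path MTU discovery and diagnostics.
    echo "add 500 allow icmp from any to me icmptypes 3,11"

    # Everything else the host originates is dropped and logged, so a
    # compromised service account cannot start connections or floods.
    echo "add 900 deny log ip from me to any"
    # Final explicit default deny for all remaining traffic.
    echo "add 910 deny log ip from any to any"
}

# Print the ruleset when executed directly with arguments.
if [ "$#" -gt 0 ]; then
    gen_rules "$*"
fi
```

Save the output to a file and load it by absolute pathname, for instance `ipfw -q /etc/ipfw.rules` (the path is an assumption). Loading a default-deny set over SSH can cut the session, so apply it from the console first.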