firewalls and webservers request for comments

Frank Wiles frank at wiles.org
Thu Oct 7 16:50:38 CDT 2004


On Thu, 7 Oct 2004 16:38:58 -0500
"Brian Densmore" <DensmoreB at ctbsonline.com> wrote:

> Ok, y'all know I've got me one of them thar webservers
> out there in the WWWild. I run a minimal firewall (aka
> iptables). I'm wondering though what the consensus is
> on running a full-blown firewall like say IPCop on a
> server that is a busy box. My webserver is also a mail
> server and naturally a webmail server. What are the benefits
> of say adding a second box and running a full-metal jacket
> firewall like IPCop, and can you run a webserver/mailserver
> on the same box as IPCop (that is without ripping out the
> guts of IPCop so it's no longer an IPCop version but some
> chopped up hacked up Frankenstein monster)?

  If you are only running the services you need to be running and
  have locked down your system fairly well, a firewall, either
  internal or external, is mostly pointless.

  If you're running an E-mail server and WWW server you'll need
  the following ports open: 

  25 SMTP 
  80 WWW
  110 POP3
  143 IMAP 

  Possibly some others for SSL encrypted POP, IMAP, WWW and possibly
  SSHD if you're going to do remote administration. 

  Putting a firewall in front of this box, or using iptables, is 
  mostly a waste of time because you'll need all of these ports open
  to most every Internet IP address anyway or they can't provide their
  services. 

  Firewalls aren't a magic bullet. Most every service you run on a
  Linux box can be IP restricted on its own, or if not, you can use
  iptables to do this.  That's all firewalls really do: IP restrict
  who can access what ports.

  Considering most, if not all, of your services need to be accessible
  from the entire Internet I wouldn't worry about a firewall.

 ---------------------------------
   Frank Wiles <frank at wiles.org>
   http://www.wiles.org
 ---------------------------------
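
Added example (not part of the original message or thread): a check that the box is "only running the services you need", comparing TCP listeners against the four ports listed in the message. The function name `unexpected_listeners` is hypothetical and the sample listener lines are constructed in the format of `ss -H -tln`.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from the network that are not
# in the set of ports the mail/web server is meant to expose.

# Ports listed in the message above (SMTP, WWW, POP3, IMAP).
ALLOWED_PORTS="25 80 110 143"

# Constructed sample in the format of `ss -H -tln`; not output from a real host.
SAMPLE_LISTENERS='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 0.0.0.0:110 0.0.0.0:*
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# unexpected_listeners "<allowed ports>"
# Reads `ss -H -tln` lines on stdin and prints "port address" for every
# listener that is not loopback-only and whose port is not in the allowed set.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            local_addr = $4
            port = local_addr; sub(/.*:/, "", port)        # text after the last colon
            addr = local_addr; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, skip
            if (!(port in ok)) print port, addr
        }' | sort -n
}

# Live use on the server: ss -H -tln | unexpected_listeners "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "$ALLOWED_PORTS"
```

Each line printed is a listener to shut down, bind to loopback, or IP restrict; add the SSL and SSHD ports to the allowed list if those services are meant to be exposed.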



