Re: Shorewall for web server?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim wrote:

>>> You may not want to run a webserver on your firewall from a security
>>> standpoint, but that aside...
> 
> Timothy Murphy:
>> Is it safer to run shorewall on another computer behind the firewall?
> 
> Shorewall is what configures your firewall, it's done on the same
> computer.

Sorry, I mis-wrote yet again.
What I meant to say was: Is it safer to run a web-server (httpd)
on another computer, rather than on the machine running the firewall?

>> I'd be interested in any information - eg pointers to documentation -
>> on making a home web-server secure (or more secure, at least).
> 
> The basic advice is to run something separate as a firewall between the
> WWW and you.  If you wanted to be really safe, and run a public web
> server, then you'd run the web server on a separate box, too.
> 
> It goes without saying that the web server must be isolated from your
> LAN, for that to be of any benefit.  You route connections through your
> firewall to it, and allow it to respond back out again.  But you don't
> allow it access to any other part of your network.
> 
> That way, if someone exploits your firewall (if possible), all they do
> is muck up the firewall.  Likewise, if someone exploits the web server,
> all they do is muck it up.  They're not able to muck up your other
> terminals and servers, because they don't connect to them.

I still don't really see any great advantage
in running the web-server on a different machine to the firewall.
Can one not restrict the part of the computer 
accessible through the web-server in a reasonably secure way?

Actually, everything available through the web-server is fully backed up,
so it would not be any great loss if someone hacked this.
On the other hand, I would be upset if someone hacked into
the main part of the computer running the firewall.



-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux