David Cary Hart wrote:
> Is it safer to run shorewall on another computer behind the firewall?
Shorewall is what configures your firewall; it's done on the same
computer.
> I'd be interested in any information - eg pointers to documentation -
> on making a home web-server secure (or more secure, at least).
The basic advice is to run something separate as a firewall between the
WWW and you. If you wanted to be really safe, and run a public web
server, then you'd run the web server on a separate box, too.
> I'm not entirely sure how much a firewall has to do with this. It's a matter of
> how the firewall is used. No need for Shorewall IMO.
Sure you don't need shorewall. Sure you can write all your programs in
Assembler for your CPU.
Shorewall, like your compiler of choice, provides a more concise means
of expressing your intent.
I use shorewall myself, and I'm way more confident of the outcome than
I'd be using iptables directly.
> The issue becomes who to block, how and for how long.
> One option is to do this via snort (there are several methods of triggering
> firewall rules).
On my systems I have mail (coming and going) and www open to all. And
ssh, but I limit ssh to a small range of IP addresses in
/etc/hosts.allow and/or /etc/hosts.deny.
Simple cases don't require a firewall at all (I have more needs than
I've disclosed here). If a port's not open on your external interface,
nobody's going to connect to it. If you're supplying a public service
(http, receiving mail etc) then ports supporting those services have to
be open on the external interface and unblocked.
In my case, ssh has to be open, but not _that_ open.
--
Cheers
John
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
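As an added illustration of the policy John describes (mail and www open to all, ssh only from a small range), here is a minimal Shorewall configuration expressing that intent, plus the matching tcp_wrappers entries. This is example configuration written for this thread, not John's files; the interface name eth0 and the address range 203.0.113.0/28 are constructed placeholders.

```text
# /etc/shorewall/zones -- the firewall itself and the untrusted Internet
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces -- which NIC faces the net zone
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy -- default stance: outbound allowed ("mail going"),
# anything unsolicited from the net dropped and logged, everything else rejected
#SOURCE   DEST   POLICY   LOGLEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules -- the only ports open on the external interface
#ACTION   SOURCE               DEST   PROTO   DPORT
# incoming mail and the public web server, open to everyone
ACCEPT    net                  $FW    tcp     25
ACCEPT    net                  $FW    tcp     80
# ssh is open, "but not _that_ open": only from a small constructed range
ACCEPT    net:203.0.113.0/28   $FW    tcp     22

# /etc/hosts.allow -- second layer for sshd via tcp_wrappers (same range)
sshd: 203.0.113.0/255.255.255.240

# /etc/hosts.deny -- everything else is refused by sshd itself
sshd: ALL
```

The hosts.allow/hosts.deny layer only applies if sshd was built with libwrap support, which OpenSSH dropped in 6.7, so on newer systems use the firewall rule (or sshd's own Match/AllowUsers options) rather than relying on tcp_wrappers.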