Re: Shorewall for web server?


David Cary Hart wrote:


Is it safer to run shorewall on another computer behind the firewall?

Shorewall is what configures your firewall, it's done on the same
computer.


I'd be interested in any information - eg pointers to documentation -
on making a home web-server secure (or more secure, at least).

The basic advice is to run something separate as a firewall between the
WWW and you.  If you wanted to be really safe, and run a public web
server, then you'd run the web server on a separate box, too.

I'm not entirely sure how much a firewall has to do with this. It's a matter of
how the firewall is used. No need for Shorewall IMO.

Sure you don't need shorewall. Sure you can write all your programs in Assembler for your CPU.

Shorewall, like your compiler of choice, provides a more concise means of expressing your intent.

I use shorewall myself, and I'm way more confident of the outcome than I'd be using iptables directly.

The issue becomes who to block, how and for how long.
One option is to do this via snort (there are several methods of triggering
firewall rules).

On my systems I have mail (coming and going) and www open to all. And ssh, but I limit ssh to a small range of IP addresses in /etc/hosts.allow and/or /etc/hosts.deny.

Simple cases don't require a firewall at all (I have more needs than I've disclosed here). If a port's not open on your external interface, nobody's going to connect to it. If you're supplying a public service (http, receiving mail etc) then ports supporting those services have to be open on the external interface and unblocked.

In my case, ssh has to be open, but not _that_ open.

--

Cheers
John


do not reply off-list
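The setup John describes (mail and www open to all, ssh open only to a small address range, with Shorewall on the firewall host and tcp_wrappers as a second layer) written out as configuration. This is an added example, not from the original thread; the range 192.0.2.0/28 is a placeholder and the Shorewall rules-file column layout is assumed for the version in use.

```text
# /etc/shorewall/rules  (assumed column layout; 192.0.2.0/28 is a placeholder range)
#ACTION  SOURCE            DEST   PROTO  DEST PORT(S)
ACCEPT   net               $FW    tcp    25      # incoming mail, open to all
ACCEPT   net               $FW    tcp    80      # www, open to all
ACCEPT   net:192.0.2.0/28  $FW    tcp    22      # ssh, only from the small range
# Anything else arriving from net falls through to the net->$FW zone policy
# (DROP or REJECT in /etc/shorewall/policy), so no other port is reachable.

# /etc/hosts.allow  -- checked first by tcp_wrappers, before hosts.deny
sshd: 192.0.2.0/255.255.255.240

# /etc/hosts.deny   -- hosts.allow alone restricts nothing: a client that matches
# neither file is allowed, so the deny-all entry is what closes sshd to the rest
sshd: ALL
```

The two layers are independent: if the Shorewall rule were later loosened, sshd itself would still refuse connections outside the range, and vice versa.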

