On Wed, 2005-12-28 at 00:04 +0000, Timothy Murphy wrote:

> I still don't really see any great advantage
> in running the web-server on a different machine to the firewall.
> Can one not restrict the part of the computer
> accessible through the web-server in a reasonably secure way?

It's just another step towards greater security. A firewall will only allow the traffic that you want, and it can block things in different ways (if you want) that a web server doesn't/mayn't have features to do. Not just blocking incoming connections to your system, but blocking any exploits they make of your server back to the outside world.

> Actually, everything available through the web-server is fully backed
> up, so it would not be any great loss if someone hacked this.
> On the other hand, I would be upset if someone hacked into
> the main part of the computer running the firewall.

If someone hacks into a firewall PC with no servers on it, they're a bit lost. They can't do much more than look at what's on it. But if they break into a box with servers, then they've got more opportunities to make a nuisance of themselves. Both to you, and to others through you. In the latter case, it looks like it is you harming others, and you might have to wear the responsibility of it. Spam may be the least of your problems; they might carry out illegal acts through you.

-- 
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.