Re: Linux server as it own firewall

From: Mogens Valentin (monz@danbbs.dk)
Date: 09/13/01


Message-ID: <3B9FF2AF.1C8DFDF2@danbbs.dk>
Date: Thu, 13 Sep 2001 01:41:35 +0200
From: Mogens Valentin <monz@danbbs.dk>
To: jpuckett@ticom.com
Subject: Re: Linux server as it own firewall

James Puckett wrote:
> I am considering having the firewall for a Linux server I am
> building running on the server itself using IPTables. This server will
> see very little load, so performance will probably not be an issue. What
> I am wondering is, what are the implications of having a Linux box on the
> internet running its own firewall? ...

Depends on how well you know iptables and how to secure a server even
without a firewall.
A firewall still has to allow a range of services, rules against all
kinds of things or not. If the server itself is inadequately secured, a
firewall will not be enough.
So yes, you _may_ safely run services on a firewall, provided you
configure every service carefully (which you will want to do anyway..).
The real safe thing to do is of course a dedicated firewall. YMMV...

It's possible to secure a Linux server pretty well even without a
firewall. At a former job, 12 online servers had no firewall, but were
secured by removing unwanted services, only letting needed services run,
using no telnet or r* services at all, only connecting with ssh, proper
use of hosts.deny/allow, setting up egress filtering in /proc, and so
forth.
A Vigilante security test deemed the setup 'very secure'.

Bear in mind though, that a security testing company has a limited
timeframe for those penetration tests; a cracker may have lots of time
to come back at irregular intervals, making it harder to detect a
pattern.

-- 
Regards,
           Mr Dev - Mogens Valentin
    http://www.mrdev.com - mrdev@danbbs.dk
OpenSource Security - Networking - Programming
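
The approach discussed in this thread, as an added example that is not part of the original post: a default-deny iptables ruleset for a server that firewalls itself, plus a check for services still listening outside the allowed set. The function names, the port list and the `ss -tln` style sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names, ports and SAMPLE_SS are constructed for illustration.

# Print an iptables-restore ruleset for a server that firewalls itself.
# $1: space-separated TCP ports of the services deliberately left running.
gen_host_ruleset() {
    for p in $1; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2; return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default deny inbound
    echo ':FORWARD DROP [0:0]'    # the server is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Read `ss -tln` style output on stdin and print every non-loopback listening
# port that is NOT in the allowed list ($1): services the firewall would hide
# but that are still running and should be removed.
unexpected_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ {
             n = split($4, a, ":"); print a[n] }' | sort -un |
    while read -r port; do
        case " $1 " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample of listening sockets (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
LISTEN 0      511    [::]:80            [::]:*'

gen_host_ruleset "22 80"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80"
```

On a real host the ruleset would be piped to `iptables-restore` as root and the check fed from `ss -tln`; any port it prints is a service to disable rather than merely filter.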


