Re: Linux server as its own firewall

From: Ross Del Duca (
Date: 09/13/01

Date: Wed, 12 Sep 2001 19:49:05 -0700
From: Ross Del Duca <>
Subject: Re: Linux server as its own firewall
Message-Id: <>

On Wed, 12 Sep 2001 13:25:21 -0400
James Puckett <> wrote:

> All,
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables. This server will see very little
> load, so performance will probably not be an issue. What I am wondering is,
> what are the implications of having a Linux box on the internet running its
> own firewall? The way I see it, if someone can manage to break into a locked
> down firewall, he will not have too many problems getting into the machines
> behind the firewall.

I personally use this configuration for my web servers. One of the advantages I see is that, by moving the security mechanisms (i.e. firewall) to the individual servers - you remove the potential 'single point of failure' of a network based firewall. Given that IPTables is integrated into the kernel itself, if the firewall should fail, it is a safe bet that there are problems with the services running on that machine anyhow.

> On the other hand, if the attacks take a while to go
> off, the extra time it takes to get into the server behind the FW could be
> what saves the server if the intrusion is detected. I also wonder about the
> obvious problem of having extra daemons on the firewall adding to the number
> of exploitable holes on one machine.

I don't really see the problem with extra daemons running. A given server would (should?) only have the daemons running that are necessary for the services that it is providing. If these are publicly available services, then the firewall would have to let in traffic to those services anyhow. Just follow the standard first axiom of security: "If you don't need it, don't run it..."

> Overall I am really against the idea, but in the long run working this way
> could save some money, and if it looks like the system won't be made too
> insecure this could be a viable idea.

I think this is the crux. By moving the firewalling to individual servers, you 1) don't need a dedicated firewall machine(s), 2) can isolate specific machines so that only specific services can get through (both from internal and external traffic - if that is an issue), and 3) spread the firewalling load (which is really not much on most any machine) to only those machines immediately affected by a given rule.

Of course, on the other hand, the administrative duties are increased by this approach. Again, just follow the basic axiom. With many security mechanisms, it is deny all - oh yeah, except this and this. With IPtables, it allows this, this and that. If else, then, well, too bad.....
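The "allow this, this and that; otherwise too bad" policy above, written out as an added example that is not from the original thread: a default-deny host ruleset in iptables-restore format. The public interface eth0, the internal network 10.0.0.0/8, and the service set (HTTP/HTTPS public, SSH from the internal network only) are assumptions, not anything stated in the message.

```shell
#!/bin/sh
# Added example, not from the original thread: a default-deny host firewall
# in iptables-restore format. Assumed values: public interface eth0, internal
# network 10.0.0.0/8, HTTP/HTTPS offered publicly, SSH only from inside.
PUB_IF="${PUB_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"

# Emit the ruleset text; feed the output to iptables-restore to apply it.
build_ruleset() {
    cat <<EOF
*filter
# Default policy: drop anything not explicitly allowed. This host is not a
# router, so nothing is forwarded at all.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the box; allow it first.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started, and related traffic (ICMP errors).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets claiming an internal source address but arriving on the public side
# are spoofed; drop them before any service rule can match.
-A INPUT -i $PUB_IF -s $INTERNAL_NET -j DROP
# Publicly offered services: only what the server actually runs.
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Administrative access (SSH) only from the internal network.
-A INPUT -p tcp --dport 22 -s $INTERNAL_NET -m state --state NEW -j ACCEPT
# Keep ping working so the box can still be monitored.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Everything else falls through to the DROP policy; log a rate-limited sample
# so denied traffic shows up in syslog.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
COMMIT
EOF
}

# Sanity check on the generated text: succeeds only if INPUT defaults to DROP.
ruleset_is_default_deny() {
    build_ruleset | grep -q '^:INPUT DROP'
}

build_ruleset
```

Apply with `build_ruleset | iptables-restore` from a console session rather than over SSH, so a mistake in the SSH rule cannot lock you out of the box.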
