Re: Linux server as its own firewall

From: Scott Gifford
Date: 09/14/01

Subject: Re: Linux server as its own firewall
From: Scott Gifford
Date: 13 Sep 2001 22:10:55 -0400

Seth Arnold writes:

> On Wed, Sep 12, 2001 at 01:25:21PM -0400, James Puckett wrote:
> > I am considering having the firewall for a Linux server I am building
> > running on the server itself using IPTables.
> Every time someone mentions firewalls, I always think of a quote I heard
> once: "Firewalls are a symptom of broken hosts". (Anyone who knows the
> original source of this quote, please let me know privately. :)

Firewalls are another layer of protection for broken hosts. Mistakes
are made, and a good firewall can stop them from becoming fatal ones.
I used to work at a place that ran everything wide-open on the
Internet, and we did a lot of work to keep everything secure.
Nonetheless, a monitoring machine somehow fell off of our list of
machines to keep up-to-date with security patches, and was

Many client-only machines run services they don't even know about, and
this also provides protection against that. For example, many ISPs
said users infected with CodeRed didn't even install IIS on their
machines; apparently some other applications take it upon themselves
to install IIS without warning you. Windows filesharing is difficult
to disable, and has been the source of security problems in the past.
Securing an NT machine at work, I found 10 different ports listening,
all by random applications that felt the need to listen on Internet

They make it easier to experiment inside your network. You can set up
a copy of apache on your workstation to play with, without worrying
about locking it down right away.

And they're a good part of "security in depth", making sure that you
have multiple layers of security so that if one is broken you're not

The security in depth philosophy would also recommend a dedicated
firewall. Eventually, the machine will crash, and need to have the OS
reinstalled, and unless you're very careful, will have an insecure
setup. Probably, this will be in a crisis moment, and you'll worry
more about getting the services on the machine back up before worrying
about getting the firewall working, leaving you more exposed.

I would recommend that you buy a cheap firewall box. The router you
use to connect to the Internet can probably provide adequate
firewalling capabilities. For less than 10MB of bandwidth, many cheap
$300 consumer-grade firewalls should probably work just fine (make
sure it supports stateful packet inspection); a dedicated OpenBSD or
other UNIX machine can handle a bit more than that. For a bit more,
you can get a firewall and load-balancer combined, and improve your
reliability while improving your security.
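An added example, not from the original thread, of what the host-side option discussed above looks like in practice: POSIX shell helpers that emit a stateful, default-deny iptables ruleset for the server's own firewall, and a check that can be run at boot or after a reinstall to confirm the ruleset really loaded (the reinstall-and-forget failure mode described above). The exposed ports (22, 80) and the file paths in the usage comment are assumptions.

```shell
# Added example (not the original poster's code). POSIX sh helpers for a
# "firewall on the server itself" setup: host_fw_rules emits an
# iptables-restore ruleset (stateful, default-deny inbound), and
# host_fw_check verifies that a saved/running ruleset really is default-deny,
# so a fresh OS reinstall that forgot the firewall is caught early.

# host_fw_rules PORT... : print a ruleset exposing only the given TCP ports.
host_fw_rules() {
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m state --state INVALID -j DROP'
  for port in "$@"; do
    # Only NEW connections to listed ports get in; everything else hits the
    # INPUT DROP policy, including services you did not know were listening.
    printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' \
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
    'COMMIT'
}

# host_fw_check FILE : return 0 if FILE (iptables-save format) has a DROP
# policy on INPUT and a stateful accept rule, 1 otherwise. Newer iptables
# saves the state match as "-m conntrack --ctstate", so both forms pass.
host_fw_check() {
  rules=$(cat "$1")
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || {
    echo "host_fw_check: INPUT policy is not DROP" >&2; return 1; }
  printf '%s\n' "$rules" | grep -Eq -- '--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' || {
    echo "host_fw_check: no stateful ESTABLISHED/RELATED accept rule" >&2; return 1; }
  return 0
}

# Typical use as root on the server (ports 22 and 80 are assumed here):
#   host_fw_rules 22 80 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
#   iptables-save > /tmp/running.rules && host_fw_check /tmp/running.rules
```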