Re: are IPTABLES good enough security for a webserver

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 04/04/03

• Next message: Hyochang Nam: "Q] Privileged Process Hijacking Vulnerability"
• Previous message: Nico Kadel-Garcia: "Re: Can allowing ftp compromise security?"
• In reply to: Grant Holman: "are IPTABLES good enough security for a webserver"
• Next in thread: Alan Frame: "Re: are IPTABLES good enough security for a webserver"
• Reply: Alan Frame: "Re: are IPTABLES good enough security for a webserver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Fri, 04 Apr 2003 16:05:13 +0200

Grant Holman wrote:
>
> Will IPTABLES act as a secure enough firewall for a web server or should I
> be looking at a dedicated 3rd party firewall packge?

AFAIK most firewall software for Linux is merely frontends for ipchains
or iptables. Learning to write your iptables ruleset by hand usually
gives you a better result than any of those frontends would.

If you are looking for an alternative to iptables, you should be
looking for dedicated hardware. Of course iptables on a dedicated
computer is an option. Compared to running iptables on the webserver
itself both solutions have a few advantages and disadvantages.

It is a possibility to use a hardware box only designed for acting as
router/firewall in front of a webserver configured with iptables.

But whatever you choose to do, you should still configure the
webserver in a way that would be secure even without any firewall. No
firewall however good it may be, will secure you if you don't keep
your webserver software updated.

-- 
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:aaarep@daimi.au.dk
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);

---

• Next message: Hyochang Nam: "Q] Privileged Process Hijacking Vulnerability"
• Previous message: Nico Kadel-Garcia: "Re: Can allowing ftp compromise security?"
• In reply to: Grant Holman: "are IPTABLES good enough security for a webserver"
• Next in thread: Alan Frame: "Re: are IPTABLES good enough security for a webserver"
• Reply: Alan Frame: "Re: are IPTABLES good enough security for a webserver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Feedback solicited - best way to harden a mail/web server? ... Was the system protected by a properly configured firewall? ... it's not a bad "starting point" and it can generate an IPtables rule ... > nor is there a web or ftp server; aside from that I haven't tried to secure ... Before I'll install some nifty application ... (comp.os.linux.security) Re: EMERGENCY - need to secure my server against an ongoing SPAMMER ... computer with a broadband connection. ... that IP range will prevent that spammer from wasting your systems ... This approach eventually makes your firewall machine so busy it has ... A better approach is to use IPTables to deny ALL inbound attempts to ... (Fedora) linux - iptable firewall DNS question ... When my firewall is active, i am unable to use name solving features from my ... iptables -P INPUT ACCEPT ... # $ipnet -> adresse ip de l'interface connectée à internet ... echo ACCES AU FIREWALL DEPUIS LOCAL ... (comp.security.firewalls) Re: Wrt54G is a FW appliance? ... >can be considered as fully secure. ... >> calls it a firewall, that is not what makes it a firewall. ... an IPtables implementation on one device... ... (comp.security.firewalls) Re: firestarter start failure? ... It writes to iptables firewall rules, and then is done, ... unless gui is open. ... Do I have to start Firestarter after I have rebooted? ... When Firestarter is installed from a package, the firewall ... (Ubuntu)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)