Re: Firewalls: what's the use?

From: Travis Casey (efindel_at_earthlink.net)
Date: 12/13/03


Date: Sat, 13 Dec 2003 21:57:31 GMT

Gabriel wrote:

> This is my scenario: I'm running a 24/7 Apache web server with MySQL
> and PHP on Linux Red Hat 9.0. The only ports that I have opened are 80
> (http) and 22 (ssh). From one of the web pages on the web server it is
> possible to send mail via a form but port 25 on my system only allows
> local connections and it is not possible to connect to it from the
> outside, just to send mail from the inside.
>
> Since it is a web server I obviously need to allow traffic from anyone
> to port 80. Now to my question: why do I need a firewall?

Not everyone needs one. If you can do all the limiting of services you want
to through other means, then you don't need one.

A few semi-random questions, though:

- Have you verified that those are the only open ports through a scan from
another network?

- Have you verified that your mail server really does reject non-local
connections?

- Is there anyone else who uses the system?

- Is this the only system on your network?

- Are you using any sort of automatic update? E.g., "up2date" run through a
script periodically?

The basic thing that a firewall does is limit what you have to worry about.
With a properly-configured firewall, there are fewer worries about things
like a user installing and running a backdoor program, or an automatic
update changing your mail server configuration to allow connections from
anywhere (or installing a new service!). With multiple computers, it may
be easier to limit things through one firewall than by configuring each
machine. And with many users, you might want to limit where some users can
go.

> If there are no open ports on my system there is nothing to hack? Am I
> wrong? I know that it is possible to attack the server through port 80
> with "disguised" data, but a firewall won't stop that anyway so why do
> I need one?

An application-level firewall conceivably could. There's more than one type
of firewall.

Note as well that a firewall can limit outgoing connections. On a pure
server, it may be desirable to limit outgoing connections to ones that you
know the server should be making... so that if someone does manage to break
in through a hole in a service, their ability to use your machine as a
launching point for attacks on other systems is limited.

> I guess it could be useful to restrict SSH-access only to
> one or two IP numbers but it seems like overkill to implement a
> firewall just because of that.

You should be able to do that through the SSHD config files.

> Forgive my stupidity and please tell me why I need a firewall.

It's possible that you don't. Not everyone does. Note, though, that if you
have the time to spend, having an extra layer of security is not
necessarily a bad thing... it can protect against mistakes in
configuration, if nothing else.

-- 
ZZzz   |\      _,,,---,,_     Travis S. Casey  <efindel@earthlink.net>
       /,`.-'`'    -.  ;-;;,_   No one agrees with me.  Not even me.
      |,4-  ) )-,_..;\ (  `'-'
     '---''(_/--'  `-'\_)
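A constructed shell script, added here and not part of the thread, that expresses the policy the reply describes for this host (port 80 from anyone, SSH only from one or two admin addresses, port 25 local-only, egress limited to what a pure web server should initiate) as iptables rules. The admin addresses are placeholders, and with DRY_RUN=1 (the default) the rules are printed rather than applied.

```shell
#!/bin/sh
# Constructed example for the poster's Red Hat 9 web server; not from the thread.
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11}"  # placeholder admin addresses
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print rules, 0 = apply

# Wrapper so the same function can be reviewed (printed) before it is applied.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
  # Default-deny in every direction; the rules below whitelist what is needed.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP
  # Loopback stays open: this is what keeps port 25 usable "from the inside"
  # while no INPUT rule ever accepts port 25 on a real interface.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  # Replies to connections that were already allowed.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Web server: anyone may open a connection to port 80.
  ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # SSH: only the listed admin addresses (sshd_config can restrict this too,
  # but a packet filter still helps if sshd is misconfigured).
  for ip in $ADMIN_IPS; do
    ipt -A INPUT -p tcp -s "$ip" --dport 22 -m state --state NEW -j ACCEPT
  done
  # Egress: only what the box itself must initiate. DNS lookups, outbound
  # SMTP for the web form's mail, and HTTPS for the update client.
  ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
  # Anything else trying to leave is logged: a compromised service using the
  # host as a launching point shows up here instead of succeeding silently.
  ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "
}

firewall_rules
```

Run it once with DRY_RUN=1 to read the rules, then re-run with DRY_RUN=0 as root to apply them; verify the result afterwards with a port scan from another network, as the reply suggests.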

