Re: Linux firewall questions

From: Thomas Hertel (Thomas.Hertel_at_gmx.net)
Date: 01/26/04


Date: Mon, 26 Jan 2004 20:59:10 +0100

Devdas Bhagat <devdas@users.sourceforge.net> wrote:

>On Wed, 21 Jan 2004 23:52:47 +0100, Wolfgang Kueter <wolfgang@shconnect.de>
>poured into the usenet group comp.security.firewalls:
>> Thomas Hertel wrote:
>>
>>> mrea@ohiotravelbag.com (Mike) wrote:
>>
>>>>2. What issues do I have with my e-mail and web server all being run
>>>>on the same box as my firewall.
>>>
>>> This is the real issue, and it is independent of the O/S. As soon as
>>> one of the services you run on your firewall box proves to be
>>> vulnerable, so is your firewall. Specifically, running mail and web
>>> servers on such a machine does not sound like a good idea to me. It is
>Depending on the mail service itself. Running an ALG is a good idea,
>particularly if you hook AV into it. If this is a full-fledged
>pop3/imap/SMTP/webmail gateway, then this is a bad idea.
>
>>> good practice not to run any services on such a machine. Better get
>>> another NIC, build a DMZ and place any public servers/services there.
>>
>> I'd go even further and simply not call a machine offering public services a
>> firewall.
>Proxies? They do offer a limited subset of public services.

Right. As such, they can be part of a firewall if we think of a
firewall being a concept rather than a piece of hardware or software.

Thomas

-- 
"The opinions expressed herein are subject to change without notice"
From the copyright notice of a Gartner Group study
Email for non-spam: My_initials_at_arcendo_dot_com

