2 quick firewall questions for FreBSD

Erik Norgaard norgaard at locolomo.org
Sun Jan 30 05:16:21 PST 2005

Andy Firman wrote:
> First, if one were to deploy FreeBSD 5.3 as a standard
> web and email server, would it need a firewall?
> I don't see the point because only ports like 25 for 
> smtp, 110 for pop, 80 for http, etc... will be listening
> and open for connections with or without a firewall.

You always should use a firewall. You may run other services that may 
bind to ports on all interfaces, eg syslog, mysql, or others. Having a 
firewall will protect you against accidental misconfigurations of 
services that should only be accessible locally.

You may argue that your server is behind a routing firewall, but that 
argument only holds if there are no other servers. Otherwise you are at 
risk that if one server is compromised, the others fall easily thereafter.

The point is to use layers of security and filtering both on network 
routers/firewalls and on individual hosts, to obtain finegrained control 
and prevent a compromise from propagating.

Cheers, Erik

Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

More information about the freebsd-questions mailing list