2 quick firewall questions for FreeBSD

Erik Norgaard norgaard at locolomo.org
Sun Jan 30 05:16:21 PST 2005


Andy Firman wrote:
> First, if one were to deploy FreeBSD 5.3 as a standard
> web and email server, would it need a firewall?
> I don't see the point because only ports like 25 for 
> smtp, 110 for pop, 80 for http, etc... will be listening
> and open for connections with or without a firewall.

You always should use a firewall. You may run other services that may 
bind to ports on all interfaces, e.g. syslog, mysql, or others. Having a 
firewall will protect you against accidental misconfigurations of 
services that should only be accessible locally.

You may argue that your server is behind a routing firewall, but that 
argument only holds if there are no other servers. Otherwise you are at 
risk that if one server is compromised, the others fall easily thereafter.

The point is to use layers of security and filtering both on network 
routers/firewalls and on individual hosts, to obtain fine-grained control 
and prevent a compromise from propagating.

Cheers, Erik

-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
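
Added example, not part of the original message: a check for the case described in the reply, where a service such as syslog or mysql binds to all interfaces on a host meant to expose only ports 25, 110 and 80. It assumes the column layout printed by FreeBSD's `sockstat -4 -l`; the function names, the daemon names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Report listening sockets reachable from the network whose port is not
# on the list of services the host is meant to offer.

# Ports named in the question: smtp, http, pop.
ALLOWED_PORTS="25 80 110"

# Constructed sample in the layout of `sockstat -4 -l` (not real output).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   512   4  tcp4   *:25                  *:*
root     popper     530   0  tcp4   *:110                 *:*
www      httpd      600   3  tcp4   *:80                  *:*
mysql    mysqld     431   5  tcp4   *:3306                *:*
root     syslogd    300   6  udp4   *:514                 *:*
root     sshd       450   3  tcp4   127.0.0.1:22          *:*
EOF
}

# Reads sockstat-style lines on stdin. Prints "command proto address" for
# each socket that is not bound to loopback and whose port is not in $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }          # skip the header line
        NF >= 6 {
            local_addr = $6
            k = split(local_addr, p, ":"); port = p[k]
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host ~ /^127\./) next             # loopback-only is local by design
            if (!(port in ok)) print $2, $5, local_addr
        }'
}

# On a live host: sockstat -4 -l | unexpected_listeners "$ALLOWED_PORTS"
sample_sockstat | unexpected_listeners "$ALLOWED_PORTS"
```

Each line it prints is a service that a host firewall with a default-deny inbound policy would keep unreachable even though the daemon is bound to every interface.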

