Firewall/Webserver Bad Idea?

Rainsford

Lifer
Apr 25, 2001
I have this Linux box that I had set up as a webserver that I just use for some little stuff, and I figured I'd also get a firewall/NAT box out of it too since webserving didn't take up too much processing time. It works great, and I'm looking at tutorials on how to make really secure firewalls, but I keep reading about how a firewall should be very minimalistic for security reasons. My question is, why? As long as the other programs I'm running are secure (and they should be, I haven't had any problems since I've had it running), why would it matter? Am I missing something here? Thanks.
 

gaidin123

Senior member
May 5, 2000
The idea that a firewall should be an absolute minimal install is good for several reasons. First off, even if your software is "secure" now, nothing says that it will be secure next week, or even later today. :) Traditionally a firewall protects multiple servers and/or clients, or even an entire network so high performance is a major issue for the firewall. Every service you have running on the firewall box besides the firewall software will take some amount of CPU time and network performance away from the firewall. Also, ideally you want the firewall box to be accessed by as few people as possible and this means not letting your web admin or db admin or whomever access the box just to "look around". :) If someone else has access to the machine, even if their job is only to administer one of the services then you have a security problem with your firewall.

Now if this is just for a home machine or if the firewall exists only to protect one machine then most of the above is probably thrown out the window. But if you have a web server or a database server with people's personal information, SSN, CC #s, etc. then you really want all that info on a separate machine from everything else.

With that said, at work our firewall is just a bridging firewall, meaning that it filters traffic but it's IP-less. It's basically invisible on the network and is completely inaccessible from a network connection. There's no way to be running other services on it. But at home I have a Linux box that runs SSH, an internal-only web proxy (junkbuster), and occasionally whatever else I feel like playing with since security isn't top priority for me at home.

BTW Linux with iptables is actually pretty fun and the IP Masquerading howto from ipmasq.cjb.net is really really good. :)

Gaidin
 

n0cmonkey

Elite Member
Jun 10, 2001
httpds have had their problems. If someone can get into the webserver/email server/whatever it's serving, the machine is toast. What is your first line of defense on your perimeter (other than a router)? Your firewall. If the firewall is cracked you can say good-bye to the rest of your network (or at least a good portion of it). In a home DSL webserver type of setup running these together wouldn't be a horrible thing, just not recommended.

Another note: when a machine gets compromised, it's best to limit the damage done. If that machine is the only server doing everything on your network you will have a lot more work and more potential problems if it is cracked. If the machine is only performing one task you shouldn't have to clean up as much. I run email/web/dns all on one machine, but only one of those is accessible from the outside (home network). It's a bad idea, but there are several reasons why I have chosen to go this route over multiple machines.
 

Nothinman

Elite Member
Sep 14, 2001
As long as the other programs I'm running are secure

That's the key, more services means more possible ways in. As long as you're informed and stay up to date on patches you'll be able to easily fend off probably ~90% of attack attempts you'll get (I know almost all the attempts I get are months old or automated nimda attacks).

One other thing to watch out for is how the services can interact with each other, like if you have an ftp server running along with Apache make sure there's no way I can get to Apache's CGI directory via FTP =)

It's a bad idea, but there are several reasons why I have chosen to go this route over multiple machines.

Are electric bill and heat two of them? =)
 

Rainsford

Lifer
Apr 25, 2001
Thanks for the info. The firewall is just for personal home use, and there isn't any confidential stuff on it. I have another computer, so maybe I'll mess around with that and see if I can't set up a firewall only box. With that being said, how did you set up your IP-less box? I'd be really interested to try that, that would be a great firewall, it would be almost impossible to attack directly. Does IP Masq work with that kind of setup? Thanks.
 

Rainsford

Lifer
Apr 25, 2001


<< httpds have had their problems. If someone can get into the webserver/email server/whatever it's serving, the machine is toast. What is your first line of defense on your perimeter (other than a router)? Your firewall. If the firewall is cracked you can say good-bye to the rest of your network (or at least a good portion of it). In a home DSL webserver type of setup running these together wouldn't be a horrible thing, just not recommended.

Another note: when a machine gets compromised, it's best to limit the damage done. If that machine is the only server doing everything on your network you will have a lot more work and more potential problems if it is cracked. If the machine is only performing one task you shouldn't have to clean up as much. I run email/web/dns all on one machine, but only one of those is accessible from the outside (home network). It's a bad idea, but there are several reasons why I have chosen to go this route over multiple machines.
>>



Hmm, good point about limiting the damage. Well...I have another old computer, and I've always wanted to try setting up an OpenBSD firewall... Also, it's my only line of defense since I'm on a college network.
 

n0cmonkey

Elite Member
Jun 10, 2001


<< Thanks for the info. The firewall is just for personal home use, and there isn't any confidential stuff on it. I have another computer, so maybe I'll mess around with that and see if I can't set up a firewall only box. With that being said, how did you set up your IP-less box? I'd be really interested to try that, that would be a great firewall, it would be almost impossible to attack directly. Does IP Masq work with that kind of setup? Thanks. >>



I currently use a P133 for my firewall, so some crappy box should be fine. Bridging mode is pretty neat, although I've never used it (talked to one of the OpenBSD developers about it). OpenBSD's bridging is pretty nice, but Linux has the ability to have the machine basically shut down while doing firewalling, although I can't find the article right off on it ;)

EDIT: Here is the link on a halted Linux firewall
 

Goosemaster

Lifer
Apr 10, 2001
This is great stuff...I knew it..but still great for those who need to know that separates are the way to go....I have a question though....


I have A lot of old machines, and am probably going to use smoothwall or something...but how do I put it in front of a router and still access it...?

I will have a Linux webserver..or possibly Win2K Server---(I've been told that Redundancy is one of my charms)--

-and a WinXP client (will have my PC @home too in the summer)..anyways, if I put the three clients behind an SMC router, how do I access the firewall....usually subnet addresses such as 192.168.x.x are reserved for internal networks, but how do I access it if I have (AND need) NAT on...(I would use Linux to take care of the Network Translation, but I just want it to be a webserver. So...how do I proceed...I might use Smoothwall or something as the Firewall OS for the Gateway PC....thanks
 

n0cmonkey

Elite Member
Jun 10, 2001


<< This is great stuff...I knew it..but still great for those who need to know that separates are the way to go....I have a question though....


I have A lot of old machines, and am probably going to use Smoothwall or something...but how do I put it in front of a router and still access it...?

I will have a Linux webserver..or possibly Win2K Server---(I've been told that Redundancy is one of my charms)--

-and a WinXP client (will have my PC @home too in the summer)..anyways, if I put the three clients behind an SMC router, how do I access the firewall....usually subnet addresses such as 192.168.x.x are reserved for internal networks, but how do I access it if I have (AND need) NAT on...(I would use Linux to take care of the Network Translation, but I just want it to be a webserver. So...how do I proceed...I might use Smoothwall or something as the Firewall OS for the Gateway PC....thanks
>>



Put the Linux machine behind the router, assign it an internal IP, and forward port 80 to the webserver...
 

gaidin123

Senior member
May 5, 2000


<< Thanks for the info. The firewall is just for personal home use, and there isn't any confidential stuff on it. I have another computer, so maybe I'll mess around with that and see if I can't set up a firewall only box. With that being said, how did you set up your IP-less box? I'd be really interested to try that, that would be a great firewall, it would be almost impossible to attack directly. Does IP Masq work with that kind of setup? Thanks. >>



The last time I tried this with Linux, the bridging code in the kernel would cause a panic and crash the machine...Currently we're using OpenBSD. If you do a search on Google for "openbsd bridge" or "openbsd bridging firewall" you will find several really good tutorials that I followed. It's pretty simple to set up. You just pick 2 or more ethernet interfaces and tell them to bridge using something like `brconfig bridge0 add xl0 add xl1 up` and you have a bridge. After that you just have to set up your firewall rules...and make sure that your actual interfaces don't have any IPs assigned to them. Of course there is a kernel recompile and a little more setup than that, but not much. The downside is that you can't remotely administer your firewall, but the upside is someone else can't remotely administer your firewall. ;)

I believe the Linux bridging code probably has had some improvements since then. Even OpenBSD 3.0 release bridging code doesn't work right with VLANs though that too has supposedly been fixed (we went back to 2.9 but will update soon and try again).

Gaidin

Edit: Sorry, don't want to sway you from trying out Linux at all. I'd say go for it in Linux if you're more familiar with that. OpenBSD is less user friendly than your typical Linux install, though it's solid as a rock and very useful. Also iptables has more support info out there than ipf/pf, even though neither is too hard to figure out for simple firewalling.
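The bridge setup gaidin123 describes, written out as a script, added here as an example and not gaidin123's actual configuration. It assumes OpenBSD with two NICs named xl0 and xl1, the brconfig syntax of that era (newer releases use `ifconfig bridge0 add xl0`), and pf rules in /etc/pf.conf; it also checks the condition gaidin123 calls out, that no bridged interface carries an IP address.

```shell
#!/bin/sh
# Added example (not from the thread): bring up an OpenBSD bridging firewall
# on two NICs, refusing to proceed if either member interface has an address.
# Assumed placeholders: interfaces xl0/xl1, rules in /etc/pf.conf.
# Set DRY_RUN=1 to print the commands instead of running them (root otherwise).
A=${A:-xl0}
B=${B:-xl1}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# True (exit 0) when the ifconfig output on stdin shows an IPv4 or IPv6
# address on the interface. Link-local fe80:: is ignored: it is auto-assigned
# and does not make the box addressable from beyond the local segment.
iface_has_ip() {
    grep -E '^[[:space:]]+inet6? ' | grep -vq 'inet6 fe80:'
}

bridge_up() {
    for ifc in "$A" "$B"; do
        # A bridge member with an IP is exactly the remotely reachable
        # surface this design exists to avoid, so stop rather than continue.
        if [ -z "$DRY_RUN" ] && ifconfig "$ifc" | iface_has_ip; then
            echo "refusing: $ifc has an IP address configured" >&2
            return 1
        fi
        run ifconfig "$ifc" up
    done
    run brconfig bridge0 add "$A" add "$B" up
    # Enable pf and load the filter rules; the bridge filters traffic passing
    # through it without owning an address on either side.
    run pfctl -e
    run pfctl -f /etc/pf.conf
}

# Preview with DRY_RUN=1; as root, source the file and call bridge_up.
if [ -n "$DRY_RUN" ]; then bridge_up; fi
```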
 

Rainsford

Lifer
Apr 25, 2001
I think I'll probably stick with Linux because I've used it for a while now, and I've never used any BSD before. But I definitely will find another machine to use as a firewall. Thanks for all the help everyone.
 

n0cmonkey

Elite Member
Jun 10, 2001


<< Even OpenBSD 3.0 release bridging code doesn't work right with VLANs though that too has supposedly been fixed (we went back to 2.9 but will update soon and try again). >>



The developer that works on a lot of the bridging stuff is pretty good and uses it at his home (last I heard). So it shouldn't take too long for things to get fixed.
 

Goosemaster

Lifer
Apr 10, 2001


<< Put the Linux machine behind the router, assign it an internal IP, and forward port 80 to the webserver... >>




but how do you remotely, but internally, access the firewall..as in to change settings? Do you have to set it up locally...I just want to keep out DoS attacks and such, but what about rules etc?
 

n0cmonkey

Elite Member
Jun 10, 2001


<<

<< Put the Linux machine behind the router, assign it an internal IP, and forward port 80 to the webserver... >>




but how do you remotely, but internally, access the firewall..as in to change settings? Do you have to set it up locally...I just want to keep out DoS attacks and such, but what about rules etc?
>>



If you are doing the bridging mentioned (I think in this thread or another one :p) you need to be logged on locally. If you are doing a NAT firewall, you can ssh into it.
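A worked version of the NAT firewall n0cmonkey describes in this and the earlier reply (one inbound service forwarded on port 80, SSH reachable only from the inside), added here as an example rather than anyone's actual ruleset. It assumes a Linux box running iptables with the WAN link on eth0, the LAN on eth1 as 192.168.1.0/24 and the web server at 192.168.1.10; all of those are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables NAT firewall for a
# home box sitting between the DSL/cable link and a small LAN.
# Assumed placeholders: WAN=eth0, LAN=eth1, LAN_NET=192.168.1.0/24, WEB=192.168.1.10.
# Set DRY_RUN=1 to print the commands instead of applying them (root otherwise).
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB=${WEB:-192.168.1.10}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1

    # Start clean, then default-deny anything not explicitly allowed below.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or the LAN already opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Administer the firewall over SSH from the LAN side only; nothing arriving
    # on the WAN side may talk to the box itself.
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # LAN clients may go out, masqueraded behind the WAN address.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # The one inbound service: port 80 is rewritten to the internal web server,
    # and only that new connection is permitted through the FORWARD chain.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# Preview with DRY_RUN=1; as root, source the file and call apply_firewall.
if [ -n "$DRY_RUN" ]; then apply_firewall; fi
```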