Shorewall for web server?

Timothy Murphy tim at birdsnest.maths.tcd.ie
Wed Dec 28 00:04:45 UTC 2005


Tim wrote:

>>> You may not want to run a webserver on your firewall from a security
>>> standpoint, but that aside...
> 
> Timothy Murphy:
>> Is it safer to run shorewall on another computer behind the firewall?
> 
> Shorewall is what configures your firewall, it's done on the same
> computer.

Sorry, I mis-wrote yet again.
What I meant to say was: Is it safer to run a web-server (httpd)
on another computer, rather than on the machine running the firewall?

>> I'd be interested in any information - eg pointers to documentation -
>> on making a home web-server secure (or more secure, at least).
> 
> The basic advice is to run something separate as a firewall between the
> WWW and you.  If you wanted to be really safe, and run a public web
> server, then you'd run the web server on a separate box, too.
> 
> It goes without saying that the web server must be isolated from your
> LAN, for that to be of any benefit.  You route connections through your
> firewall to it, and allow it to respond back out again.  But you don't
> allow it access to any other part of your network.
> 
> That way, if someone exploits your firewall (if possible), all they do
> is muck up the firewall.  Likewise, if someone exploits the web server,
> all they do is muck it up.  They're not able to muck up your other
> terminals and servers, because they don't connect to them.

I still don't really see any great advantage
in running the web-server on a different machine to the firewall.
Can one not restrict the part of the computer
accessible through the web-server in a reasonably secure way?

Actually, everything available through the web-server is fully backed up,
so it would not be any great loss if someone hacked this.
On the other hand, I would be upset if someone hacked into
the main part of the computer running the firewall.



-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland