Shorewall for web server?

John Summerfied debian at herakles.homelinux.org
Wed Dec 28 01:34:33 UTC 2005


David Cary Hart wrote:

>
>>>Is it safer to run shorewall on another computer behind the firewall?
>>
>>Shorewall is what configures your firewall, it's done on the same
>>computer.
>>
>>
>>>I'd be interested in any information - eg pointers to documentation -
>>>on making a home web-server secure (or more secure, at least).
>>
>>The basic advice is to run something separate as a firewall between the
>>WWW and you.  If you wanted to be really safe, and run a public web
>>server, then you'd run the web server on a separate box, too.  
>>
> 
> I'm not entirely sure how much a firewall has to do with this. It's a matter of
> how the firewall is used. No need for Shorewall IMO.

Sure, you don't need shorewall. Sure, you can write all your programs in 
Assembler for your CPU.

Shorewall, like your compiler of choice, provides a more concise means 
of expressing your intent.

I use shorewall myself, and I'm way more confident of the outcome than 
I'd be using iptables directly.

> The issue becomes who to block, how and for how long. 
> 
> One option is to do this via snort (there are several methods of triggering
> firewall rules).

On my systems I have mail (coming and going) and www open to all. And 
ssh, but I limit ssh to a small range of IP addresses in 
/etc/hosts.allow and/or /etc/hosts.deny.

Simple cases don't require a firewall at all (I have more needs than 
I've disclosed here). If a port's not open on your external interface, 
nobody's going to connect to it. If you're supplying a public service 
(http, receiving mail etc) then ports supporting those services have to 
be open on the external interface and unblocked.

In my case, ssh has to be open, but not _that_ open.

-- 

Cheers
John

Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list
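As an added illustration of the setup John describes (mail in and out and www open to everyone, ssh only from a small address range, everything else closed on the external interface), here is a Shorewall rules fragment with the matching tcp_wrappers entries. This is example configuration written for this page, not John's own files; the zone names `net` and `fw`, the `eth0` interface and the 192.0.2.0/28 range are assumed placeholders.

```conf
# /etc/shorewall/zones  (assumed: fw is the firewall/web box itself, net is the Internet)
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces  (assumed external interface)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs

# /etc/shorewall/policy
# Nothing reaches the box unless a rule below opens it; the box may initiate outbound
# connections (that is the "mail going out" half).
#SOURCE DEST    POLICY
fw      net     ACCEPT
net     fw      DROP
net     all     DROP

# /etc/shorewall/rules
#ACTION   SOURCE              DEST   PROTO   DEST PORT(S)
ACCEPT    net                 fw     tcp     25      # incoming mail, open to all
ACCEPT    net                 fw     tcp     80      # www, open to all
ACCEPT    net:192.0.2.0/28    fw     tcp     22      # ssh, only from a small range (placeholder range)
# No rule for 22 from the rest of "net": the net->fw DROP policy closes it.

# /etc/hosts.deny  -  second layer inside the host, independent of the packet filter
sshd: ALL

# /etc/hosts.allow  -  same small range; applies only if sshd is linked with libwrap
sshd: 192.0.2.0/255.255.255.240
```

Check the result from the outside rather than trusting the files: `shorewall check` validates the syntax, and a scan of the external address from a host outside the allowed range should show only 25 and 80 answering, with 22 silently dropped. Note that the tcp_wrappers layer only takes effect for an sshd built with libwrap; recent OpenSSH releases no longer support it, so the packet-filter rule is the one that must be right.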
