#1 ilias, Just Joined! | Join Date: Jul 2011 | Posts: 5

    to firewall or not to firewall?


    Hello,

    We had a small conflict today at work about whether or not there is any major advantage to setting up a firewall on a relatively small web server box, or to leaving it without any.
    I was in favor of not having any firewall, because I actually don't see any major point in simply putting a default DROP policy in place and just opening port 80.
    The only advantage that I can think of is that you can check things like: the sanity of the TCP/IP state (i.e. not accepting ACKs if there is not even an established handshake, etc.), or port scanning, or IP spoofing, or other similar "silly" stuff.

    What do you think?

    Thanks
    ilias

#2 hans51, Linux Newbie | Join Date: May 2011 | Posts: 136
    My philosophical answer would be:
    to die or not to die.

    On a web server (www accessible) you usually start to have hackers before you have even finished the basic configuration of the server.
    Of course some call it background noise - and if your entire server is completely secured and ALL the software you have installed has ZERO security issues at all (known AND unknown) ...
    you may go without a FW.

    However, who in the world can say his server is secured, if even gov, mil and banks can't secure theirs with all the money they have to hire and use the top professionals in the world?

    A firewall may have many opportunities to let you sleep better;
    there still remain enough reasons for nightmares to occur on servers even if you have mod_security and snort properly installed and configured.

    A firewall - if nothing else at all - helps you to reduce your error_log by simply blocking all the known IP networks used by hackers, and by reducing potential hacker traffic to an iptables blank page you release server load for the thousands or tens of thousands and more attempts each day.

    Hence my practical answer is YES to a firewall.
    fail2ban and other security SW depend on a running firewall on the server.

#3 ilias, Just Joined! | Join Date: Jul 2011 | Posts: 5
    Quote Originally Posted by hans51:
        My philosophical answer would be
        A firewall - if nothing else at all - helps you to reduce your error_log by simply blocking all the known IP networks used by hackers, and by reducing potential hacker traffic to an iptables blank page you release server load for the thousands or tens of thousands and more attempts each day.

        Hence my practical answer is YES to a firewall.
        fail2ban and other security SW depend on a running firewall on the server.
    I completely agree with you. Content firewall is the only reasonable security measure in our case (I had used snort+guardian in the past but it was a pain in the ass to keep it updated). Fail2ban looks nice too, I will try it.

    But in order to avoid any misunderstandings, perhaps I didn't make myself clear in the first place: the whole argument at my work was about using only iptables (just setting DROP as the default policy and opening port 80). Absolutely nothing more.
    I hope we all agree that this is simply inadequate and almost completely unnecessary.
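As an added example (not part of this thread and not written by either poster), here is the ruleset the first post describes, default DROP with only port 80 open, extended with the connection state checks ilias lists (dropping packets that belong to no tracked connection, accepting only a proper SYN for new connections). It is a POSIX shell script that emits iptables-restore input rather than calling iptables directly, so it can be reviewed and tested without root; the function names, the `--apply` flag and the rate-limited LOG rule are my additions, not something the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): the "default DROP, open port 80" ruleset
# from the question, plus the TCP/IP state sanity checks ilias mentions.
# Generates iptables-restore input; nothing is applied unless run as root with --apply.

# ruleset PORT [PORT...] : print an iptables-restore ruleset for the filter table
# that accepts new TCP connections only on the listed ports.
ruleset() {
    echo '*filter'
    # Default policy: drop everything not explicitly accepted (the "default DROP" in the question).
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is needed by local services.
    echo '-A INPUT -i lo -j ACCEPT'
    # State sanity: packets that belong to no tracked connection (for example a bare
    # ACK without a prior handshake) are dropped before any port rule is consulted.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Replies to connections the server already accepted or initiated.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New connections are accepted only as a proper SYN on the allowed ports.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else hits the INPUT policy (DROP). Log a rate-limited sample first
    # so the "background noise" hans51 mentions is visible in the kernel log.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    echo 'COMMIT'
}

# accept_count PORT... : number of rules accepting new connections, for sanity checks.
accept_count() {
    ruleset "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

if [ "$1" = "--apply" ]; then
    # Load the ruleset atomically (requires root and iptables-restore).
    shift
    ruleset "$@" | iptables-restore
else
    # Default: just print the ruleset for port 80 so it can be reviewed.
    if [ $# -eq 0 ]; then set -- 80; fi
    ruleset "$@"
fi
```

Run it without arguments to review the generated rules, or as root with `--apply 80` to load them. The INVALID drop and the `--syn` check are exactly the state checks the first post lists as the only benefit of such a setup; the INPUT chain is also where fail2ban inserts its own chains, which is why, as hans51 notes, it depends on iptables already running.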
