Thread: to firewall or not to firewall?
We had a small conflict today at work over whether or not there is any major advantage to setting up a firewall on a relatively small web server box, or to leave it without any.
I was in favor of not having any firewall, because actually I don't see any major point in simply putting in a default drop policy and just opening port 80.
The only advantage that I can think of is that you can check things like: the sanity of TCP/IP state (i.e. not accepting ACKs if there is not even an established handshake, etc.), or port scanning, or IP spoofing, or other similar "silly" stuff.
What do you think?
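The "default drop, open port 80, check TCP state" ruleset the question describes can be modelled to see exactly what it does and does not decide. The following is an added example, not code from the thread: a toy stateful filter that mirrors the decisions of the iptables rules listed in its header comment (default DROP, drop INVALID, accept ESTABLISHED, accept new SYN to port 80), run over a constructed packet sequence with documentation-range addresses.

```python
# Toy model of the ruleset the thread is arguing about:
#   iptables -P INPUT DROP
#   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
# This is a constructed simulation of those decisions, not netfilter itself.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str            # source address (constructed sample values below)
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass
class StatefulFilter:
    open_ports: frozenset = frozenset({80})
    # connection table keyed by (src, dst_port); values: "SYN_SEEN" or "ESTABLISHED"
    table: dict = field(default_factory=dict)

    def decide(self, pkt: Packet) -> str:
        """Return ACCEPT or DROP for one inbound packet, updating the state table."""
        if pkt.proto != "tcp":
            return "DROP"                       # default policy: only TCP/80 is open
        key = (pkt.src, pkt.dst_port)
        state = self.table.get(key)
        if state is None:
            if pkt.syn and not pkt.ack:         # a genuine new connection attempt
                if pkt.dst_port in self.open_ports:
                    self.table[key] = "SYN_SEEN"
                    return "ACCEPT"
                return "DROP"                   # closed port: a scan probe gets nothing back
            return "DROP"                       # ACK/other flags with no handshake: INVALID
        if state == "SYN_SEEN":
            if pkt.ack and not pkt.syn:         # third step of the handshake
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        return "ACCEPT"                         # ESTABLISHED: let the conversation flow


def run_scenario() -> list:
    """Feed a constructed packet sequence through the filter; returns the decisions."""
    fw = StatefulFilter()
    packets = [
        Packet("198.51.100.10", 80, syn=True),     # legitimate client: SYN to port 80
        Packet("198.51.100.10", 80, ack=True),     # its handshake ACK
        Packet("198.51.100.10", 80, ack=True),     # data inside the established session
        Packet("203.0.113.7", 80, ack=True),       # stray ACK with no handshake behind it
        Packet("203.0.113.7", 22, syn=True),       # SYN to a port the policy never opened
        Packet("203.0.113.7", 53, proto="udp"),    # non-TCP probe
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The first three packets are accepted and the last three dropped: the stray ACK is exactly the "no established handshake" case from the question, and the other two show what the default-drop policy adds on top of the application simply not listening.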
my philosophical answer would be
to die or not to die
on a web server (www accessible) you start to have hackers usually before you have even finished the basic configuration of the server
of course some call it background noise - and if your entire server is completely secured and ALL the software you have installed has ZERO security issues at all (known AND unknown) ...
you may go without FW
however who in the world can say his server is secure if even gov, mil and banks can't secure theirs with all the money they have to hire and use the top professionals in the world.
a firewall may have many opportunities to let you sleep better
there still remain enough reasons for nightmares on servers to occur even if you have mod_security and snort properly installed and configured
a firewall - if nothing else at all - helps you to reduce your error_log by simply blocking all the known IP networks used by hackers, and by reducing potential hacker traffic to an iptables blank page you release server load for the thousands or ten thousands and more attempts each day
hence my practical answer is YES to firewall
fail2ban and other security SW depend on a running firewall on the server
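The last point, that fail2ban-style tools need a firewall to act through, is easiest to see by following one through end to end. The following is an added example, not fail2ban's own code nor anything posted in the thread: a minimal log-driven ban decision (maxretry failures within findtime seconds, the same two knobs fail2ban uses) run over constructed sshd lines with documentation-range addresses, ending in the iptables rule that the decision relies on. The hostname, PIDs and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (sshd is fail2ban's stock example). The addresses
# are documentation ranges, not real hosts; the hostname and PIDs are made up.
SAMPLE_LOG = """\
Jul 12 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51012 ssh2
Jul 12 10:00:05 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51013 ssh2
Jul 12 10:00:09 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51014 ssh2
Jul 12 10:00:12 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51015 ssh2
Jul 12 10:01:00 web1 sshd[2110]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jul 12 10:01:30 web1 sshd[2110]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Jul 12 10:02:00 web1 sshd[2115]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 12 10:15:00 web1 sshd[2120]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 12 10:30:00 web1 sshd[2125]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Matches only failed logins; captures the syslog timestamp and the client IP.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text: str, year: int = 2011) -> list:
    """Return (timestamp, ip) for each failed-login line.

    Traditional syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m.group(2)))
    return events


def find_bans(events: list, maxretry: int = 3, findtime: int = 600) -> dict:
    """fail2ban-style rule: maxretry failures inside findtime seconds triggers a ban.

    Returns {ip: timestamp of the failure that crossed the threshold}.
    """
    per_ip = defaultdict(list)
    for ts, ip in sorted(events):
        per_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    bans = {}
    for ip, times in per_ip.items():
        # Slide a window of maxretry consecutive failures along the sorted times.
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                bans[ip] = times[i]
                break
    return bans


def ban_rule(ip: str) -> str:
    """The firewall action the ban depends on, in the iptables form the thread discusses."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(parse_failures(SAMPLE_LOG)).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

With the defaults only 203.0.113.5 is banned (four failures in eleven seconds); 198.51.100.7 fails once and then succeeds, and 192.0.2.9 spreads three failures over 28 minutes, outside the 600-second window. Widening findtime to an hour catches the slow source as well, which is the trade-off fail2ban's two parameters encode. Without a firewall to hand the rule to, the detection part has nothing to act on.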
But in order to avoid any misunderstandings, perhaps I didn't make myself clear in the first place: the whole argument at my work was about using only iptables (just to set drop as the default policy and open port 80). Absolutely nothing more.
I hope we all agree that this is simply inadequate and almost completely unnecessary.