Ok so quick run down, I've been down with linux since... sh*t, like 10 years now LOL. But I never had the need or the resources to run a file server, LAMP setup, or anything at home... :banana: Until now LOL. Since linux hasn't been too popular in Vegas in the places I've worked, I've always been stuck running windows systems, and usually it's pretty simple crap: sonicwall and T1's with MIIS servers or 2003 ::gag:: But here lies my problem: in every admin job I've had I haven't been able to build the system from the ground up. So when reading today something confused the crap out of me...
One article said "Never install any other services on the machine you use as your firewall"
And another said "Never run a server open to the net without a firewall on it"
So honestly, what gives? I was going to run LAMP with the firewall on the same machine until I can buy a sonicwall or come up with another PC to use as one or something... yet I was planning on still running a firewall on the machine with the LAMP on it. So tell me, am I getting mixed information here? I know regardless your system has to be secure, and all my Windoze systems had firewalls installed plus the sonicwall, so I don't see why I couldn't have just one machine running LAMP and firewall. Would it really be that insecure???... I mean, did I really screw myself here? Have I been running vulnerable systems forever and gained some bad habits here or what?
(Sorry I write so much when I post, I also write movie scripts on the side so I'm used to explaining every detail possible)
I run my firewall separate to my web server. As I see it, if I put the firewall on my server, if someone compromises the firewall, they can see my entire server's contents.
If I keep them separate, and someone compromises my firewall, they get access to my empty firewall. Then they gotta do it all again for my web server.
If someone gets access through an apache vulnerability to my web server port, they'll only have access to the machine on that port, unless they've compromised the firewall too.
In general it's a cheap and sensible option to install a separate firewall. Use an old PC and get a copy of Smoothwall free edition.
I think this: "Never run a server open to the net without a firewall on it" should actually say "without a firewall in front of it."
Both of those are good rules, but they aren't have-to's. If it's mission-critical data then follow those rules. If it's something else, play, or maybe not mission critical (CCs and making-money type services), then it is probably fine.
Also, a firewall in front can be as simple as a rinky dinky little linksys router.
Thanks for the input guys...
I guess I'll either do the DD-WRT mod to my "Rinky Dinky linksys router" LOL or just get an old pc...
It's just for fun and practice breaking and repairing the system, so for now I'll just keep it on the LAN...
I'm using an old pc running IPCop as a firewall. Works just fine. It's also a DHCP server, so my 4 other servers can get an IP.
Would 2 routers with firewall function + iptables on the web server be enough? I hope so, because that's my current configuration (mainly because I don't like the web interface on the first router, and I don't trust its firewall either).
Yes, that would work, but that is a lot of layers. So it would be this
That's a lot of layers. I would get rid of one of those.
It's more like this:
LAMP + IPTables
It's on one machine.
It might be a bit slow, but as I said I don't trust the firewall on the first router, which is a modem-router so removing it would also remove my modem.
But if it works I'm happy.
I've done a port scan on router 1, and it was wide open while the firewall was set to high; the second router had its ports shut except for the ports I forwarded. This is WAN to LAN, and LAN to WAN is fully open, but I don't know how to shut that traffic down. Question two: do I want to shut this traffic down, because my parents on the same network use things like MSN Messenger, e-mail, update services and other crap I don't always know the ports of.
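For the "LAMP + IPTables on one machine" setup described above, here is an added example (my own, not posted by anyone in this thread) of what a minimal host firewall on that box looks like: default-deny inbound, only HTTP/HTTPS open to the world, SSH only from the LAN, MySQL never reachable from the network, and dropped packets logged so a port scan like the one mentioned shows up. It assumes the LAN is 192.168.1.0/24 (override with LAN_NET); nothing is applied unless you pipe the output into iptables-restore.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a LAMP host that is its own firewall.
# Assumption (not from the thread): the LAN is 192.168.1.0/24.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset in iptables-restore format (apply with: lamp_ruleset | iptables-restore).
lamp_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection (typical of scans) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only services exposed to everyone: the web server.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Management only from the LAN.
-A INPUT -p tcp -s ${LAN_NET} --dport 22 -j ACCEPT
# MySQL is only for the local Apache/PHP; make the refusal explicit rather than
# relying solely on the DROP policy.
-A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
# Rate-limited log of everything else that hits the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# Sanity check helper: how many INPUT rules ACCEPT a given TCP port?
accept_rules_for_port() {
  lamp_ruleset | grep -c -- "--dport $1 -j ACCEPT" || true
}
```

Run `lamp_ruleset | iptables-restore --test` first to have iptables parse the rules without loading them.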
I guess that all depends on who pays the bills :-P
Outgoing traffic should be fine; just keep antivirus installed where needed (windows machines) and check for trojans and rootkits on your nix machines.
My dad pays the electricity bill as well as the ISP bill. That means I'm safe for now, however I do want to put some PR on the site just to make a bit money so I can pay for the extra electricity used, so my dad won't kill the project.
I need the server for school things. I am going to give my class some lessons about GNU/Linux and I have a site for that. If my dad kills the site I don't have anything to use as teaching materials. All the documents should be in Dutch, so I write them myself. That way I don't have to find the needle in the haystack. I just make a new needle.