do i need hrdwre AND sftwre firewall?
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: do i need hrdwre AND sftwre firewall?

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    do i need hrdwre AND sftwre firewall?

    Hi,
    I have a web/mail server (using linux) for 3 very small websites that is behind a 4-port router and has a built in firewall (It's a home router, so the firewall is not very configurable -- plus it doesn't filter outgoing traffic, only incoming.) The firewall only lets port 80 and 25 be visible to the internet. Everything else (ftp,ssh) is only accessible to the four comp network.

    Anyways, is it worth it to configure another firewall on the linux server using ipchains (for extra security)?

    -Mike
    Either get busy living or get busy dying.

    -The Sawshank Redemption

  2. #2
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    First of all, most routers with built in firewalls actually only use NAT (Network Address Translation) which isn't really considered a firewall. I don't mean to correct you, I just thought you might be interested in knowing that.

    As for a firewall, if you are serving web sites, I highly recommend setting up a firewall. If you don't want to spend money and buy a good hardware firewally, Ipchains are pretty easy to set up (there are plenty of tutorials on the subject both here and elsewhere on the Internet) and will protect you nearly as good, if not better, than a commercial hardware firewall.

    AJ

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Ok, I threw up a quick and dirty firewall. Here's the config for it. Please tell me if I missed something important, or if I'm leaving a big hole -- whatever:

    (Input)
    target prot opt source dest ports
    ACCEPT tcp ------ 0.0.0.0/0 192.168.2.196 * -> 80
    ACCEPT tcp ------ 0.0.0.0/0 192.168.2.196 * -> 25
    ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 22
    ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 110
    ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 21
    ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *

    Foward (polict accept)

    Output:
    ACCEPT tcp ------ 192.168.2.196 192.168.2.0/24 20 -> *
    ACCEPT tcp ------ 192.168.2.196 0.0.0.0/0 * -> 25
    ACCEPT udp ------ 192.168.2.196 0.0.0.0/0 * -> 53
    DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *


    -Mike
    Either get busy living or get busy dying.

    -The Sawshank Redemption

  4. #4
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    I think it is generally a good security practice to implement multiple layers. If someone gets past your first line of defense you will still have one or more other ways to detect or block the threat.

    A hacker may develop a knack for bypassing certain types of security or security from certain vendors. Additionally, an attack vector may be caught by one type of security application and missed by another. By applying a hardware and a software firewall you hopefully will catch with one what the other one misses.

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    yanksfan,

    How old is your linux kernel? I'd suggest IPTABLES over IPCHAINS because, IMHO, it's designed better and has more flexibility to meet the needs of a website without compromising security (there are a few security flaws in IPCHAINS in the general design of it).

    IPCHAINS can use kernels 2.1.x and higher.

    IPTABLES can use kernels 2.4.x and higher.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    Originally posted here by tonybradley

    For more information on applying layered security, see:

    In Depth Security [/B]
    SPAM!
    i'm not sure i like this- that's the 20th link to about.com i've seen on the boards in the past two days... i undertsand that you want to advertise your employer (about.com) but around here 0- we call this Spam? s0rry if i seem harsh
    yeah, I\'m gonna need that by friday...

  7. #7
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    My apologies. It wasn't intended as spam per se. I am going back through and editing my posts to correct this misdeed and simply post my opinions directly in my post rather than referring to my works elsewhere.

    Hopefully I can redeem myself and bring my Antipoints out of the gutter.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    SPAM in almost all cases is email where you are trying to sell something without somebody asking you to come and sell them on that particular item. If tonyb is very familiar with the content of a particular website because he works there then so what if he posts links from that site. He is not trying to sell you anything. The link he posted was very valid to the original question that was asked, and negging him for posting valid information is totally against what this site is about. Sharing information about the various aspects of network security. If he were just putting posts saying, "hey, come look at my site http://xyz.xyz.xyz." Then you could neg him for spam.

    So if I post a link to an article on MS's site detailing the intricacies of a particular vulnerability am I spamming for MS?

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    94
    Just saw this:

    First of all, most routers with built in firewalls actually only use NAT (Network Address Translation) which isn't really considered a firewall. I don't mean to correct you, I just thought you might be interested in knowing that.
    So just to clarify, I have a couple Linksys routers that our company gives us to protect our home highspeed connections. I will cross-check with Linksys, but we were told that those routers would offer a layer of protection. We also bought the Symantec Internet Security and added that as well. This keeps being a moving target for us.

    Thanks for the info!
    \"Quis custodiet ipsos custodes?\"
    -Juvenal

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    686
    I totally agree mohaughn. I mean even though we are on Ao, we still refer a lot of people to tutorials and stuff that is on the AO server right... wouldn't that be the same idea? IF someone knows a website well, then they should be able to refer people to it without people saying that person is a "SPAMMER"! Unless someone is getting paid for every hit that is going to about.com? Then that would be totally bad news!

    <-- My two cents on the matter...
    [shadow]There is no right and wrong, only fun and boring...
    Formatting my server because someone hacked into it sounds pretty boring to me...
    That\'s why it\'s all about AntiOnline.com!
    [/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •