Services on the firewall

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Apr 14 17:47:24 BST 2004


--VUDLurXRWRKrGuMn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 14, 2004 at 04:11:08PM +0100, John Murphy wrote:
> I know it's wrong but what are the real dangers in running say
> sendmail, ftpd, bind, boa (http) and squid perhaps, on the same
> device as ipf etc?
>=20
> This is just for a home LAN gateway on a Soekris 4801 hopefully.
>=20
> There will be some server side filtering at the ISP.

It's only "wrong" because running all of those other applications
opens up a range of possible ways that an attacker could try and
penetrate your machine.  If you were trying to build a firewall
protecting the assets of a company worth millions, then it would be
daft to run a whole load of other services on the packet-filtering
box, for the sake of saving a few thousand for another server or two.

However, as this is just your home LAN, you presumably have a lot less
to lose, and you need to make your security measures cost-effectively.
It's a trade off, and you'll have to decide if "affordable" is "good
enough".

You'll find having all of the servers on your firewall box will
complicate your firewall rulesets quite a bit -- especially if you're
running it as a NAT gateway as well.  Even so, you should be able to
write an effective ruleset without too much trouble.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--VUDLurXRWRKrGuMn
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAfWscdtESqEQa7a0RAqbQAJ9VGxnwgGikLG6iklhuf70QPFldsQCdHiGD
gr5BJoLrtgCklE1fr4GjGfI=
=2YNk
-----END PGP SIGNATURE-----

--VUDLurXRWRKrGuMn--




More information about the Ukfreebsd mailing list