Services on the firewall
m.seaman at infracaninophile.co.uk
Wed Apr 14 17:47:24 BST 2004
On Wed, Apr 14, 2004 at 04:11:08PM +0100, John Murphy wrote:
> I know it's wrong but what are the real dangers in running say
> sendmail, ftpd, bind, boa (http) and squid perhaps, on the same
> device as ipf etc?
> This is just for a home LAN gateway on a Soekris 4801 hopefully.
> There will be some server side filtering at the ISP.

It's only "wrong" because running all of those other applications
opens up a range of possible ways that an attacker could try and
penetrate your machine. If you were trying to build a firewall
protecting the assets of a company worth millions, then it would be
daft to run a whole load of other services on the packet-filtering
box, for the sake of saving a few thousand for another server or two.
However, as this is just your home LAN, you presumably have a lot less
to lose, and you need to make your security measures cost-effectively.
It's a trade off, and you'll have to decide if "affordable" is "good

You'll find having all of the servers on your firewall box will
complicate your firewall rulesets quite a bit -- especially if you're
running it as a NAT gateway as well. Even so, you should be able to
write an effective ruleset without too much trouble.

Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
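
Added example, not part of the original message: a sketch of an ipf/ipnat ruleset for a NAT gateway that also hosts the daemons named in the question, showing how traffic to local services has to be separated from forwarded LAN traffic. The interface names (sis0 external, sis1 internal), the 192.168.1.0/24 LAN and the choice of which daemons are exposed to the Internet are all assumptions.

```conf
# Constructed example. Assumptions: sis0 = external, sis1 = internal,
# LAN = 192.168.1.0/24. Only sendmail and boa are offered to the Internet.

# ---- ipf.rules ----
pass in quick on lo0 all
pass out quick on lo0 all

# External, inbound: default deny, then one hole per exposed local service.
block in log on sis0 all head 100
# Anti-spoofing: LAN and loopback sources must never arrive from outside.
block in quick on sis0 from 192.168.1.0/24 to any group 100
block in quick on sis0 from 127.0.0.0/8 to any group 100
# Each rule below is attack surface that a pure packet filter would not have.
pass in quick on sis0 proto tcp from any to any port = 25 flags S keep state group 100
pass in quick on sis0 proto tcp from any to any port = 80 flags S keep state group 100

# External, outbound: the gateway's own daemons plus NATed LAN traffic.
# Replies come back in through the state table, not through group 100.
block out log on sis0 all head 150
pass out quick on sis0 proto tcp from any to any flags S keep state group 150
pass out quick on sis0 proto udp from any to any keep state group 150
pass out quick on sis0 proto icmp from any to any keep state group 150

# Internal: the LAN is trusted in this sketch. bind, ftpd and squid have no
# rule in group 100, so they are reachable from the LAN side only.
block in log on sis1 all head 200
pass in quick on sis1 from 192.168.1.0/24 to any group 200
pass out quick on sis1 all

# ---- ipnat.rules ----
# Rewrite LAN sources to the external address (0/32 = current address of sis0).
map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map sis0 192.168.1.0/24 -> 0/32
```

Moving a daemon from LAN-only to Internet-facing is a one-line change in group 100, which is why that group is the part of the ruleset to review most carefully.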