Ok, y'all know I've got me one of them thar webservers out there in the WWWild. I run a minimal firewall (aka iptables). I'm wondering though what the consensus is on running a full-blown firewall like say IPCop on a server that is a busy box. My webserver is also a mail server and naturally a webmail server. What are the benefits of say adding a second box and running a full-metal jacket firewall like IPCop, and can you run a webserver/mailserver on the same box as IPCop (that is without ripping out the guts of IPCop so it's no longer an IPCop version but some chopped up hacked up Frankenstein monster)?
If you are only running the services you need to be running and have locked down your system fairly well a firewall, either internal or external, is mostly pointless.
If you're running an E-mail server and WWW server you'll need the following ports open:
25 SMTP 80 WWW 110 POP3 143 IMAP
Possibly some others for SSL encrypted POP, IMAP, WWW and possibly SSHD if you're going to do remote administration.
Putting a firewall in front of this box, or using iptables, is mostly a waste of time because you'll need all of these ports open to most every Internet IP address anyway or they can't provide their services.
Firewalls aren't a magic bullet. Most every service you run on a Linux box can be IP restricted on it's own or if not you can use iptables to do this. That's all firewalls really do IP restrict who can access what ports.
Considering most, if not all, of your services need to accessible from the entire Internet I wouldn't worry about a firewall.
Why tell anyone here are the ports you will need to have open when all they have specified is services? Wouldn't it have been better to ask IF they wanted pop3/pop3s/imap/imaps before telling them to open xyz ports? I'm not trying to be a dick, but get the facts before telling someone to open xyz ports. Why should they open pop3 to the world if they are going to use imap, or vice-versa; heck why open them to the world at all if they are going to use webmail and imap and pop3 access are only required from the webserver? I've set up many mail servers where the only service available to the world is smtp, port 25, and http/https. Why open the door further than it needs to be?
On Thu, 7 Oct 2004 17:05:45 -0500 "aaron hirsch" aaronh@uptime.net wrote:
Why tell anyone here are the ports you will need to have open when all they have specified is services? Wouldn't it have been better to ask IF they wanted pop3/pop3s/imap/imaps before telling them to open xyz ports? I'm not trying to be a dick, but get the facts before telling someone to open xyz ports. Why should they open pop3 to the world if they are going to use imap, or vice-versa; heck why open them to the world at all if they are going to use webmail and imap and pop3 access are only required from the webserver? I've set up many mail servers where the only service available to the world is smtp, port 25, and http/https. Why open the door further than it needs to be?
I wasn't trying to give him advice on how to run his E-mail setup.
The listing of the ports was just an example to help illustrate why running a firewall in front of an E-mail server is typically pointless.
I apologize if that wasn't clear.
--------------------------------- Frank Wiles frank@wiles.org http://www.wiles.org ---------------------------------
-
aaron hirsch -
Frank Wiles