firewalls and webservers request for comments

aaron hirsch aaronh at uptime.net
Thu Oct 7 17:05:45 CDT 2004 

> Ok, y'all know I've got me one of them thar webservers
> out there in the WWWild. I run a minimal firewall (aka
> iptables). I'm wondering though what the consensus is
> on running a full-blown firewall like say IPCop on a
> server that is a busy box. My webserver is also a mail
> server and naturally a webmail server. What are the benefits
> of say adding a second box and running a full-metal jacket
> firewall like IPCop, and can you run a webserver/mailserver
> on the same box as IPCop (that is without ripping out the 
> guts of IPCop so it's no longer  an IPCop version but some 
> chopped up hacked up Frankenstein monster)?

  If you are only running the services you need to be running and
  have locked down your system fairly well a firewall, either
  internal or external, is mostly pointless. 

  If you're running an E-mail server and WWW server you'll need
  the following ports open: 

  25 SMTP 
  80 WWW
  110 POP3
  143 IMAP 

  Possibly some others for SSL encrypted POP, IMAP, WWW and possibly
  SSHD if you're going to do remote administration. 

  Putting a firewall in front of this box, or using iptables, is 
  mostly a waste of time because you'll need all of these ports open
  to most every Internet IP address anyway or they can't provide their
  services. 

  Firewalls aren't a magic bullet. Most every service you run on a
  Linux box can be IP restricted on it's own or if not you can use
  iptables to do this.  That's all firewalls really do IP restrict
  who can access what ports.

  Considering most, if not all, of your services need to accessible
  from the entire Internet I wouldn't worry about a firewall. 

Why tell anyone here are the ports you will need to have open when all
they have specified is services?  Wouldn't it have been better to ask IF
they wanted pop3/pop3s/imap/imaps before telling them to open xyz ports?
I'm not trying to be a dick, but get the facts before telling someone to
open xyz ports.  Why should they open pop3 to the world if they are
going to use imap, or vice-versa; heck why open them to the world at all
if they are going to use webmail and imap and pop3 access are only
required from the webserver?  I've set up many mail servers where the
only service available to the world is smtp, port 25, and http/https.
Why open the door further than it needs to be?

More information about the Kclug mailing list