Firewall Configuration Question... Is this possible?

/dev/rob0 rob0 at gmx.co.uk
Mon Aug 1 23:45:26 CEST 2005


R. DuFresne wrote:
>>> that I am also trying to run Apache on the box that is doing the NAT
>>> translation rules.  Is it possible to run a web server on the same 
>>> box that is performing the translations?
>>
> doable, but not advised, a firewall should be single purpose, most 
> servers should be single purpose where possible.  But then this is not 
> often the case.  But a firewall certainly should be a single purpose 
> system much like a router is, they do similar work anyways.

I quite agree that this is the best practice. However in the real world 
it's not something about which I am dogmatic. Most of my firewalls have 
at least one service running in addition to sshd. (All are running sshd. 
Many are running httpd and an MTA.)

I don't feel bad. :) In any security decision you should consider the 
threat model. My main concern is in keeping the open services patched, 
and it's the same regardless of whether they're running on the firewall 
or in a DMZ.
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
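As an added example (not part of the original post or of the netfilter project), the following script generates an iptables-restore ruleset for the situation discussed above: a box that masquerades for a LAN and also runs sshd and httpd locally. The INPUT policy is DROP, so only those two services are reachable from outside, which is the "keep the open services patched" concern reduced to a reviewable list. Interface names, the LAN prefix and the choice of iptables-restore format are assumptions made for the example; the ports are the standard ones for the two services named in the thread.

```shell
#!/bin/sh
# Added example: NAT gateway that also hosts sshd and httpd.
# WAN_IF, LAN_IF and LAN_NET are assumed values; override via environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_rules prints the ruleset in iptables-restore syntax rather than
# executing anything, so it can be read, diffed and tested before use.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host or the LAN opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only two services deliberately exposed on the firewall itself
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# LAN may go out; only replies come back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN traffic leaving on the WAN side
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# count_open_ports returns how many INPUT rules admit a new TCP connection.
# A quick self-check: the answer should be exactly the services you intend.
count_open_ports() {
    gen_rules | grep -c -- '^-A INPUT -p tcp --dport'
}

# apply_rules loads the ruleset atomically; requires root and iptables-restore.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run without arguments to print the ruleset for review; run with `apply` as root to load it. iptables-restore replaces the tables in one step, which avoids the window where a default-DROP policy is in place before the ESTABLISHED rule exists, a common way to cut off one's own ssh session when applying rules one command at a time.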
