Firewall Configuration Question... Is this possible?

R. DuFresne dufresne at sysinfo.com
Tue Aug 2 06:44:43 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 1 Aug 2005, /dev/rob0 wrote:

> R. DuFresne wrote:
>>>> that I am also trying to run Apache on the box that is doing the NAT
>>>> translation rules.  Is it possible to run a web server on the same box 
>>>> that is performing the translations?
>>> 
>> doable, but not advised, a firewall should be single purpose, most servers 
>> should be single purpose where possible.  But then this is not often the 
>> case.  But a firewall certainly should be a single purpose system much 
>> like a router is, they do similar work anyways.
>
> I quite agree that this is the best practice. However in the real world it's 
> not something about which I am dogmatic. Most of my firewalls have at least 
> one service running in addition to sshd. (All are running sshd. Many are 
> running httpd and an MTA.)
>
> I don't feel bad. :) In any security decision you should consider the threat 
> model. My main concern is in keeping the open services patched, and it's the 
> same regardless of whether they're running on the firewall or in a DMZ.
>


This is true, but if the services run in the DMZ, there is far less a 
threat to the soft center network if they get hit <the DMZ services>.  If 
run on the FW and you did not see the vuln in the lists, are too busy to 
patch if you saw it, or something else interferes, you are more likely to 
toast more than a single services server on the outside.


Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC7vo/st+vzJSwZikRArS1AJ0adtqWnLe9z6bKJH6qGAl31RpRJgCgx0vD
cRWdKwbSlq9ZPzoHmUVRk5Q=
=Ta+p
-----END PGP SIGNATURE-----
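The design argued for above (Apache on a DMZ host, the NAT box forwarding to it and nothing listening on the firewall itself) as an added netfilter example; this is not code from the thread or from either poster. Interface names, the 192.168.10.0/24 DMZ, the 10.0.0.0/24 LAN and the 192.168.10.80 web host are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter rules that keep the web
# server OFF the firewall and forward port 80 to a host in the DMZ instead.
# Interfaces and addresses below are constructed assumptions for illustration.
WAN_IF=eth0                 # untrusted side
DMZ_IF=eth1                 # DMZ segment
LAN_IF=eth2                 # soft centre (internal network)
DMZ_NET=192.168.10.0/24
LAN_NET=10.0.0.0/24
WEB_HOST=192.168.10.80      # Apache lives here, not on the firewall

# Print the rule set one command per line. Nothing is applied unless
# apply_rules is called, so the script can be reviewed (or diffed) first.
dmz_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Firewall itself: loopback, replies, and ssh from the LAN only. Nothing on 80 here.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Inbound web traffic is translated to the DMZ host before routing.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# Forwarding: replies, WAN->DMZ web only, LAN out anywhere, DMZ never into the LAN.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT
# Source NAT for everything leaving on the WAN side.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Self-check of the design: succeed (return 0) only if no rule ACCEPTs
# traffic entering on the DMZ interface and leaving on the LAN interface.
dmz_isolated() {
    dmz_rules | grep -v '^#' | grep -- "-i $DMZ_IF -o $LAN_IF" | grep -q ACCEPT && return 1
    return 0
}

# Apply the printed rules (needs root); comment lines are skipped.
apply_rules() {
    dmz_rules | grep -v '^#' | while read -r cmd; do $cmd; done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    dmz_rules
fi
```

Run it without arguments to print the rule set for review; `APPLY=1 sh script.sh` as root loads it. The point the thread makes shows up in the INPUT chain: a compromised DMZ host can only reach the WAN side, and the firewall itself exposes nothing but ssh from the LAN, so a web server vulnerability costs one DMZ box rather than the NAT box and everything behind it.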