*BSD News Article 51496

Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!newsroom.utas.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!tank.news.pipex.net!pipex!news.mathworks.com!uunet!in2.uu.net!spcuna!ritz!bet
From: bet@ritz.mordor.com (Bennett Todd)
Subject: Re: Looking for advice on FreeBSD WWW server
References: <43o0rb$8sq@pandora.enet.net>
Organization: Mordor International BBS - Jersey City, NJ
Date: Wed, 20 Sep 1995 13:02:15 GMT
Message-ID: <DF7G7r.AL@ritz.mordor.com>
Lines: 37

Well, I got some good news and some bad news. The good news is that I've set
up a www server (www.mordor.com) using Apache on FreeBSD and it cooks along
quite happily. I can recommend this combination. I'm afraid I don't have
experience with other daemons (aside from NCSA httpd) and so can't give a
comparison.

The bad news is that I __Strongly__ recommend Don't Do It!

Here's why: a Firewall is a well-defined job. It is intended to maintain the
security of the protected net in the face of determined and sophisticated
attacks from the unsecured net. Either FreeBSD or Linux could probably do
that; I'd personally go with FreeBSD because its networking has a longer
history behind it:-).

A Firewall machine should __NOT__ run anything that will tend to make it
easy to burgle: this means no user logins, no sendmail, and _No_ HTTP! HTTP
is cool, it's amazing, it's great --- and it's the most complex of the
popular protocols. There have already been many, many security holes found
in it --- and they all (naturally) allow an outsider to burgle the WWW
server machine.

Use 2 PCs. Really. Put WWW on a ``sacrificial'' machine outside the
firewall. Run an HTTP proxy on the firewall to let users on the inside
access it. Let users on the inside that need to maintain it have logins on
it, and get at it through a telnet proxy. Back it up regularly; run tripwire
to detect when you get burgled; do your best to keep it running and
available in the face of intrusions. Do \Not/ run HTTP on your firewall;
then rather than periodically losing your HTTP server until you can restore
from backups and (try to) fix the latest hole, you'll be having vandals
storming your entire internal network. That would be ``Bad''.

-Bennett
bet@mordor.com
-- 
-Bennett
bet@mordor.com
http://www.mordor.com/bet/
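As an added example (not from Bennett's post), a minimal tripwire-style integrity check in Python for the sacrificial WWW host he describes: snapshot the hash, size and permission bits of the server's files, keep that snapshot off the box, and diff against it later to learn what an intruder changed. The directory layout, file names and the simulated break-in are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    base = Path(root)
    snapshot = {}
    for p in sorted(base.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snapshot[p.relative_to(base).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777)}
    return snapshot

def compare(baseline, current):
    """Report files added, removed or altered since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "changed": sorted(f for f in old & new if baseline[f] != current[f])}

def demo():
    """Constructed scenario: snapshot a fake document root, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "htdocs"); docs.mkdir()
        (docs / "index.html").write_text("<h1>Mordor International BBS</h1>\n")
        (docs / "about.html").write_text("<p>about</p>\n")
        (Path(root) / "httpd").write_bytes(b"\x7fELF original binary")
        baseline = build_baseline(root)
        baseline_json = json.dumps(baseline)  # in practice: write to read-only media or another host
        # Simulated break-in: defaced page, same-size trojaned binary, dropped script, deleted page
        (docs / "index.html").write_text("<h1>0wned</h1>\n")
        (Path(root) / "httpd").write_bytes(b"\x7fELF trojaned binary")
        (Path(root) / ".backdoor.sh").write_text("#!/bin/sh\n")
        (docs / "about.html").unlink()
        return compare(json.loads(baseline_json), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned binary keeps its original size, so the report shows why the check must hash contents rather than trust size or timestamps alone.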