Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!gatech!howland.reston.ans.net!agate!reason.cdrom.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Looking for advice on FreeBSD WWW server
Date: 25 Sep 1995 01:57:02 GMT
Organization: Walnut Creek CDROM
Lines: 30
Message-ID: <44529e$99r@reason.cdrom.com>
References: <43o0rb$8sq@pandora.enet.net> <DF7G7r.AL@ritz.mordor.com>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.1N (X11; I; FreeBSD 2.1-STABLE i386)
To: bet@ritz.mordor.com
X-URL: news:DF7G7r.AL@ritz.mordor.com

bet@ritz.mordor.com (Bennett Todd) wrote:

>A Firewall machine should __NOT__ run anything that will tend to make it
>easy to burgle: this means no user logins, no sendmail, and _No_ HTTP! HTTP
>is cool, it's amazing, it's great --- and it's the most complex of the
>popular protocols. There have already been many, many security holes found
>in it --- and they all (naturally) allow an outsider to burgle the WWW
>server machine.

Maybe I'm overestimating people here, but this advice seems about on par
with "don't stick sensitive parts of your personal anatomy into live
electrical outlets!" Of *course* you don't run httpd on your firewall! I
don't know of *anyone*, and I mean zero, zip, nada individuals, running or
even remotely contemplating running any form of httpd on their firewall.
Heck, most people don't run *rlogind* or *ftpd* on their firewalls! Httpd
would generally be the very last in line for such consideration, right up
there with an unsecured IRC server and 2 or 3 MOOs... :-)

Creating a firewall is a very specific process, and you always assume that
you CAN'T run any given network service until it's absolutely, positively
proven that you can (and for which there is a justifiable need of almost
galactic magnitude). This includes just about every *standard* UNIX network
utility you might otherwise take for granted. A firewall is not a UNIX
machine, it is a firewall. If someone has any trouble seeing the
distinction then they shouldn't even bother trying to create one - they
should leave that process to the security folks.

--
Jordan
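The "assume you CAN'T run any service until proven otherwise" rule in the post above is a default-deny policy for listeners on the firewall host. The following is an added example, not code from the original post or from FreeBSD: a small POSIX sh audit that parses `netstat -an`-style output, treats every TCP socket in LISTEN and every bound UDP socket as an exposed service, and fails unless each one is on an explicit allowlist. The allowlist (SSH on the inside interface only), the address `10.0.0.1`, and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny audit of listening
# services on a would-be firewall host. The input format mirrors FreeBSD's
# `netstat -an`, but the sample below is constructed for this example.

# Allowlist of "proto local-address" pairs that are permitted to listen.
# Assumption for illustration: only sshd on the inside interface.
ALLOWED_LISTENERS="tcp4:10.0.0.1.22"

# Constructed sample: a host that wrongly runs httpd (80), sendmail (25),
# rlogind (513) and syslogd (udp 514) next to the one sanctioned sshd.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.1.22            *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.513                  *.*                    LISTEN
tcp4       0      0  10.0.0.1.22            10.0.0.57.40122        ESTABLISHED
udp4       0      0  *.514                  *.*'

# list_listeners: read netstat output on stdin, print "proto local-address"
# for every socket that accepts traffic: TCP sockets in LISTEN state, and
# every bound UDP socket (UDP has no state column, so bound means reachable).
list_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/                    { print $1, $4 }'
}

# unexpected_listeners: drop allowlisted entries, print whatever remains.
# Matching is exact on "proto:address", so a wildcard bind (*.22) does not
# pass as the interface-specific 10.0.0.1.22 that was sanctioned.
unexpected_listeners() {
    list_listeners | while read -r proto addr; do
        ok=0
        for allowed in $ALLOWED_LISTENERS; do
            [ "$proto:$addr" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s %s\n' "$proto" "$addr"
    done
}

# count_unexpected: number of listeners outside the allowlist (0 = clean).
count_unexpected() {
    unexpected_listeners | grep -c .
}

# audit_host: return 0 only when nothing outside the allowlist is listening;
# otherwise report the offenders on stderr and return 1.
audit_host() {
    bad=$(unexpected_listeners)
    if [ -n "$bad" ]; then
        printf 'unexpected listeners on firewall host:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample; it is expected to fail,
# since the sample host is running four services it should not.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_host ||
    echo "audit failed, as expected for the sample host"
```

On a live FreeBSD host the same functions take real input with `netstat -an -f inet | audit_host`; the useful property is that anything not explicitly listed fails the audit, which is the posture the post argues for.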