*BSD News Article 51701

Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!gatech!howland.reston.ans.net!agate!reason.cdrom.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Looking for advice on FreeBSD WWW server
Date: 25 Sep 1995 01:57:02 GMT
Organization: Walnut Creek CDROM
Lines: 30
Message-ID: <44529e$99r@reason.cdrom.com>
References: <43o0rb$8sq@pandora.enet.net> <DF7G7r.AL@ritz.mordor.com>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.1N (X11; I; FreeBSD 2.1-STABLE i386)
To: bet@ritz.mordor.com
X-URL: news:DF7G7r.AL@ritz.mordor.com

bet@ritz.mordor.com (Bennett Todd) wrote:
>A Firewall machine should __NOT__ run anything that will tend to make it
>easy to burgle: this means no user logins, no sendmail, and _No_ HTTP! HTTP
>is cool, it's amazing, it's great --- and it's the most complex of the
>popular protocols. There have already been many, many security holes found
>in it --- and they all (naturally) allow an outsider to burgle the WWW
>server machine.

Maybe I'm overestimating people here, but this advice seems about on-par
with "don't stick sensitive parts of your personal anatomy into live electrical
outlets!"

Of *course* you don't run httpd on your firewall!  I don't know of *anyone* and
I mean zero, zip, nada individuals running or even remotely contemplating
running any form of httpd on their firewall.  Heck, most people don't run
*rlogind* or *ftpd* on their firewalls!  Httpd would generally be the very last
in line for such consideration, right up there with an unsecured IRC server and
2 or 3 MOOs.. :-)

Creating a firewall is a very specific process, and you always assume that you
CAN'T run any given network service until it's absolutely, positively proven
that you can (and for which there is a justifiable need of almost galactic
magnitude).  This includes just about every *standard* UNIX network utility you
might otherwise take for granted.  A firewall is not a UNIX machine, it is a
firewall.  If someone has any trouble seeing the distinction then they
shouldn't even bother trying to create one - they should leave that process to
the security folks.
-- 
						Jordan
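The "assume you CAN'T run any service until it's proven you can" rule in the post above is, in practice, a default-deny allowlist for listening services. The following is an added example (not code from the thread, Jordan Hubbard, or the FreeBSD project) that audits a host's listening sockets against such an allowlist. The sample input is constructed to resemble `sockstat -l` output on FreeBSD; the exact column layout, the allowlist contents and their justifications are assumptions of this example.

```python
"""Default-deny audit of listening services on a firewall host.

Added example, not part of the original Usenet post. It encodes the rule
that every network service is forbidden unless it has been explicitly
justified and recorded on an allowlist. Everything else is a finding.
"""
from dataclasses import dataclass

# Constructed sample, shaped like `sockstat -l` output (assumed layout):
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512    4 tcp4   10.0.0.1:22           *:*
root     sendmail   601    5 tcp4   *:25                  *:*
www      httpd      700    3 tcp4   *:80                  *:*
root     inetd      420    6 tcp4   *:513                 *:*
root     syslogd    310    4 udp4   *:514                 *:*
"""

# Hypothetical policy: (command, port) -> written justification.
# Anything not listed here is denied by default.
ALLOWED = {
    ("sshd", 22): "administrative access from the management network only",
}


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    addr: str   # bound address, "*" means all interfaces
    port: int


def parse_sockstat(text):
    """Parse constructed sockstat-style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and anything that does not have 7 columns.
        if not fields or fields[0] == "USER" or len(fields) < 7:
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def audit(listeners, allowed):
    """Return (listener, reason) pairs for every socket that violates policy.

    Default deny: a service must be on the allowlist to pass. An allowed
    service bound to all interfaces ("*") is still reported, since a firewall
    service should listen on a specific (inside) address.
    """
    findings = []
    for lst in listeners:
        if (lst.command, lst.port) not in allowed:
            findings.append((lst, "not on the allowlist: denied by default"))
        elif lst.addr == "*":
            findings.append((lst, "allowed, but bound to all interfaces"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit(parse_sockstat(SAMPLE_SOCKSTAT), ALLOWED)


if __name__ == "__main__":
    for lst, reason in audit_sample():
        print(f"{lst.command:10} {lst.proto} {lst.addr}:{lst.port}  -> {reason}")
```

On the constructed sample, only `sshd` on the inside address passes; `sendmail`, `httpd`, `inetd` and `syslogd` are all reported as denied by default, which matches the post's point that even the standard UNIX daemons do not belong on a firewall unless someone has proven a need for them.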