Ok, y'all know I've got me one of them thar webservers out there in the WWWild. I run a minimal firewall (aka iptables). I'm wondering though what the consensus is on running a full-blown firewall like say IPCop on a server that is a busy box. My webserver is also a mail server and naturally a webmail server. What are the benefits of say adding a second box and running a full-metal jacket firewall like IPCop, and can you run a webserver/mailserver on the same box as IPCop (that is without ripping out the guts of IPCop so it's no longer an IPCop version but some chopped up hacked up Frankenstein monster)?
Brian Densmore
<Bush> Kerry voted 350 times for Tax increases! <Factcheck.org> U R an idiot, Bush. No he didn't! <Bush> Kerry voted 98 times for tax increases! <Factcheck.org> U R such an Idiot, Bush! No he didn't! <Bush> Uhh... Factcheck.org is an unlawful combatant!
On Thu, 7 Oct 2004 16:38:58 -0500 "Brian Densmore" [email protected] wrote:
> Ok, y'all know I've got me one of them thar webservers out there in the WWWild. I run a minimal firewall (aka iptables). I'm wondering though what the consensus is on running a full-blown firewall like say IPCop on a server that is a busy box. My webserver is also a mail server and naturally a webmail server. What are the benefits of say adding a second box and running a full-metal jacket firewall like IPCop, and can you run a webserver/mailserver on the same box as IPCop (that is without ripping out the guts of IPCop so it's no longer an IPCop version but some chopped up hacked up Frankenstein monster)?
If you are only running the services you need to be running and have locked down your system fairly well a firewall, either internal or external, is mostly pointless.
If you're running an E-mail server and WWW server you'll need the following ports open:
25  SMTP
80  WWW
110 POP3
143 IMAP
Possibly some others for SSL encrypted POP, IMAP, WWW and possibly SSHD if you're going to do remote administration.
Putting a firewall in front of this box, or using iptables, is mostly a waste of time because you'll need all of these ports open to most every Internet IP address anyway or they can't provide their services.
Firewalls aren't a magic bullet. Most every service you run on a Linux box can be IP restricted on its own, or if not you can use iptables to do this. That's all firewalls really do: IP restrict who can access what ports.
Considering most, if not all, of your services need to be accessible from the entire Internet, I wouldn't worry about a firewall.
---------------------------------
Frank Wiles [email protected]
http://www.wiles.org
---------------------------------
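The reply describes the two things iptables on such a box actually does: leave the public service ports open to everyone, and IP restrict the administrative port (SSH). The script below is an added example, not code from either poster, showing what that minimal ruleset looks like in iptables-restore format for a combined web/mail host. It assumes the port list from the reply plus the "possibly some others" SSL ports (443, 993, 995), and a constructed admin network of 203.0.113.0/24 (an RFC 5737 documentation range) standing in for wherever you would really administer from.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# host that serves SMTP, WWW, POP3 and IMAP to the whole Internet but only
# accepts SSH from an administrative network.
#
# ADMIN_NET is an assumed placeholder; replace it with your real admin range.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
# Public TCP services from the reply, plus the SSL variants it mentions as
# "possibly some others" (assumed: 443 HTTPS, 993 IMAPS, 995 POP3S).
PUBLIC_TCP_PORTS="25 80 110 143 443 993 995"

build_rules() {
  # Default-deny inbound, allow anything out, never forward (this is a host,
  # not a router like IPCop would be).
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # Service ports: open to every source address, exactly as the reply says
  # they must be for the services to work at all.
  for p in $PUBLIC_TCP_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # The one port where IP restriction buys something: remote administration.
  echo "-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT"
  # Rate-limited ping so monitoring still works without inviting floods.
  echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
  # Log a sample of what the default DROP policy eats, for later review.
  echo "-A INPUT -m limit --limit 3/min -j LOG --log-prefix \"iptables-drop: \""
  echo "COMMIT"
}

# Count how many distinct NEW-connection accept rules the ruleset contains
# (public services plus the restricted SSH rule).
count_accept_rules() {
  build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Without --apply, just print the ruleset so it can be reviewed first.
# With --apply (as root), load it atomically via iptables-restore.
case "${1:-}" in
  --apply) build_rules | iptables-restore ;;
  *) build_rules ;;
esac
```

Run it once without arguments and read the output; only then run it with `--apply` as root, from a console rather than over SSH, in case the admin range is wrong and the restriction locks you out.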