Linux webserver/firewall...??

Associate
Joined
15 Dec 2005
Posts
597
Got a home network, and cable modem...

Wanted to run a home webserver, and was wondering about security...

I've read the most secure way would be to have a firewall connected to the modem (linux... e.g., smoothwall, astaro.. etc), with an additional 2 nics.. one for the internal lan, and one for a dmz to which I connect my webserver...

Seems like a lot of devices....

Could I simply not use a linux build webserver & firewall with 2 nics, one for external internal, and one for internal lan... or would I be exposing internal lan to potential security risks if webserver hacked...???

Any suggestions?
 
Associate
Joined
20 Dec 2002
Posts
376
You could run a firewall on the webserver but it's not advisable to keep private data on the same machine.

Personally I like a firewall on each machine on my lan but that might be overkill.
 
Permabanned
Joined
17 Mar 2004
Posts
1,486
Location
Edinburgh
Technically you shouldn't be running any extraneous services on a firewall box- each service represents a unique chink in the armour of your external defences :)

For a home setup I would just go with using a NAT router as a "firewall" tbh unless you have any specific reason not to. Then just forward ports 80 and 443 to the webserver box.
Finally set up iptables on the webserver to tighten its defences.

Anything more than this is paranoia for a home setup imo.
 
Soldato
Joined
19 Apr 2003
Posts
2,529
I know people always say you shouldn't run things on the same box as the firewall, but if the services are on the inside of the firewall what's the problem, maybe not ideal for a corporation, but a home user probably exposes themselves to much greater risks.

Many many people are running exactly like this so maybe the threat is a little overrated or just one of those things people like to repeat without giving it too much thought or understanding?

TDF.
 
Associate
OP
Joined
15 Dec 2005
Posts
597
That's what I thought to be honest....

For home use, why would you want a home webserver in a dmz, totally exposed to the internet, when you can have it behind your router and firewall...

I can simply just set up the webserver's firewall so that it rejects/or drops any attempts to connect to internal lan devices, but allow the other way around
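
The setup the thread converges on (router forwards 80 and 443, iptables on the web server refuses new connections towards the LAN while LAN machines can still reach it), as an added example that is not part of any post above. The LAN range, router address, SSH on port 22 for LAN admin access and a static address on the server are assumptions; `gen_webserver_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: host firewall for the web server box, emitted in
# iptables-restore format. Addresses passed in are the caller's own.

gen_webserver_rules() {
    # $1 = internal LAN in CIDR form, $2 = router/DNS address on that LAN
    if [ $# -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: gen_webserver_rules LAN_CIDR ROUTER_IP" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections that already exist
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The forwarded web ports from the thread
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> server admin access (SSH on 22 is an assumption)
-A INPUT -s $1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to LAN-initiated connections still go out
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS lookups to the router are the one LAN destination the server may open
-A OUTPUT -d $2 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $2 -p tcp --dport 53 -j ACCEPT
# Server -> LAN: refuse any new connection it tries to start
-A OUTPUT -d $1 -m conntrack --ctstate NEW -j REJECT
COMMIT
EOF
}

# Print the ruleset when run as: sh webfw.sh --print 192.168.1.0/24 192.168.1.1
# (constructed sample addresses)
if [ "${1:-}" = "--print" ]; then
    gen_webserver_rules "${2:-}" "${3:-}"
fi
```

Pipe the output through `iptables-restore --test` as root before loading it for real. Because these rules live on the web server itself, they only hold while an intruder has not gained root on that box; the separate firewall/DMZ layout from the first post keeps the filter on a different machine.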
 