Forum OpenACS Q&A: Firewalls, etc

Posted by Kurt Schwarz on
First off, I'm still trying to figure out firewalls. The INPUT/OUTPUT/FORWARDING, etc. are starting to sink in.

With that in mind (correct me if I'm wrong on these):

  1. I need to have port 80 INPUT open for connections to my web server (how I have it set in nsd.tcl)
  2. For email notifications to work, I need to have port 25 INPUT/OUTPUT open
  3. OK, so this is a question: Which port(s) need to be open/accessible for the database (if any). I'm running PostgreSQL (port 5432)
I'm currently running Mail, AOLServer, and the DB on one box, but will be breaking it up in the near future.

Because I'm lazy (or all about the tools), I'd like to use Webmin to help set this up.

Comments? Suggestions? Am I totally off base?

2: Response to Firewalls, etc (response to 1)
Posted by Jon Griffin on
Comment 1: Don't use webmin. It has been hacked many times.

Comment 2: Learn to use your os and don't depend on graphical programs. If you can't or don't want to invest the time to understand security you are asking for problems.

Sorry to be so hard, but the cracking world is much harder.

4: Response to Firewalls, etc (response to 1)
Posted by Kurt Schwarz on
I'll agree with you about learning the OS. That's the reason I use tools like Webmin...at first. I try to get a basic understanding, then usually I can figure it out at the OS level from there.

...or is that kinda weird?

5: Response to Firewalls, etc (response to 1)
Posted by Cathy Sarisky on
As long as the DB lives on the same machine, don't open a port for it. You've answered your own question about which port to open if you do move the DB (UDP 5432). When you open that port on the separate DB server, you probably want to set your firewalling rules to restrict it to talking to only the IP address of the webserver. That's not perfect, but it's a start. And of course you're going to want to set a password for the database, to provide it with a little bit more protection also.

If you're just learning the system and security, do you really need to put the DB on a separate machine?  You can serve a reasonable number of hits with the db on the same machine, unless that machine is very wimpy.  If I were in your shoes, I'd keep the DB on the same machine unless it's clear from your load that it needs to move.

Another option would be to fit out the web server with an extra NIC and connect the db server to it alone. Whether or not that's feasible for you probably depends on how accommodating your colocation facility is, but it would allow you to protect traffic between the webserver and dbserver a bit better.

6: Response to Firewalls, etc (response to 1)
Posted by Marshall Trammell,III on
Linux Firewalls, second edition, covers iptables, the ipchains replacement, in detail.

see Link to Amazon

3: Re: Firewalls, etc (response to 1)
Posted by Matthew Geddert on
I agree with Jon, learn how to use OS based tools, or get a simple box like a sonicwall firewall and don't worry about learning that stuff. One way to look at this is by using programs that don't get hacked; qmail and djb-dns are two examples of mail servers and dns servers that haven't yet been hacked (you should install a dns cache to speed things up on almost any server). Also, I don't know if you are going to use SSH to manage your box, but if you do, make sure you use the hosts.allow file for sshd. You don't need 5432 open to anything but localhost for openacs.
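The rule set the thread converges on (port 80 and 25 open on the combined box, PostgreSQL reachable over loopback only, and, once the database moves, TCP 5432 accepted solely from the web server's address, with sshd additionally fenced by TCP wrappers) can be written down as an iptables-restore file. The script below is an added example, not something posted in this thread; it generates the rules as text for review rather than applying them, so it runs without root and without iptables installed. PostgreSQL listens on TCP 5432. The addresses 192.0.2.10 (web server) and 198.51.100.5 (admin workstation) are constructed placeholders, and the `combined`/`dbserver` role names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore rule set for either
#   combined  - web + mail + PostgreSQL on one host (Kurt's current layout)
#   dbserver  - a dedicated PostgreSQL host that only the web server may reach
# Review the output, then load it with:  gen_firewall <role> <web_ip> <admin_ip> | iptables-restore
# Addresses passed in are placeholders chosen by the caller; nothing here is applied.

gen_firewall() {
  role="$1"       # "combined" or "dbserver"
  web_ip="$2"     # address of the web server; only used by the dbserver role
  admin_ip="$3"   # the one address allowed to reach sshd

  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: on a single box AOLserver reaches PostgreSQL over 127.0.0.1, never a public port
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (outbound SMTP delivery, DNS lookups, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: SSH only from the admin address (hosts.allow below adds a second layer)
-A INPUT -p tcp -s ${admin_ip} --dport 22 -m state --state NEW -j ACCEPT
EOF

  case "$role" in
    combined)
      cat <<EOF
# public services on the combined web/mail/db box
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# PostgreSQL (TCP 5432) is deliberately NOT opened: it is reached over loopback only
EOF
      ;;
    dbserver)
      cat <<EOF
# dedicated DB host: PostgreSQL accepted only from the web server's address
-A INPUT -p tcp -s ${web_ip} --dport 5432 -m state --state NEW -j ACCEPT
EOF
      ;;
    *)
      echo "gen_firewall: unknown role '$role' (expected combined or dbserver)" >&2
      return 1
      ;;
  esac
  echo "COMMIT"
}

# TCP-wrappers companion for sshd: deny everything, then allow the admin address.
# Prints the lines for /etc/hosts.deny and /etc/hosts.allow, one file per call.
gen_tcpwrappers() {
  file="$1"       # "deny" or "allow"
  admin_ip="$2"
  case "$file" in
    deny)  echo "sshd: ALL" ;;
    allow) echo "sshd: ${admin_ip}" ;;
    *)     echo "gen_tcpwrappers: unknown file '$file'" >&2; return 1 ;;
  esac
}
```

On the combined box the OUTPUT policy of ACCEPT plus the ESTABLISHED,RELATED rule is what lets outbound mail and DNS work, so no separate "port 25 OUTPUT" rule is needed; on the database host nothing but the web server's address and the admin address can open a connection at all, which is the restriction Cathy describes.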