Port Forwarding vs. Running Servers on Firewall

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Thu Sep 4 22:07:44 UTC 2003


<snip>
> Let us take a concrete example. Say we have Apache running on a host
> (192.168.0.10) on the LAN that must be accessible from the whole world.
> Our firewall and gateway, 192.168.0.1 on the inside interface, and
> 123.123.123.123 (any resemblance to a real host is coincidental) on the
> outside interface, has to forward all requests to 123.123.123.123:80 to
> 192.168.0.10:80 and send the packets from 192.168.0.10 back out through
> 123.123.123.123 via 192.168.0.1. Packets are going to be inspected and
> all that good stuff on the firewall. What difference does it make if
> the Apache daemon is running on the firewall or on 192.168.0.10?

If one of the services gets punched, then it might create a hole to access
personal information on your LAN. I see a lot of servers on other lists
getting hacked after being careless and trying shortcuts. Don't be too
hasty to add your name to that list. :)

>> The thing about a firewall is that the hosts behind it are (or are
>> supposed to be) invisible, since their IPs are private and cannot be
>> seen from the WAN, ie. 192.168.0.x.
>
> If port 80 on the firewall is forwarded to a host with a private IP on
> the LAN, it can be seen from the WAN. That is the whole point of port
> forwarding, is it not?

You can also run EXT_IF tcp port 80 on the firewall to tcp port 8080 (for
example) on the server. Or direct port 80 to one machine and 443 to
another from the firewall/router. Stateful packet inspection carries a
memory tax, and you should want it to run free and clear. Add in the
resource load of any IDE that you throw in later after paranoia sets in,
and it begins to make more sense cost-wise.

>>You want a firewall that does port forwarding, network address
>>translation, and stateful traffic inspection (IIRC).
>
> Right, but that does not address the question of why it is good practice
> to run only firewall and routing services on the firewall instead of
> running httpd, etc. Running a bunch of services on the firewall does
> not preclude one from having all that good stuff you listed.

Well, for starters, you can run all those services right on the Internet
on an otherwise firewalled box, but not in a LAN setting and still be
secure.

For security, you might want to isolate publicly accessible services
from privately accessible services (the world doesn't need to browse your
network). Every service running on the machine presents a security risk.

If the first line of defence is the firewalled machine running all
services, where you might be running a database with customer info, for
example, this would *_not_* be considered a best practices situation.

If you have the services running on the LAN, or better yet in a DMZ, then
you have the protection of the firewall and the protection of the server.
Both machines should be "hardened" and best to have the server isolated
from the LAN. A couple configuration changes and a few more lines to the
firewall script does it.

OTOH, if you just want to muck around with a home-based Internet server
and you're not too concerned about it getting hacked at this point, then
have at it, and enjoy. :)



--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml