I have a home network which is protected by a dedicated firewall PC running pfSense. I have an openSUSE 11.2 webserver on the home side of the firewall. Is it necessary to run a firewall or set up iptables on the openSUSE box?
At some point I intend to port forward through the firewall to the web server so it can be accessed via the internet. Access to the web server will be password protected as it's only for myself and my business associates to connect to.
I echo what Magnu5 and syampillai said. Running the firewall on the Opensuse server doesn’t harm anything, it has no measurable impact on performance, and it’s just extra protection.
Besides, always enabling the firewall on every PC, and then pinholing as needed to expose specific services, is just a good habit to get into. Make it second nature. That way, you won’t ever find yourself at home one evening wondering, “hey, we exposed that old server to the Internet today … did I enable the firewall???”
Also besides, that Web server could be attacked from the internal network. (Don’t ever forget that.)
Bottom line: firewall, then pinhole, even on a netbook that will never, ever run a server anywhere.
Agreed on all points. To make one last point, NetFilter (the firewall
built into the kernel manipulated by the iptables command) is enabled
regardless of whether or not you configure it to allow everything or just
TCP/80. The downsides to closing all ports except those you need and
expect to be open are not really existent for you. If you leave all ports
open, though, any other users on the system can, without you knowing, set
up their own services allowing remote access to the system. Leaving the
default firewall in place (and allowing just what you need) will prevent
rogue services from being remotely accessible.
Good luck.
On 02/27/2010 12:56 AM, smpoole7 wrote:
>
> I echo what Magnu5 and syampillai said. Running the firewall on the
> Opensuse server doesn’t harm anything, it has no measurable impact on
> performance, and it’s just extra protection.
>
> Besides, always enabling the firewall on every PC, and then pinholing
> as needed to expose specific services, is just a good habit to get into.
> Make it second nature. That way, you won’t ever find yourself at home
> one evening wondering, “hey, we exposed that old server to the Internet
> today … did I enable the firewall???”
>
> Also besides, that Web server could be attacked from the internal
> network. (Don’t ever forget that.)
>
> Bottom line: firewall, then pinhole, even on a netbook that will never,
> ever run a server anywhere.
>
>
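An added example, not part of the original thread: a small audit for the "rogue services" point in the last reply, listing TCP listeners that are reachable from the network but are not an intended pinhole. The allow list (`ALLOWED_PORTS`), the function name and the sample socket lines are assumptions made for illustration; the sample is constructed in the column layout of `ss -tln`.

```shell
#!/bin/sh
# Added example: report listening TCP sockets that a "firewall, then pinhole"
# policy would have to block. Names and sample data below are assumptions.

ALLOWED_PORTS="80"   # the only pinhole mentioned in the thread (TCP/80)

# Constructed sample: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*
LISTEN 0 128 [::1]:25 [::]:*'

# Reads ss-style lines on stdin. Prints "address port" for every listener that
# is bound to a non-loopback address and whose port is not in the allow list
# given as $1 (space-separated). Header lines are skipped: $1 is not "LISTEN".
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print addr, port
        }'
}

# On the server itself: ss -tln | unexpected_listeners "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "$ALLOWED_PORTS"
```

Anything this prints is a service that stays unreachable from other machines only while the host firewall's default-deny rule is in place.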