need for firewall on opensuse web server

Hi,

I have a home network which is protected by a dedicated firewall PC running pfSense. I have an openSUSE 11.2 webserver on the home side of the firewall. Is it necessary to run a firewall or set up iptables on the openSUSE box?

At some point I intend to port forward through the firewall to the web server so it can be accessed via the internet. Access to the web server will be password protected as it's only for myself and my business associates to connect to.

thanks in advance

Greg J

In my opinion it is best to only open the required ports in the firewall even if you are on a local network with a dedicated firewall in place.

pfSense is good but it is always a good idea to have a firewall enabled on the web server too for additional protection.

I echo what Magnu5 and syampillai said. Running the firewall on the Opensuse server doesn’t harm anything, it has no measurable impact on performance, and it’s just extra protection.

Besides, always enabling the firewall on every PC, and then pinholing as needed to expose specific services, is just a good habit to get into. Make it second nature. That way, you won’t ever find yourself at home one evening wondering, “hey, we exposed that old server to the Internet today … did I enable the firewall???” :slight_smile:

Also besides, that Web server could be attacked from the internal network. (Don’t ever forget that.)

Bottom line: firewall, then pinhole, even on a netbook that will never, ever run a server anywhere. :slight_smile:

Agreed on all points. To make one last point, NetFilter (the firewall
built into the kernel, manipulated by the iptables command) is enabled
regardless of whether or not you configure it to allow everything or just
TCP/80. The downsides to closing all ports except those you need and
expect to be open are not really existent for you. If you leave all ports
open, though, any other users on the system can, without you knowing, set
up their own services allowing remote access to the system. Leaving the
default firewall in place (and allowing just what you need) will prevent
rogue services from being remotely accessible.

Good luck.

On 02/27/2010 12:56 AM, smpoole7 wrote:
>
> I echo what Magnu5 and syampillai said. Running the firewall on the
> Opensuse server doesn’t harm anything, it has no measurable impact on
> performance, and it’s just extra protection.
>
> Besides, always enabling the firewall on every PC, and then pinholing
> as needed to expose specific services, is just a good habit to get into.
> Make it second nature. That way, you won’t ever find yourself at home
> one evening wondering, “hey, we exposed that old server to the Internet
> today … did I enable the firewall???” :slight_smile:
>
> Also besides, that Web server could be attacked from the internal
> network. (Don’t ever forget that.)
>
> Bottom line: firewall, then pinhole, even on a netbook that will never,
> ever run a server anywhere. :slight_smile:
>
>

Hi all,

Thank you all for your quality responses. I have configured the firewall and seem to have that working now.

Greg J