iptables rules for small server (Linux Security forums, System Security and Security Related category)
I have a RH 9.0 server that is running apache and sendmail to the outside world. It is behind a smoothwall firewall that only allows ports 80, 8080, 25, and 110 to get through. Should I run some iptables rules on the server itself just to be sure?

John
John Rusinko wrote:
> I have a RH 9.0 server that is running apache and sendmail to the
> outside world. it is behind a smoothwall firewall that only allows ports
> 80, 8080, 25, and 110 to get through. Should I run some iptables rules
> on the server it self just to be sure ??

As Brad has already stated, it is always a good idea to have a firewall running not only on the "dedicated" firewall/router machine, but also on the server itself. - Although Your setup doesn't really need such additional instance, it won't harm, either.

You're running apache, so You need to allow both incoming and outgoing traffic from/to port 80. Fine.

As for sendmail, how do You use it...? - Are You running it to receive messages only, or is it Your MTA? Depending on that You will have to decide about Your firewalling rules. (N. B. I assume that Your sendmail is configured correctly, and hence, securely!)

If You do not provide any service at 8080 and 110 on that server, You simply needn't block any traffic to/from these ports, neither on that smoothwall thingy of Yours, nor on the RH9.0 box itself.

The better idea is to block everything except for the explicit traffic You want. Here, it doesn't matter whether smoothwall or the server itself does the "blocking" in this context. - Since both would use exactly the same algorithm to achieve this, don't have an additional firewall on Your server but let the firewall do its job.

For now. - When once You want to modify services on Your server, You'll be better off making the router a "dumb" router (the smoothwall thing), and make each server protect itself against illegal access. (Again, in a properly configured system, You needn't even do that, because only running services will be served, everything else will die anyways. But nowadays, sometimes You simply can't tell.)

Bottom line: You're safe enough with Your smoothwall for now, no need to double-inspect any incoming traffic. IF You have the ability to do such doubling, simply do it as long as there is no loss of performance involved. - And, reconsider what You are using sendmail for. If it is only to receive SMTP, don't allow sendmail to make connections to the outside world. Otherwise, You may make Yourself a spam-relay. - You can solve this by configuring sendmail correctly rather than disallowing it to establish connections, but many of the posts not only in this NG show that most admins come to their limits when it comes to doing just this, configuring sendmail.

Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
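The "block everything except the explicit traffic You want" policy from the post above, written out as a host-level iptables script. This is an added example, not code from the thread or from Smoothwall; it assumes the services named in the thread (Apache on 80, sendmail on 25, POP3 on 110) and that 8080 never reaches the server itself because the Smoothwall forwards it to port 80, so only 80 needs to be open here. The `IPT` variable is a hypothetical hook: it defaults to the real `iptables` binary, and setting it to `echo` prints the rules instead of loading them so the rule set can be inspected (and tested) on a machine without root. `SMTP_RECEIVE_ONLY` is likewise an assumed switch that implements the "receive SMTP only, no outbound connections" advice; the caveat is that it also stops the box from sending bounces or any other outbound mail, which is why the post recommends fixing relaying in the sendmail configuration instead.

```shell
#!/bin/sh
# Default-deny host firewall for a box exposing only Apache (80), sendmail (25)
# and POP3 (110). Added example, not the thread's own script.
# IPT is an assumed hook: the real binary by default, "echo" for a dry run.
IPT="${IPT:-iptables}"

# Ports the server really serves. 8080 is deliberately absent: per the thread the
# Smoothwall forwards 8080 to 80 on this host, so only 80 ever arrives here.
TCP_SERVICES="${TCP_SERVICES:-80 25 110}"

# Assumed switch: 1 = sendmail may only receive; block NEW outbound SMTP.
SMTP_RECEIVE_ONLY="${SMTP_RECEIVE_ONLY:-0}"

apply_rules() {
    # Flush INPUT and set the policies: inbound and forwarded traffic is dropped
    # unless a rule below accepts it; outbound stays open.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is needed by local daemons (sendmail talks to itself on 127.0.0.1).
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (DNS lookups, updates, outbound mail).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One explicit accept per served port; everything else hits the DROP policy.
    for p in $TCP_SERVICES; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of what is dropped, so logwatch can report probes
    # against closed ports without flooding syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "

    # Receive-only sendmail: refuse new outbound SMTP connections. Established
    # inbound sessions are unaffected, but the host can no longer send any mail.
    if [ "$SMTP_RECEIVE_ONLY" = "1" ]; then
        $IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j REJECT
    fi
}

# Dry-run helpers: render the rule set with echo instead of loading it.
render_rules() {
    ( IPT=echo; apply_rules )
}

# Number of INPUT accept/log rules the script would add.
count_input_rules() {
    render_rules | grep -c -- '-A INPUT'
}

# Succeeds if an explicit accept for the given TCP port would be loaded.
port_allowed() {
    render_rules | grep -q -- "--dport $1 "
}

# Succeeds if NEW outbound SMTP would be rejected.
outbound_smtp_blocked() {
    render_rules | grep -q -- '-A OUTPUT -p tcp --dport 25'
}

# Usage: "sh firewall.sh apply" as root loads the rules; "sh firewall.sh show"
# prints them. With no argument nothing is changed.
case "${1:-}" in
    apply) apply_rules ;;
    show)  render_rules ;;
esac
```

Run `sh firewall.sh show` first and read the output before `apply`; the loopback and ESTABLISHED,RELATED lines must come before the port accepts or local delivery and DNS replies get dropped. Adding a port later is a matter of extending `TCP_SERVICES`, which keeps the "explicit allow" list in one place.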
jack wrote:
> John Rusinko wrote:
>
>> I have a RH 9.0 server that is running apache and sendmail to the
>> outside world. it is behind a smoothwall firewall that only allows
>> ports 80, 8080, 25, and 110 to get through. Should I run some iptables
>> rules on the server it self just to be sure ??
>
> As Brad has already stated, it is always a good idea to have a firewall
> running not only on the "dedicated" firewall/router machine, but
> also on the server itself. - Although Your setup doesn't really need
> such additional instance, it won't harm, either.
>
> You're running apache, so You need to allow both incoming and outgoing
> traffic from/to port 80. Fine.
>
> As for sendmail, how do You use it...? - Are You running it to receive
> messages only, or is it Your MTA? Depending on that You will have to
> decide about Your firewalling rules. (N. B. I assume that Your sendmail
> is configured correctly, and hence, securely!)
>
> If You do not provide any service at 8080 and 110 on that server, You
> simply needn't block any traffic to/from these ports, neither on that
> smoothwall thingy of Yours, nor on the RH9.0 box itself.
>
> The better idea is to block everything except for the explicit traffic
> You want. Here, it doesn't matter whether smoothwall or the server
> itself does the "blocking" in this context. - Since both would use exactly
> the same algorithm to achieve this, don't have an additional firewall on
> Your server but let the firewall do its job.
>
> For now. - When once You want to modify services on Your server, You'll
> be better off making the router a "dumb" router (the smoothwall thing),
> and make each server protecting itself against illegal access. (Again,
> in a properly configured system, You needn't even do that, because only
> running services will be served, everything else will die anyways. But
> nowadays, sometimes You simply can't tell.)
>
> Bottom line: You're safe enough with Your smoothwall for now, no need
> to double-inspect any incoming traffic. IF You have the ability to do
> such doubling, simply do it as long as there is no loss of performance
> involved. - And, reconsider what You are using sendmail for. If it is
> only to receive SMTP, don't allow sendmail to make connections to the
> outside world. Otherwise, You may make Yourself a spam-relay. - You
> can solve this by configuring sendmail correctly rather than disallowing
> it to establish connections, but many of the posts not only in this NG
> show that most admins come to their limits when it comes to doing just
> this, configuring sendmail.
>
> Cheers, Jack.

Smoothwall forwards port 8080 as well as port 80 to port 80 on the RH server, and I have some accounts that use POP to get mail, so 110 is also used. Other than that, most gets blocked at the firewall.

I have received logwatch reports that sendmail has rejected relaying from xyz, so can I assume that part of sendmail is ok?

I also don't want apache taken over by someone and used for their wrongdoing. What can I use to prevent that?

John