Ok, this might be a bit lengthy, so bear with me. There is some setup to this. I am in the process of hosting my own Web Server, Mail Server, FTP Server, and whatever else I can think of from my home. I plan on running Linux everything for obvious reasons. I have a LINKSYS router. I have disabled remote administration and PING on my router. So to the outside world, it is pretty invisible. Preliminary testing: I have set up a web server and an FTP server, both on standard ports 80 and 21. I set up port forwarding on my router so that incoming requests on those ports get forwarded to the appropriate internal address. All works beautifully. So now I am concerning myself with security. My web site I have hosted at IMHosted does not get a lot of traffic. It's more for me and my friend to document things, but we still want it available. Anyway, I know how to handle IPTables in Linux but I am wondering if I REALLY need to do this? Here is my thought: Linux is pretty darn secure in the sense that I don't have to worry a lot about worms and viruses. My biggest concern on my Web Server is DoS attacks. Now I know that if I am getting a DoS attack and can determine the IP range I could use IPTables to block that IP range until the attack was over. This is something I can't do with my router alone without just turning off port 80 forwarding. But I am not sure if I want to deal with a firewall for the simple little things I am doing. In a nutshell, how important is having a firewall in front of a LINUX backend for a home environment like I am setting up? Just looking for opinions and suggestions here. Thanks. [ August 29, 2003: Message edited by: Gregg Bolinger ]
I am in the process of hosting my own Web Server, Mail Server, FTP Server, and whatever else I can think of from my home. I plan on running Linux everything for obvious reasons. I do something similar, although the web server is not really "public", as my cable provider is not as tolerant as your DSL supplier seems to be. I access the system to read my home email via a web front end while I'm on a client site behind a firewall, and so on. Anyway. I use a specialised Linux distribution which incorporates a firewall for just this sort of application. So far it's been *much* more robust and intruder-proof than a stock RedHat system I ran at a colocation facility for a while (sad story on request). I find that this distribution offers everything I need in a web/mail/FTP/file server without all the bloat installed by a typical "desktop" Linux distribution. I have been running e-smith happily for several years (and several versions). Check out http://www.e-smith.org/ for the software I use. There are also some others, but I haven't tried them seriously.
I firewall in the router, in each of the front-end LAN Linux machines AND on the NAT pass-through to the back-end LAN Windows machines. Firewalls have been known to have bugs, but the odds of all 3 firewalls succumbing to the same bug (especially when different software is involved) are fairly low. As is the likelihood that I would have missed an exploit in all 3 sets of rules. I suppose there's a performance penalty, but I consider it cheap insurance.
An IDE is no substitute for an Intelligent Developer.
I also have a router which has an inbuilt firewall and my Linux box which serves up both my girlfriend's and my web pages. I still run the firewall on my Linux box as well as having the router's firewall. IPTables is fairly easy to set up when basically denying everything (or nearly everything) and it gives me an extra line of defence if ever the router's firewall failed. Regards, Andrew
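The "deny everything, then allow the few services" ruleset Andrew describes, combined with the per-range block the original post asks about for riding out a DoS, as an added example. This is not code from any of the posters; it is a plain sh script that, with no arguments, only prints the iptables commands (a dry run) and, with "apply" as root, loads them. The LAN range, the SSH-from-LAN rule, the rate limit on new HTTP connections and the ip_conntrack_ftp helper are assumptions about a typical setup, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread. Default-deny iptables ruleset for a
# Linux home server that exposes only HTTP (80) and FTP (21) through the
# router's port forwarding. Everything not listed is dropped and logged.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: the home LAN behind the router
MODE="${1:-print}"                     # "print" (default, dry run) or "apply" (needs root)

# Print a rule or execute it, depending on MODE.
rule() {
    if [ "$MODE" = "apply" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Base ruleset: drop all inbound traffic unless a rule below allows it.
base_rules() {
    rule iptables -F
    rule iptables -X
    rule iptables -P INPUT DROP
    rule iptables -P FORWARD DROP
    rule iptables -P OUTPUT ACCEPT
    rule iptables -A INPUT -i lo -j ACCEPT
    # Packets belonging to connections already accepted, plus FTP data
    # connections (RELATED) once the ip_conntrack_ftp helper is loaded.
    rule iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The two services the router forwards. New HTTP connections are rate
    # limited; SYNs above the limit fall through to the default DROP.
    rule iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/second --limit-burst 100 -j ACCEPT
    rule iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Administration (assumed SSH) only from the LAN, never from the Internet.
    rule iptables -A INPUT -p tcp --dport 22 -s "$LAN_NET" -j ACCEPT
    # Log, at a limited rate, what is about to be dropped so floods are visible.
    rule iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix iptables-drop:
}

# Drop a source range for the duration of an attack. Inserted at position 1 of
# INPUT so it takes precedence over the service rules. Argument: a CIDR range.
block_range() {
    rule iptables -I INPUT 1 -s "$1" -j DROP
}

# Remove a block added by block_range once the attack is over.
unblock_range() {
    rule iptables -D INPUT -s "$1" -j DROP
}

# Count the rules in the (printed) base ruleset that open a given TCP port;
# a quick sanity check before applying, so only the intended ports are open.
rules_for_port() {
    ( MODE=print; base_rules ) | grep -c -- "--dport $1"
}

if [ "$MODE" = "apply" ]; then
    # Lets the RELATED rule above admit passive/active FTP data connections.
    modprobe ip_conntrack_ftp 2>/dev/null || true
fi
base_rules
```

Two things the script cannot do for you: a flood that saturates the home upstream link is over before these rules see it, since the packets still arrive at the router, and the range you hand to `block_range` has to come from your own logs (the `iptables-drop:` lines in the kernel log, or the web server's access log), so keep those logs readable before you need them.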
You might also want to check out ClarkConnect. Awesome distro that provides many features you are looking for. It's based on Red Hat 9.0 by the way if that means anything. The installation is so simple and provides a very friendly web-based UI for administration. http://www.clarkconnect.org [ September 02, 2003: Message edited by: Hung Tang ]