Chris Pugrud wrote:
> Part of your firewall planning is needing to determine what to support.
> In Windows based organizations I have found the answer to generally be
> http, ftp, and smtp (web and e-mail basically). In this situation it is
> relatively easy to set up a simple, effective firewall using Linux,
> Apache, and Qmail.
> Apache has a pretty good web/ftp proxy function built in. The caching
> functionality doesn't seem to be very effective, but I really haven't
> played with the settings. For added security I tend to run two apache
> daemons, one for the inside with the proxy functions built in, and one
> for the outside web server that is stripped and gutted to the bare
> essentials (the less code there is, the less that can be compromised).
Apache is quite stable. You should let it run in chroot() environment.
For security purposes I really only trust CERN-HTTPD. It's the only
one, which is bullet proof.
> Qmail is very fast and effective as an e-mail gateway. I would
> recommend using an internal e-mail server, and just have Qmail relay
> mail between the world and the office. Qmail also has a very easy setup
> to disable the relay functionality, so you can avoid being victimized by
> spammers using your server.
QMAIL still is not bullet proof, but seems to be better than sendmail.
I'd recommend a sendmail proxy (there are some free ones) and qmail
running in user-mode.
> If you strip and gut the Linux server appropriately you will end up with
> a very tight configuration, with only three ports open to attack (http,
> smtp, and dns). A complete configuration with pwebstats for traffic
> analysis and reporting, apache, qmail, and all of the tools you acutely
> need on the server is less than 20 MB. Be sure and setup a separate and
> large partition for log files.
I am not really sure about, that buffer overflows are not possible
with bind. I would suggest to be very carefull. I will test it right
By the way - I've found LINUX to be very stable and save, if you invest
some time to harden the system.
cu, Guido Stepken