Firewall Wizards mailing list archives
Re: Firewall to protect web server
From: woody weaver <woody () rt1solutions com>
Date: Tue, 25 Apr 2000 15:03:26 -0700
On Fri, Apr 21, 2000 at 10:20:39AM -0400, Jim Ide wrote:
Hello - I am in the process of setting up a web server (red hat linux, apache, mysql, php) in my main office. It will host a database which will be updated by users at several remote offices. This will not be a public web server - it will be only for the use of company employees (access will be denied to all except for a short list of ip addresses). I want to install a firewall to protect the web server. There will be no other computers behind the firewall (I may add more web servers later, if needed).
[...] Two cents: this seems like a good candidate for not using a firewall but using only access control lists on perimeter routers and some hardening of the box itself.
1. The apache web server (and other web servers) can be configured to allow/deny access based on the ip addresses and domain names of incoming requests. Firewalls can also be configured to do this. Should I use apache, firewall, or both, to block incoming http requests? Advantages / disadvantages / considerations to these approaches?
Both is clearly better from a security perspective, since if you accidentally misconfigure one the other will catch it. Only one is clearly better from a management perspective. I'd err on the side of safety, but YMMV. In general, I wouldn't trust domain name information. Use IP address information if you know your clients well enough. [...] --woody
Current thread:
- Firewall to protect web server Jim Ide (Apr 24)
- Re: Firewall to protect web server woody weaver (Apr 26)
- Re: Firewall to protect web server R. DuFresne (Apr 26)