Firewall Wizards mailing list archives

Re: Firewall to protect web server


From: woody weaver <woody () rt1solutions com>
Date: Tue, 25 Apr 2000 15:03:26 -0700


On Fri, Apr 21, 2000 at 10:20:39AM -0400, Jim Ide wrote:
> Hello -
>
> I am in the process of setting up a web server (red hat linux, apache,
> mysql, php) in my main office.  It will host a database which will be
> updated by users at several remote offices.  This will not be a public web
> server - it will be only for the use of company employees (access will be
> denied to all except for a short list of ip addresses).  I want to install a
> firewall to protect the web server.  There will be no other computers behind
> the firewall (I may add more web servers later, if needed).
[...] 

Two cents: this seems like a good candidate for not using a firewall but
using only access control lists on perimeter routers and some hardening
of the box itself.
 
> 1.    The apache web server (and other web servers) can be configured to
> allow/deny access based on the ip addresses and domain names of incoming
> requests.  Firewalls can also be configured to do this.  Should I use
> apache, firewall, or both, to block incoming http requests?  Advantages /
> disadvantages / considerations to these approaches?

Both is clearly better from a security perspective, since if you
accidentally misconfigure one the other will catch it.  Only one is
clearly better from a management perspective.  I'd err on the side of
safety, but YMMV.

In general, I wouldn't trust domain name information.  Use IP address
information if you know your clients well enough.

[...]

--woody
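
Added example, not part of the original message: a small audit of the two layers discussed above, flagging Apache entries that are names rather than IP addresses and reporting sources allowed by one layer but not the other. The sample configuration, the iptables-save style rule format and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample inputs (not from the thread); RFC 5737 documentation addresses.
APACHE_CONF = """\
Order deny,allow
Deny from all
Allow from 192.0.2.10 198.51.100.0/24
Allow from branch.example.com
"""
FILTER_RULES = """\
-A INPUT -p tcp -s 192.0.2.10/32 --dport 80 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.7/32 --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
"""

def apache_allow(conf):
    """Split 'Allow from' / 'Require ip|host' entries into (networks, non-IP tokens)."""
    nets, names = set(), set()
    pat = re.compile(r"^\s*(?:Allow\s+from|Require\s+(?:ip|host))\s+(.+)$", re.I | re.M)
    for m in pat.finditer(conf):
        for tok in m.group(1).split():
            try:
                nets.add(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                names.add(tok)  # hostname or keyword: depends on DNS, so flag it
    return nets, names

def filter_allow(rules):
    """Source networks of ACCEPT rules for TCP port 80 (numeric sources assumed)."""
    nets = set()
    for line in rules.splitlines():
        if "-j ACCEPT" in line and re.search(r"--dport\s+80\b", line):
            m = re.search(r"(?:^|\s)-s\s+(\S+)", line)
            # An ACCEPT rule with no -s admits every source.
            nets.add(ipaddress.ip_network(m.group(1) if m else "0.0.0.0/0", strict=False))
    return nets

def audit(conf, rules):
    """Report non-IP entries and exact-match drift between the two allow lists."""
    (web, names), fw = apache_allow(conf), filter_allow(rules)
    return {"hostname_entries": sorted(names),
            "only_in_apache": sorted(map(str, web - fw)),
            "only_in_filter": sorted(map(str, fw - web))}

if __name__ == "__main__":
    print(audit(APACHE_CONF, FILTER_RULES))
```

The comparison is by exact network match, so a host covered by a wider subnet in the other layer is still reported as drift and needs a manual look.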


