Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!newsroom.utas.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!tank.news.pipex.net!pipex!news.mathworks.com!uunet!in2.uu.net!spcuna!ritz!bet
From: bet@ritz.mordor.com (Bennett Todd)
Subject: Re: Looking for advice on FreeBSD WWW server
References: <43o0rb$8sq@pandora.enet.net>
Organization: Mordor International BBS - Jersey City, NJ
Date: Wed, 20 Sep 1995 13:02:15 GMT
Message-ID: <DF7G7r.AL@ritz.mordor.com>
Lines: 37

Well, I got some good news and some bad news.

The good news is that I've set up a www server (www.mordor.com) using Apache on FreeBSD and it cooks along quite happily. I can recommend this combination. I'm afraid I don't have experience with other daemons (aside from NCSA httpd) and so can't give a comparison.

The bad news is that I __Strongly__ recommend Don't Do It! Here's why: a Firewall is a well-defined job. It is intended to maintain the security of the protected net in the face of determined and sophisticated attacks from the unsecured net. Either FreeBSD or Linux could probably do that; I'd personally go with FreeBSD because its networking has a longer history behind it :-).

A Firewall machine should __NOT__ run anything that will tend to make it easy to burgle: this means no user logins, no sendmail, and _No_ HTTP! HTTP is cool, it's amazing, it's great --- and it's the most complex of the popular protocols. There have already been many, many security holes found in it --- and they all (naturally) allow an outsider to burgle the WWW server machine.

Use 2 PCs. Really. Put WWW on a ``sacrificial'' machine outside the firewall. Run an HTTP proxy on the firewall to let users on the inside access it. Let users on the inside that need to maintain it have logins on it, and get at it through a telnet proxy.

Back it up regularly; run tripwire to detect when you get burgled; do your best to keep it running and available in the face of intrusions. Do \Not/ run HTTP on your firewall; otherwise, rather than periodically losing your HTTP server until you can restore from backups and (try to) fix the latest hole, you'll have vandals storming your entire internal network. That would be ``Bad''.

-Bennett
bet@mordor.com
--
-Bennett
bet@mordor.com
http://www.mordor.com/bet/
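The last paragraph of the post recommends running tripwire on the sacrificial web host so you notice when it has been burgled. The following is an added example, not code from the original post and not tripwire itself: a small tripwire-style integrity checker in Python that baselines every regular file under a document root (SHA-256, size, permission bits), stores the baseline as JSON outside the tree, and later reports what was added, removed or modified. The directory layout, file names and the "intruder" actions in demo() are constructed for illustration.

```python
"""Tripwire-style integrity check for a sacrificial web host.

Record a baseline (hash, size, permission bits) of every regular file under
a document root, keep it somewhere the web host cannot modify, and later diff
the live tree against it to learn exactly what an intruder touched.
Added illustration, not tripwire itself and not code from the original post.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Return the attributes of one regular file that tampering is likely to change."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.lstat(path)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # catches a new setuid bit or world-write
    }


def snapshot(root):
    """Walk root and map each relative path to its record. Symlinks are skipped
    so a planted link cannot make the checker hash a file outside the tree."""
    root = Path(root)
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            records[path.relative_to(root).as_posix()] = file_record(path)
    return records


def compare(baseline, current):
    """Classify differences between two snapshots as added, removed or modified."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(records, path):
    Path(path).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a tiny doc root, simulate a break-in,
    and return what the check reports. File names and changes are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /cgi-bin/\n")
        script = root / "cgi-bin" / "search"
        script.write_text("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
        script.chmod(0o755)

        # Baseline lives outside the doc root; in practice keep it off the host
        # or on read-only media, since an intruder with root can edit it too.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated intruder: deface the front page, drop a new CGI, delete a
        # file, and make an existing script setuid without changing its bytes.
        (root / "index.html").write_text("<h1>defaced</h1>\n")
        (root / "cgi-bin" / "backdoor").write_text("#!/bin/sh\necho planted\n")
        (root / "robots.txt").unlink()
        script.chmod(0o4755)

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The mode check matters as much as the hash: the setuid change on cgi-bin/search leaves the file bytes identical, so a checker that only hashed content would miss it. Run the baseline before the box goes live and keep it off the host; a baseline the intruder can rewrite proves nothing.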