Shorewall for web server?

Jeffrey Tadlock linux at elfshadow.net
Wed Dec 28 01:58:59 UTC 2005


Timothy Murphy wrote:
> I still don't really see any great advantage
> in running the web-server on a different machine to the firewall.
> Can one not restrict the part of the computer 
> accessible through the web-server in a reasonably secure way?

You can certainly take efforts to keep your web server patched up and 
secure (including web apps above and beyond the web server itself). 
This will go far in keeping your box secure and should keep out the 
"casual" attacker.  It really comes down to the environment you are 
running in and what you are trying to protect.

But if someone manages to exploit your system via your web server or app 
you have installed and the attacker manages to get root, they own your 
system now.  Including tweaking your firewall ruleset to give them 
further access to your network.

By keeping all unnecessary services off your firewall you reduce the 
number of places an attacker can try to exploit - hopefully keeping your 
firewall safer in the long run.

Again, it comes down to what you are trying to protect.  I have on home 
setups placed the web server on the firewall and just made sure to keep 
everything up to date and be wary of what apps I run on the box based on 
their past security track record.

-J



