> A good idea in principle, but it won't stop buffer overflows targeted at
> port 80 - after all, the firewall would have to let such traffic through or
> the web server would be unavailable. Sophisticated firewalls exist for lots
> of cash that can block some attacks, but most off-the-shelf unixes with
> IPFILTER compiled into the kernel aren't going to handle that.
OTOH, say someone exploits a script bug on your server that fetches a backdoor from elsewhere on the internet. That backdoor binds to a predetermined port and gives them a shell. This is 'the usual' way of getting into php nuke sites, as I found out firsthand a while back :( If your firewall doesn't allow outbound http requests they can't fetch the backdoor program. If you don't allow inbound connections on any port other than 80, they can't get to a shell even if they did install and run their backdoor program. The same script flaw is still there, but behind a strict firewall it's almost impossible to do anything with it.
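The strict policy the reply describes (inbound only to port 80, no outbound connections from the web server) written out as an IPFilter rule set. This is an added example, not part of the original post; the external interface name `le0` and the resolver address `192.0.2.53` are assumed placeholders.

```conf
# Added example: IPFilter (ipf.conf) rules for a web server behind a strict policy.
# Assumptions: external interface le0, recursive DNS resolver at 192.0.2.53 (placeholders).
# IPFilter checks the state table before the rule list, so replies belonging to a
# "keep state" session pass even though both default rules below block.

# Default deny in both directions, and log what gets dropped.
block in log all
block out log all

# Loopback is trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# The only exposed service: TCP/80. Stateful, so the server's replies are allowed
# by the state entry rather than by any "pass out" rule.
pass in quick on le0 proto tcp from any to any port = 80 flags S keep state

# The only outbound traffic the host itself needs: DNS to the resolver.
pass out quick on le0 proto udp from any to 192.0.2.53 port = 53 keep state

# Everything else outbound (including an http fetch of a backdoor by an
# exploited script) falls to "block out log all": it is denied and shows up in
# the ipmon log, which is the admin's cue that something on the box tried to
# call out. An inbound connection to any port other than 80 (a backdoor's bind
# port, say) falls to "block in log all" the same way.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and run `ipmon` to see the logged drops.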
