A very good point made here on what you allow to go from your web server via the firewall. A lot of people only consider the threat of what comes in. Note that there are many tools that allow traffic to 'tunnel' through port 80, so if your firewall allows traffic out from port 80 then it can be exploited. Hard to do, but it is possible. The bottom line, as stated, is keep to very strict rules, for both directions. And watch the logs!!!
On Sat, 2002-07-13 at 07:07, [EMAIL PROTECTED] wrote:
>
> > A good idea in principle, but it won't stop buffer overflows targeted at
> > port 80 - after all, the firewall would have to let such traffic through or
> > the web server would be unavailable. Sophisticated firewalls exist for lots
> > of cash that can block some attacks, but most off-the-shelf unixes with
> > IPFILTER compiled into the kernel aren't going to handle that.
>
> OTOH; say someone exploits a script bug on your server that fetches a
> backdoor from elsewhere on the internet. That backdoor binds to a
> predetermined port and gives them a shell. This is 'the usual' way of
> getting into php nuke sites, as I found out firsthand a while back :(
>
> If your firewall doesn't allow outbound http requests they can't fetch the
> backdoor program. If you don't allow inbound connections on any port
> other than 80, they can't get to a shell even if they did install
> and run their backdoor program. The same script flaw is still there, but
> behind a strict firewall it's almost impossible to do anything with
> it.

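The two policies the thread contrasts (inbound restricted to port 80 with outbound left open, versus inbound restricted to port 80 and outbound restricted to reply traffic only) can be modelled with a small stateful filter. The following is an added illustration, not code from the thread or from IPFILTER; it is a toy in Python, the addresses are constructed from documentation ranges, and the `Firewall` class and `SCENARIO` list are assumptions made for the example. It walks the sequence the quoted message describes: a visitor connects, the server replies, the server then tries to open a connection out to another host, and finally someone tries to connect in on a port other than 80. Each verdict is also written to a log list, since the decisions you want to see are the blocked ones.

```python
"""Toy stateful packet filter: inbound only on port 80, with or without free outbound."""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"   # constructed: the web server sitting behind the firewall
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True = new connection attempt, False = packet of an existing flow


class Firewall:
    """Hypothetical filter: inbound SYNs accepted only to WEB_PORT; outbound policy configurable."""

    def __init__(self, allow_any_outbound: bool):
        self.allow_any_outbound = allow_any_outbound
        # state table keyed as (client_ip, client_port, server_ip, server_port),
        # i.e. always from the point of view of whoever opened the connection
        self.established = set()
        self.log = []

    def decide(self, p: Packet) -> str:
        inbound = p.dst == WEB_SERVER
        if inbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn:
                # only a new connection to the web port is accepted from outside
                if p.dport == WEB_PORT:
                    self.established.add(key)
                    verdict = "pass"
                else:
                    verdict = "block"
            else:
                # non-SYN packets are only accepted for flows we already know
                verdict = "pass" if key in self.established else "block"
        else:
            # outbound from the web server; look the flow up from the peer's side
            key = (p.dst, p.dport, p.src, p.sport)
            if not p.syn and key in self.established:
                verdict = "pass"          # reply to a client we admitted earlier
            elif p.syn and self.allow_any_outbound:
                self.established.add(key)  # server-initiated flow, permitted by the loose policy
                verdict = "pass"
            else:
                verdict = "block"         # strict policy: the server never opens connections
        direction = "in" if inbound else "out"
        flag = " SYN" if p.syn else ""
        self.log.append(f"{verdict} {direction} {p.src}:{p.sport} -> {p.dst}:{p.dport}{flag}")
        return verdict


# Constructed packet sequence mirroring the thread's story.
SCENARIO = [
    Packet("198.51.100.7", 40001, WEB_SERVER, WEB_PORT, True),   # visitor opens a connection
    Packet(WEB_SERVER, WEB_PORT, "198.51.100.7", 40001, False),  # server's reply to that visitor
    Packet(WEB_SERVER, 51234, "203.0.113.9", 80, True),          # server itself tries to fetch something from elsewhere
    Packet("203.0.113.9", 52000, WEB_SERVER, 31337, True),       # outside host tries a port other than 80
]


def run(allow_any_outbound: bool):
    """Return the verdicts for SCENARIO under the chosen outbound policy, plus the log."""
    fw = Firewall(allow_any_outbound)
    verdicts = [fw.decide(p) for p in SCENARIO]
    return verdicts, fw.log


def blocked_entries(log):
    """The lines a defender reviewing the log actually cares about."""
    return [line for line in log if line.startswith("block")]


if __name__ == "__main__":
    for name, loose in (("outbound open", True), ("outbound restricted", False)):
        verdicts, log = run(loose)
        print(f"== {name}: {verdicts}")
        for line in blocked_entries(log):
            print("  ", line)
```

With outbound left open, the third packet (the server opening its own connection out on port 80) passes, which is exactly the gap the quoted message describes; with outbound restricted to reply traffic it is blocked, while the visitor's legitimate request and the server's reply pass under both policies. The fourth packet is blocked either way because inbound is already limited to port 80. In a real packet filter the `established` set is the kernel's state table (IPFILTER's `keep state` rules, for example), and the blocked lines are what you would be watching for in its logs.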