> > A good idea in principle, but it won't stop buffer overflows targeted at
> > port 80 - after all, the firewall would have to let such traffic through or
> > the web server would be unavailable. Sophisticated firewalls exist for lots
> > of cash that can block some attacks, but most off-the-shelf unixes with
> > IPFILTER compiled into the kernel aren't going to handle that.
>
> OTOH; say someone exploits a script bug on your server that fetches a
> backdoor from elsewhere on the internet. That backdoor binds to a
> predetermined port and gives them a shell. This is 'the usual' way of
> getting into PHP-Nuke sites, as I found out firsthand a while back :(
>
> If your firewall doesn't allow outbound http requests they can't fetch the
> backdoor program. If you don't allow inbound connections on any port
> other than 80, they can't get to a shell even if they did install
> and run their backdoor program. The same script flaw is still there, but
> behind a strict firewall it's almost impossible to do anything with
> it.

All good points; however, I certainly wasn't advocating leaving a web server
unprotected entirely. :) Web servers should be port-80 (and 443 if
necessary) enabled inbound, and have no ability to go outbound that isn't
strictly necessary.

Corey
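The policy Corey describes (inbound TCP/80 and TCP/443 only, nothing outbound that is not strictly necessary) can be written down and checked against the scenario in the quoted mail. The following is an added example, not code from the thread or from IPFILTER itself: it models the policy with ipf's default last-match-wins semantics, evaluates a few sample connections against it, and renders the same rules in ipf syntax. The interface name `fxp0`, the resolver address `192.0.2.53` (the one "strictly necessary" outbound service assumed here), and the sample hosts and ports are constructed values for the example.

```python
"""Egress/ingress policy model for a web server, as described in the thread.

Added illustration, not part of the original mail.  Assumed values:
interface 'fxp0' and a single permitted DNS resolver 192.0.2.53.
"""
from dataclasses import dataclass
from typing import List, Optional

IFACE = "fxp0"            # assumed external interface
RESOLVER = "192.0.2.53"   # assumed resolver (TEST-NET-1 address)


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    proto: Optional[str] = None    # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None    # destination port, None for any
    dst: Optional[str] = None      # destination host, None for any
    keep_state: bool = False       # let replies back without an explicit rule


# The thread's policy: default-deny both ways, then the few exceptions.
# Order matters: ipf without 'quick' applies the LAST matching rule.
POLICY: List[Rule] = [
    Rule("block", "in"),
    Rule("block", "out"),
    Rule("pass", "in", "tcp", 80, keep_state=True),
    Rule("pass", "in", "tcp", 443, keep_state=True),
    Rule("pass", "out", "udp", 53, RESOLVER, keep_state=True),
]


def matches(rule: Rule, direction: str, proto: str, dport: int, dst: str) -> bool:
    """True if a new connection attempt falls under this rule."""
    return (rule.direction == direction
            and (rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == dport)
            and (rule.dst is None or rule.dst == dst))


def decide(policy: List[Rule], direction: str, proto: str, dport: int,
           dst: str = "any", established: bool = False) -> str:
    """Verdict for one packet.

    Packets belonging to a connection already passed by a 'keep state'
    rule are allowed regardless of direction; everything else walks the
    rule list and the last match wins (ipf semantics without 'quick').
    """
    if established:
        return "pass"
    verdict = "block"                      # no match at all: drop
    for rule in policy:
        if matches(rule, direction, proto, dport, dst):
            verdict = rule.action
    return verdict


def to_ipf(policy: List[Rule]) -> str:
    """Render the policy as an IPFILTER ruleset (ipf.conf style)."""
    lines = []
    for r in policy:
        parts = [r.action, r.direction, "on", IFACE]
        if r.proto is None:
            parts.append("all")
        else:
            parts += ["proto", r.proto, "from any to", r.dst or "any"]
            if r.dport is not None:
                parts += ["port =", str(r.dport)]
            if r.proto == "tcp":
                parts.append("flags S")    # only match the SYN of a new connection
            if r.keep_state:
                parts.append("keep state")
        lines.append(" ".join(parts))
    return "\n".join(lines)


def scenarios() -> dict:
    """The situations from the thread, evaluated against POLICY."""
    return {
        "client -> web server :80": decide(POLICY, "in", "tcp", 80),
        "client -> web server :443": decide(POLICY, "in", "tcp", 443),
        "attacker -> backdoor listener (arbitrary port 31337)":
            decide(POLICY, "in", "tcp", 31337),
        "server fetching a backdoor over http":
            decide(POLICY, "out", "tcp", 80, "203.0.113.7"),
        "server DNS lookup to permitted resolver":
            decide(POLICY, "out", "udp", 53, RESOLVER),
        "server DNS to some other host":
            decide(POLICY, "out", "udp", 53, "203.0.113.7"),
        "http reply to a client (established)":
            decide(POLICY, "out", "tcp", 40000, established=True),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{verdict:5}  {label}")
    print()
    print(to_ipf(POLICY))
```

The two "block" verdicts are the ones the quoted mail cares about: with no outbound HTTP the compromised script cannot fetch its payload, and with no inbound ports beyond 80/443 a listener it somehow started anyway is unreachable. The script flaw itself is untouched by any of this, which is why the ruleset is a containment measure, not a fix.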
