Dirk Schreiner wrote:
Crispin Cowan wrote:
on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Oh, you can chroot apache fairly well.
True, if you use any of a variety of confinement mechanisms (chroot, virtual machines (Xen, VMware, UML), AppArmor, SELinux) then you can achieve sufficient confinement of the web server that your firewall could be safe enough. The issue is how easy or difficult it is to achieve that, and to achieve it correctly, because if the confinement has holes, then your security is at risk again. Chroot, in particular, has issues with being escapable if it is not configured correctly, so be careful.

Crispin

--
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
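An added example, not part of the message above or of any project's code: a small audit of a chrooted daemon from its Linux `/proc/<pid>/status` text. It assumes that "not configured correctly" covers the well-known cases of a jailed process that still holds uid 0 (including as a saved uid) or capabilities such as CAP_SYS_CHROOT; the function names and sample status text are constructed for illustration.

```python
import os

# Capabilities that undermine a chroot jail when still effective (Linux bit numbers).
RISKY_CAPS = {"CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19,
              "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27}

def parse_status(text):
    """Parse /proc/<pid>/status text into {field: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields

def audit_chroot(status_text, root_link):
    """Return findings for a supposedly chrooted process; an empty list means
    none of these checks fired (it does not prove the jail is sound)."""
    fields = parse_status(status_text)
    findings = []
    if root_link == "/":
        findings.append("process root is /, so it is not chrooted at all")
    # Uid/Gid lines list real, effective, saved and filesystem ids.
    # A saved uid of 0 lets the process switch back to root later.
    if 0 in [int(u) for u in fields.get("Uid", [])]:
        findings.append("uid 0 retained (real, effective, saved or fs)")
    if 0 in [int(g) for g in fields.get("Gid", [])]:
        findings.append("gid 0 retained (real, effective, saved or fs)")
    cap_eff = int(fields.get("CapEff", ["0"])[0], 16)
    for name, bit in sorted(RISKY_CAPS.items(), key=lambda kv: kv[1]):
        if (cap_eff >> bit) & 1:
            findings.append(name + " is effective")
    return findings

def audit_pid(pid):
    """Audit a live process; reading /proc/<pid>/root normally needs root."""
    with open("/proc/%d/status" % pid) as fh:
        status = fh.read()
    return audit_chroot(status, os.readlink("/proc/%d/root" % pid))

# Constructed samples (not captured from a real system).
GOOD = "Name:\thttpd\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"
SAVED_ROOT = "Name:\thttpd\nUid:\t33\t33\t0\t33\nGid:\t33\t33\t33\t33\nCapEff:\t0000000000000000\n"
STILL_ROOT = "Name:\thttpd\nUid:\t0\t0\t0\t0\nGid:\t33\t33\t33\t33\nCapEff:\t0000000000040000\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("saved-root", SAVED_ROOT), ("still-root", STILL_ROOT)):
        print(label, audit_chroot(sample, "/var/chroot/httpd"))
```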