Hi,

Firstly, ensure that you have loaded all the necessary security patches for the daemons/proggies that you are running. This will close any possible exploits that are out there.

Secondly, a firewall is normally only used when a company's internal network needs to be protected from an external untrusted network (like the www). SuSE have implemented something called a Personal Firewall which is very good for those that are highly paranoid / or really want that extra level of security / or want to impress their friends. However, if you have loaded the patches, and disabled all the services you don't really want to use, then in my honest opinion, I don't think you need to use the firewall.

In the end the decision is yours. I run Personal Firewall on my laptop, specifically because I plug my laptop into many customers' networks for extended periods of time and I don't want anyone to mess around with it.

I hope this helps

Q

On Thu 27 Sep 01 03:50, Ray Dillinger wrote:
I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
I've gone through the system and shut down all network services I'm not using -- for example squid came down, because I am not using proxy service at all, and ftpd came down because I don't want to provide ftp services. Rlogin, fingerd, telnetd, hylafax, etc, are also gone. No trusted hosts are defined for rlogin and friends to use anyway; the other boxes on my network are not considered "safe".
I'm using an Apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them. CGI is still there, but it's not activated on any host except the "default" host (which is only accessible from 127.0.0.1) and there are only two CGI scripts; these are the English-language "search" scripts that hunt through the documentation for keywords and topics, used by the SuSE help system, which I've kept onboard -- both of which I've audited for security. There were similar scripts to search in other languages, but since I'm not using other languages, they are gone now.
Finally, the 'su' binary is moved to sbin, and not available to any user except root.
I keep copies of my websites offline, on floppy disks. Ditto my inetd.conf, httpd.conf, and a few other configuration files, and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.
Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?
Bear
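
An added example, not part of the original thread and not code from either poster: a small audit that parses an inetd.conf and reports every entry that is still enabled but not on an allowlist, which is one way to confirm that services such as ftp, telnet, finger and rlogin (the `login` entry) really are switched off. The function names, the allowlist and the sample file contents are assumptions constructed for illustration.

```python
# Added example: list inetd.conf entries that are still enabled.
# SAMPLE_INETD_CONF is constructed sample input, not taken from the thread.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time     dgram   udp  wait    root    internal
"""


def active_inetd_services(conf_text):
    """Return (service, protocol, server) for every uncommented entry."""
    active = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Blank lines and lines starting with '#' are disabled or comments.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            # Malformed entry: report it anyway so a human reviews it.
            active.append((fields[0], "?", "?"))
            continue
        # Field order: service, socket type, protocol, wait flag, user, server.
        active.append((fields[0], fields[2], fields[5]))
    return active


def unexpected_services(conf_text, allowed):
    """Return enabled entries whose service name is not in `allowed`."""
    return [e for e in active_inetd_services(conf_text) if e[0] not in allowed]


if __name__ == "__main__":
    # Hypothetical policy: only the internal 'time' service may stay enabled.
    for service, proto, server in unexpected_services(SAMPLE_INETD_CONF, {"time"}):
        print(f"still enabled: {service}/{proto} -> {server}")
```

To check a real system, pass the contents of the local inetd.conf instead of the sample string, and compare the result with what is actually listening, since daemons started outside inetd do not appear in this file.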