
#1 2013-08-09 10:57:51

ReedWood
Member
From: Germany
Registered: 2010-07-12
Posts: 23

Services on a firewall machine

I want to set up a small box running a firewall for home use. I have read about the Simple Stateful Firewall and Shorewall in the Arch forum and on the net. What I couldn't figure out is whether it is a no-go to run other services like a mail or HTTP server on the same box the firewall is running on. I understand that every running service introduces potential new security issues. The question is whether the common opinion is that I should dedicate another machine running 24/7 to such services or not.

If you are running a dedicated firewall machine, which hardware are you using?

Thank you in advance.
Best,
Wolfgang


#2 2013-08-09 11:07:25

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Services on a firewall machine

There is no totally secure setup - there is more secure, and there is less secure, and as the system admin, it is up to you to decide where you want to be on that scale. IOW, not so much "no-go" as "do-I-want-to-go?" and "if-so-how-far?"

That said - yes, best practice is to not run any other services on your firewall.


#3 2013-08-09 14:11:18

Foucault
Member
From: Athens, Greece
Registered: 2010-04-06
Posts: 214

Re: Services on a firewall machine

I would never run Internet-facing services on a firewall machine, as it is a potential security risk, especially through the common ports (mail, http, https, ssh). On the internal side, if your network is small (and you trust all the devices on it), then I don't believe there is any problem, at least for a small number of services.

As for the hardware, dual-LAN ITX boards with an embedded CPU (Atom, low-power Celeron, whatever) are nice and affordable. If you target an even lower power footprint, something like this should do the job equally well (no gigabit though). If you already have any spare computer around, add some decent NICs and you are good to go.


#4 2013-08-09 14:35:57

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Services on a firewall machine

Strewth, this is for a home server, not Fort Knox. I would recommend:

Lock down all Internet-using apps using AppArmor (I'm quite an AppArmor fanboi/evangelist, these days).
Ensure that services are run as their own user & group, rather than as root.
Write your firewall manually, rather than using a "helpful" GUI.


#5 2013-08-09 16:50:21

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Services on a firewall machine

ReedWood wrote:

I want to set up a small box running a firewall for home use. I have read about the Simple Stateful Firewall and Shorewall in the Arch forum and on the net.

I agree with brebs -- don't use tools like ufw, shorewall, etc. Configuring a firewall is not meant to be easy :)

ReedWood wrote:

What I couldn't figure out is whether it is a no-go to run other services like a mail or HTTP server on the same box the firewall is running on. I understand that every running service introduces potential new security issues. The question is whether the common opinion is that I should dedicate another machine running 24/7 to such services or not.

Who said that? For example, most home and business routers serve as a firewall while running Dnsmasq/dhcpd among other things. Also, running ssh is fine (provided you have strong passwords or use keys). Moreover, by themselves web servers are not insecure. The insecurity starts when the web server invokes various poorly written scripts. FWIW, I know people who have run web, media and torrent servers on their firewalls for years without an incident, although they use Windows Server. If you want to use web-based administration, make sure you configure HTTPS...

ReedWood wrote:

If you are running a dedicated firewall machine, which hardware are you using?

Thank you in advance.
Best,
Wolfgang

I personally used Phenom X6 and Opteron-based machines because those CPUs don't eat many watts at idle. For a firewall-only device I would go for MIPS (like most home routers) or ARM, but I also need to run a bunch of LXC containers...

Note that unless you are setting up a firewall for a 10Gbps network with several thousand clients, a firewall machine will always idle. Therefore, running a firewall on a Pentium/desktop Core2Duo-class CPU is just stupid, because those things consume LOTS of power.

Last edited by Leonid.I (2013-08-09 16:52:04)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#6 2013-08-09 17:59:01

ReedWood
Member
From: Germany
Registered: 2010-07-12
Posts: 23

Re: Services on a firewall machine

Thank you for your opinions and your links to hardware.

About not making it easy to set up a firewall: I am sure one has to take the time to dive into the topic to understand what is going on. On the other hand, if a configuration procedure is error-prone, even for people who know what is going on, using tools seems OK to me. That said, I have never configured a firewall before, but from reading the Arch wiki it seems to me that iptables will do the job for me. :-)

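As an added illustration of what brebs (#4) means by "write your firewall manually" and of the iptables setup ReedWood (#6) settles on, here is a hand-written stateful rule set for a two-NIC home box that also hosts a few services itself. It is example code written for this page, not anything posted in the thread. The interface names (eth0 on the WAN side, eth1 on the LAN side), the LAN prefix 192.168.1.0/24 and the port lists are assumptions; adjust them to your box. Following Foucault's advice in #3, only the web server is reachable from the Internet, while ssh, mail, DNS and DHCP are admitted from the LAN only. Setting IPT=echo prints the rules instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Hand-written stateful firewall for a two-NIC home box (added example, not from the thread).
# Assumed (hypothetical) layout: WAN=eth0, LAN=eth1, LAN network 192.168.1.0/24.
# Dry run: IPT=echo ./firewall.sh apply   -> prints the rules instead of applying them.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# Services hosted on the firewall itself. Only the web server faces the Internet;
# management (ssh), mail, DNS and DHCP are reachable from the trusted LAN only.
WAN_TCP_PORTS="80 443"
LAN_TCP_PORTS="22 25 80 443"
LAN_UDP_PORTS="53 67"

build_firewall_rules() {
    # Start from a clean table with default-deny policies for INPUT and FORWARD.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or the LAN already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source address must not arrive on the WAN side.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # New TCP connections must start with a SYN; anything else is a scan or garbage.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Answer pings from the LAN only, rate-limited.
    $IPT -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Services exposed to the Internet (web only).
    for p in $WAN_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Services exposed to the LAN only; note there is deliberately no ssh rule for $WAN.
    for p in $LAN_TCP_PORTS; do
        $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $LAN_UDP_PORTS; do
        $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done

    # Let the LAN out to the Internet behind NAT (needs net.ipv4.ip_forward=1).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Log (rate-limited) and drop everything that reached the end of INPUT.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -j DROP
}

# Review check: succeeds (exit 0) only if the dry-run rule set contains no rule
# that ACCEPTs tcp/22 arriving on the WAN interface.
check_no_wan_ssh() {
    ! ( IPT=echo; build_firewall_rules ) | grep -- "-i $WAN " | grep -- "--dport 22 " | grep -q ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    build_firewall_rules
fi
```

Run it as `IPT=echo sh firewall.sh apply` first and read every printed line; only then run it as root without IPT set. This covers IPv4 only; if the box has IPv6 connectivity, a matching ip6tables rule set is needed, otherwise those services are reachable over IPv6 regardless of what is written here.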
