The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Linux/apache/firewall security

We have an intranet that I have to maintain for a while. How can I block access from the outside world? Our intranet website is supposed to be browsed internally but I've seen some entries in access_log that are not on our network. This server is our firewall/gateway to the internet for internet access only and should not have outside access. Thanks.
Thursday, May 05, 2005
Purchase a hardware firewall from Best Buy or somewhere to stick between the internet and your network.

Minimal setup and very low maintenance.

Sounds like a small mom & pop intranet - maybe get something consumer level for around $100.
lumberjack
Thursday, May 05, 2005
It sounds like you have 2 NICs in the server (one for your internal network and one for the external/internet)? Make sure Apache is listening only on a specific IP address on your internal network. By default it listens on Port 80 on all IPs/interfaces in your server, which would be allowing public access.

Change/add the Listen directive in httpd.conf to:


(where is on your internal network), then restart Apache.
Thursday, May 05, 2005
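A concrete version of the binding change described in the post above, as an added example that is not part of the original thread. It assumes the gateway's LAN-side NIC has the address 192.168.1.1 and the workstations are on 192.168.1.0/24 (both hypothetical); the second part adds a source-address restriction as a belt-and-braces check in case the Listen line is ever widened again.

```apache
# Added example, not from the thread. Assumptions: internal NIC address
# 192.168.1.1, internal subnet 192.168.1.0/24, Apache 2.0-era syntax.

# Bind only to the LAN-side address. The default "Listen 80" binds
# 0.0.0.0:80, i.e. the DSL-side interface as well.
Listen 192.168.1.1:80

# Defence in depth: even if Listen is later widened, only LAN source
# addresses may fetch intranet content.
<Directory "/var/www/html">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
```

After restarting Apache, `netstat -tln` (or `ss -tln`) should list `192.168.1.1:80` and no longer `0.0.0.0:80`; a connection attempt to the external address on port 80 should then be refused rather than answered. On Apache 2.4 the `Order`/`Deny`/`Allow` trio is replaced by a single `Require ip 192.168.1.0/24`.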
I second Lumberjack's advice. I have a Linksys broadband firewall router with 4 ports at home. My only complaint is the dynamic DNS support doesn't work. But it allows you to easily configure which ports (if any) you want accessible to the outside, and which internal machine to route the requests to. (I have an FTP server accessible to the outside world which I use to share files with people I work with in other parts of the country).

My Fedora Linux installation came with a lot of crap enabled by default. On machines that aren't running any servers, it's best to not start xinetd or any other daemons at boot-time. And you REALLY don't want to start sendmail! (You don't need this to send e-mail--you would need this if your box were a mail server, and a lot of viruses exploit sendmail to forward copies of themselves all over the place).
John Foxx
Friday, May 06, 2005
I would recommend picking up a second hand PC (anything faster than a low-end Pentium 3 would be more than enough) and install SmoothWall on it. It's a dream, providing you with the following:

* Intrusion analysis, logging. SSL/SSH-friendly remote administration.

* (Orange zone) DMZ, the (Green zone) Intranet is protected from the DMZ servers. This is where you put your public-facing DNS/Web/FTP/Email/Etc servers.

* Protection for the Intranet (Green zone), these are your workstations.

* Everything a hardware router/firewall from D-Link/Linksys can do. Plus it's Linux-based so you can do fun things like cron jobs.

* A community working to provide up to the minute patching. The last time my D-Link had an update was many many internet years ago.
Li-fan Chen
Friday, May 06, 2005
What none of the hardware firewalls nor Smoothwall will do is application firewall protection. You'll need to install Zone Alarm or Norton Firewall to do that. They are a pain but they give you the final decision on what traffic should go out from your individual PCs (stopping trojans).
Li-fan Chen
Friday, May 06, 2005
If you are comfortable with iptables yourself and are willing to try and put up with complex features of the firewall (Firewall Builder from Sourceforge will help the administration a little)... you could also protect sections of your intranet from each other. That way Accounting is separated from I.T. is separated from Marketing is separated from Software Development/R&D and so on.
Li-fan Chen
Friday, May 06, 2005
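For the original poster's two-NIC gateway, and as a starting point for the per-department segmentation mentioned in the post above, here is an iptables ruleset generator. It is an added example, not code from the thread or from Firewall Builder. Interface names, the LAN subnet and the choice of which services to expose are assumptions, settable through environment variables; the script emits an iptables-restore file and only loads it when invoked with `apply`, so it can be inspected and sanity-checked first.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes a two-NIC gateway:
#   EXT_IF = DSL side, INT_IF = LAN side, LAN = internal subnet,
#   intranet Apache bound to the LAN-side address, port 80.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Emit an iptables-restore ruleset. Everything arriving at the box is
# dropped unless explicitly allowed; web and SSH are reachable only via
# the LAN interface AND from a LAN source address (the interface check
# stops packets with a spoofed LAN source arriving on the DSL side).
# Probes from outside to port 80 are logged, so the next unexplained
# access_log entry can be matched against a dropped packet instead.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -p tcp --dport 80 -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 80 -j LOG --log-prefix "intranet-probe: "
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
COMMIT
EOF
}

# Sanity checks before loading: INPUT must default to DROP, and no
# ACCEPT rule may admit port 80 on the external interface. Returns 0
# when both hold, 1 otherwise.
check_rules() {
    rules="$(gen_rules)"
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    if echo "$rules" | grep -- "-A INPUT -i $EXT_IF " | grep -q -- '--dport 80 -j ACCEPT'; then
        return 1
    fi
    return 0
}

# Load atomically with iptables-restore (needs root). The explicit
# "apply" argument means reading or sourcing the script changes nothing.
if [ "${1:-}" = "apply" ]; then
    check_rules || { echo "ruleset failed sanity check" >&2; exit 1; }
    gen_rules | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run `sh gateway.sh` with no argument to review the generated rules, then `sudo sh gateway.sh apply` to load them. To separate departments as the post suggests, give each its own interface or VLAN and add FORWARD rules between them following the same pattern (default DROP, then explicit ACCEPTs with both interface and source-subnet matches).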
Aim a little higher.

The basic LinkSys/Netgear/DLink box is great for the home market, but for maximum reliability you want to aim at the small business firewall market.

Things like the Juniper NetScreen 5GT.

A little more expensive, but you'll find them much more reliable, with real support.
David Jones
Saturday, May 07, 2005
I second David Jones. Just try to pick a model with a large user base. Firewalls are utilized in all sorts of situations and threat models and it's hard to figure things out without any articles on google.
Li-fan Chen
Sunday, May 08, 2005
Thanks for all. I'll first try smoothwall. Is this for windows or linux? What will be the physical layout? e.g. my current config is <my existing firewall> + <internet dsl connection>. Does smoothwall act like a bridge between the firewall and the internet? e.g. <existing firewall> + <smoothwall> + <internet dsl>. Does <smoothwall> also require 2 NICs just like my firewall? Thanks.
Sunday, May 08, 2005
user: it is flexible, it is an image that installs itself upon reboot. It hogs the entire primary hard drive and is linux based (so put it on an empty box). It can do all of those or just some of those. Please follow the smoothwall site for all the tutorials. What I like about the project is that they have commercial level documentation. Very responsible team.
Li-fan Chen
Monday, May 09, 2005
"Things like the Juniper NetScreen 5GT.

A little more expensive, but you'll find them much more reliable, with real support."

So how much are these beasts? Haven't found any prices for it on their site, just the lame "email or call us so we can determine the proper price to overcharge you."
Clint
Thursday, May 12, 2005

This topic is archived. No further replies will be accepted.