binary only lfs system

Steve Crosby sneeble at
Sat Nov 23 16:40:00 PST 2002

Ian Molton <spyro at> wrote in
news:20021123102823.5063e3f2.spyro at 

> On Sat, 23 Nov 2002 10:15:00 +0000 (UTC)
> Steve Crosby <sneeble at> wrote:
>> >> hmmm, web server and firewall on the same machine?
>> > 
>> > 
>> > What's wrong with that? A separate machine for each task is not any
>> > more secure...
>> > 
>> It depends on your definition of "more secure"...
> I just knew someone would say that...
> I like your examples though. I may steal them :)

feel free.  No doubt I've probably stolen them from someone else at
some point...*grin* 

> TBH though, any compromised machine on the wrong side of the firewall
> is a hazard... (like, thats not obvious ;))

not nearly as obvious as one could least firewalls in general
are becoming more prevalent... 

and (also obvious *grin*) the purpose of the DMZ is to keep the
compromised machine(s) behind a working firewall between the home
machines and the DMZ... 


Firewall ---- Web/FTP/SSH Server (separate network - DMZ)
Home Machine(s)

Compromising the servers still means breaching a firewall to access the
home machines.  And, if configured properly (which is always the catch),
the servers can be isolated from the internet too, so they can't be used
as DoS hosts... 


  Web/FTP/SSH can only contact the Internet/Home machine(s) if they are
  *first* contacted from the outside.  This means anyone connecting to
  the compromised server cannot simply access the Internet from that
  server, since the TCP connection must be initiated from the
  Internet/Home machine side.... 

Hope that helps someone out brain hurts now, so I'll be quiet
and go back to building/configuring/testing my CD-R based firewall using
LFS4.0 + hacks on my *sloooow* Pentium 150 (FYI: glibc-2.3.1 and gcc
3.2.1 built and working fine with the pwd-stub hack) - someone else on
the list expressed an interest in a minimal LFS-based firewall running
from CD, so I plan to write up the steps I used when it's done. 

- --
Steve Crosby
sneeble at
Unsubscribe: send email to listar at
and put 'unsubscribe lfs-support' in the subject header of the message
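The rule Steve describes for the DMZ hosts (they may answer connections opened from the Internet or home side, but may never open one themselves) is what a stateful packet filter enforces with connection tracking. The following is an added example written for this archive page, not code from the original post or from the LFS project: a small Python simulation of a zone-based stateful filter for the Firewall / DMZ / Home layout above. The zone names, the RFC 5737 documentation addresses, and the permitted ports (80, 21, 22 for web/FTP/SSH) are constructed for illustration.

```python
"""Stateful zone filter for a three-zone layout: Internet, DMZ, Home.

Constructed example. Policy: only the Internet and Home zones may *open*
TCP connections to the DMZ; the DMZ may only send packets that belong to
a connection already tracked by the firewall.
"""
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    INTERNET = "internet"
    DMZ = "dmz"
    HOME = "home"


# Which zone pair may initiate a TCP connection, and to which destination
# ports (None = any port). The DMZ is deliberately absent as an initiator.
NEW_CONNECTION_POLICY = {
    (Zone.INTERNET, Zone.DMZ): {80, 21, 22},   # public web/ftp/ssh
    (Zone.HOME, Zone.DMZ): {80, 21, 22},       # admin from the LAN
    (Zone.HOME, Zone.INTERNET): None,          # home machines browse freely
}


@dataclass(frozen=True)
class Packet:
    src_zone: Zone
    src_ip: str
    src_port: int
    dst_zone: Zone
    dst_ip: str
    dst_port: int
    syn_only: bool  # True only for the first SYN of a new TCP connection


class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # tracked flows as (src_ip, sport, dst_ip, dport)
        self.drops = []         # (packet, reason) for auditing

    @staticmethod
    def _flow(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p):
        # 1. ESTABLISHED: traffic in either direction of a tracked flow passes.
        #    This is the only way a DMZ host ever gets a packet out.
        if self._flow(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ACCEPT"
        # 2. Anything untracked must be a fresh SYN; stray ACKs/data are dropped.
        if not p.syn_only:
            self.drops.append((p, "untracked non-SYN packet"))
            return "DROP"
        # 3. The zone pair must be allowed to open connections at all...
        key = (p.src_zone, p.dst_zone)
        if key not in NEW_CONNECTION_POLICY:
            self.drops.append((p, "zone pair may not initiate connections"))
            return "DROP"
        # 4. ...and to the requested port.
        ports = NEW_CONNECTION_POLICY[key]
        if ports is not None and p.dst_port not in ports:
            self.drops.append((p, "destination port not permitted"))
            return "DROP"
        self.conntrack.add(self._flow(p))  # NEW connection accepted and tracked
        return "ACCEPT"


def demo():
    """Run constructed packets through the filter; returns {scenario: verdict}."""
    fw = StatefulFirewall()
    inet, dmz, home = Zone.INTERNET, Zone.DMZ, Zone.HOME
    web, client, victim, pc = "192.0.2.10", "203.0.113.5", "198.51.100.7", "10.0.0.2"
    scenarios = {
        # Visitor opens a web session to the DMZ server: allowed and tracked.
        "inet_to_dmz_http": Packet(inet, client, 40000, dmz, web, 80, True),
        # Server's reply belongs to that tracked session: allowed.
        "dmz_reply_to_inet": Packet(dmz, web, 80, inet, client, 40000, False),
        # A compromised server trying to open its own outbound connection
        # (e.g. to take part in a DoS): not part of any tracked flow, dropped.
        "dmz_new_to_inet": Packet(dmz, web, 51000, inet, victim, 80, True),
        # Same server trying to reach a home machine: dropped.
        "dmz_new_to_home": Packet(dmz, web, 51001, home, pc, 445, True),
        # Home admin ssh to the DMZ box: allowed.
        "home_to_dmz_ssh": Packet(home, pc, 33000, dmz, web, 22, True),
        # Home machine browsing the Internet: allowed.
        "home_to_inet_https": Packet(home, pc, 33001, inet, victim, 443, True),
        # Internet probe of a port the DMZ does not publish: dropped.
        "inet_to_dmz_smtp": Packet(inet, client, 40001, dmz, web, 25, True),
        # Stray ACK with no tracked connection: dropped.
        "inet_stray_ack": Packet(inet, "203.0.113.9", 1234, dmz, web, 80, False),
    }
    return {name: fw.filter(pkt) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The packets are evaluated in the order listed, which matters: the reply in `dmz_reply_to_inet` passes only because `inet_to_dmz_http` was accepted first and left a conntrack entry. On a real netfilter box of that era the same split is the difference between a NEW rule for Internet to DMZ and an ESTABLISHED,RELATED rule for the return direction; the simulation leaves out UDP, ICMP and timeouts, and the "configured properly" caveat from the post still applies to the real ruleset.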
