 From:  Marko Vukovic <marko at aquamanta dot co dot za>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] stateful / dynamic packet filtering on m0n0wall?
 Date:  Fri, 09 Dec 2005 00:44:58 +0200
Lewis Edwards wrote:
> First, let me thank you for an excellent product and all the work you put
> into maintaining it.
> 
> I have a web server in a DMZ with only port 80 open to the world.  Right
> now, someone can telnet to port 80 and poke around with my Apache
> installation. Given the right person and the wrong installation, this can
> cause a lot of problems.  If m0n0wall had stateful (or dynamic) packet
> filtering then port 80 would only accept HTTP connections and the sysadmin
> could sleep (a little) easier.

Hi Lewis

M0n0 does have SPF. What you are looking for is some kind of 
application/protocol-specific proxy. I would run the Apache webserver on 
some high port, only listening on 127.0.0.1, and then implement a Squid 
caching server running in transparent mode... aargh, but this won't be 
possible on Win2K.

I don't think this is something you need to worry about since Apache 
will reject anything that is not a valid HTTP request anyway. Perhaps 
you should be more concerned with requests that *are* valid HTTP but 
that could cause buffer overruns and such.

Cheers
--
Marko
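
The layout Marko describes (Apache bound to loopback on a high port, Squid in front answering on port 80 and forwarding only well-formed HTTP) written out as a Squid reverse-proxy ("accelerator") configuration. This is an added illustration, not configuration from the thread or from the m0n0wall project. It assumes the `http_port ... accel` / `cache_peer ... originserver` directive syntax of Squid 2.6 and later rather than the older `httpd_accel_*` directives that were current in 2005, a site name of www.example.com, and Apache started with `Listen 127.0.0.1:8080` in its httpd.conf; all three are assumptions for the example.

```conf
# squid.conf: Squid answers on the public port as a reverse proxy for one site.
# Anything that is not a syntactically valid HTTP request gets a 400 from Squid
# and never reaches Apache; the packet filter alone cannot make that distinction.
http_port 80 accel defaultsite=www.example.com

# Origin server: Apache, listening only on 127.0.0.1:8080 (assumed port).
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=apache

# Forward only requests for our own site; refuse everything else so the box
# cannot be used as an open proxy.
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access apache allow our_site
http_access deny all
```

The caveat from the reply still applies after this change: Squid checks that a request is HTTP, not that it is harmless, so a well-formed request that triggers a bug in Apache or in a CGI behind it passes straight through. The proxy buys protocol enforcement and a second process between the network and the web server, not protection against valid-but-malicious requests.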