Firewall really necessary?

[Cliff Wells]

On Sat, 2008-04-12 at 22:29 -0400, Amer Shah wrote:
> Hello friends.
> 
> This isn't strictly an nginx question but I thought it might be useful
> to others on this list as well so I'll ask.
> 
> So I have a freebsd 7.0 server running. Inetd is disabled and I'm only
> running 2 services. Nginx listening on port 80 
> and sshd listening on some random hight port. Ftp is enabled but
> that's listening for connections on the Local Network only.
> A sockstat -4 confirms these are the only 3 services listening on any
> ports and a server reboot confirms that rc.d has been
> set up correctly to only listen for these 3 services on a reboot.
> 
> My question is, for such a setup is a firewall really necessary? I
> don't think it is since this is such a simple server with only
> these 2 services running. I don't expect any complicated DDOS attacks
> that an intricate firewall would be able to thwart.

Technically, no.  However you have two potential issues: 

1) With all those open ports (whether or not anything is listening on
them), your system is easily fingerprinted by scanning tools.

2) If you ever make a mistake, or do an update, you might accidentally
end up with a service you weren't expecting listening on an external
port.

3) If ssh or Nginx (or an application that Nginx is exposing) got
hacked, the hacker now has a plethora of ports to attach services to for
his own use.

Incidentally, you can run the firewall on the same box.  This isn't as
secure as a separate firewall but is better than nothing.

Regards,
Cliff

> Thanks!