Parsons Technical Services wrote:
So, if I read correctly you have no problems running your apps as root?
??? Sorry if I gave that impression; I run Tomcat
standalone as a non-privileged user, doing port
forwarding with iptables.
I thus depend only on iptables, a Sun JRE and Tomcat,
the simplest, smallest & most reliable set I can
think of. Apache httpd and jsvc may be fine, but
I don't ever have to worry about newly discovered
vulnerabilities, patches, version compatibility etc.
with them. Spurning them is not a judgement of their
quality, just keeping my config as simple as possible.
That's (part of) my "security posture"...
Paul Singleton
PS if you know how to configure iptables to also
forward internal requests to localhost:8080 please
pass it on!
If this is true, then I say you have a very weak security posture.
Might I suggest you do some additional research on the subject. And that
those who run things in a chroot jail must be real paranoid freaks.
And now this post is way off topic.
Doug
----- Original Message ----- From: "Paul Singleton" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, October 19, 2006 7:21 PM
Subject: Re: IPTABLES
Christopher Schultz wrote:
Apache httpd is configured out of the box to start up as root, bind to
port 80 (or really any port), and then drop its privileges to the httpd
user. Without some really nasty code, Tomcat is unable to do the same
thing, so we're forced to do silly things like internal port forwarding,
etc.
The "root-only-access-to-low-ports" policy of
Linux is a legacy from the days when Unix systems
were typically multi-user: it is a heavy-handed way
of stopping the oiks from running unauthorised
servers.
In a secure server it is unnecessary, indeed
counterproductive when it tempts us to run services
as root, or to use tricksy workarounds.
Linux should make this switch-offable (without
having to recompile the kernel).
The only problem I've found with standalone Tomcat
plus iptables port forwarding (apart from the need
to understand iptables :-)) is that web apps can't
make requests to themselves at port 80, but have to
use 8080 or whatever.
Paul Singleton
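The two iptables questions raised in this thread (Paul's PS asking how to forward internal requests to localhost:8080, and his remark above that web apps cannot reach themselves on port 80) have the same answer: a REDIRECT in the nat PREROUTING chain only sees packets arriving from the network, so locally generated traffic needs a second REDIRECT in the nat OUTPUT chain. The script below is an added example written for this page, not something posted by anyone in the thread. It assumes Tomcat listens on 8080 as a non-privileged user, that the public interface is eth0, and that a DRY_RUN variable (my own convention, not an iptables flag) is used to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: forward port 80 to a standalone Tomcat on an unprivileged
# port, for both external and locally generated traffic.
# Assumptions (not from the thread): Tomcat on 8080, public interface eth0,
# a kernel with the iptables nat table. Run as root to apply; set DRY_RUN=1
# to print the iptables commands instead of executing them.

LOW_PORT=${LOW_PORT:-80}
TOMCAT_PORT=${TOMCAT_PORT:-8080}
PUBLIC_IF=${PUBLIC_IF:-eth0}

# Every rule goes through this wrapper so the script can be inspected
# (DRY_RUN=1) before it touches the live ruleset.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Sanity check: the redirect target must be an unprivileged port (> 1023),
# otherwise Tomcat would need root to bind it and the exercise is pointless.
check_ports() {
    [ "$TOMCAT_PORT" -gt 1023 ] && [ "$LOW_PORT" -ge 1 ] && [ "$LOW_PORT" -le 65535 ]
}

# 1. Packets arriving from the network on port 80: rewrite the destination
#    port before routing. Tomcat then sees an ordinary connection to 8080.
external_redirect() {
    run -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport "$LOW_PORT" \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
}

# 2. Packets the box generates itself (a web app calling http://localhost/,
#    curl run on the server, a local health check) never pass PREROUTING;
#    they go through the nat OUTPUT chain instead. Matching on -o lo limits
#    the rewrite to traffic that is delivered locally (127.0.0.1 and the
#    host's own addresses), so the server's outbound HTTP to other hosts is
#    left alone. REDIRECT here delivers to 127.0.0.1:8080, so Tomcat must be
#    listening on loopback (the default, which binds all interfaces).
internal_redirect() {
    run -t nat -A OUTPUT -o lo -p tcp --dport "$LOW_PORT" \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
}

# Show the resulting nat rules with counters, to confirm traffic is hitting them.
show_rules() {
    run -t nat -L -n -v
}

apply_all() {
    check_ports || { echo "refusing: TOMCAT_PORT must be > 1023" >&2; return 1; }
    external_redirect
    internal_redirect
}

# Call apply_all from an init script, or run this file directly:
# DRY_RUN=1 sh tomcat-redirect.sh   (prints the rules)
# sh tomcat-redirect.sh             (applies them, as root)
case "${0##*/}" in
    tomcat-redirect.sh) apply_all && show_rules ;;
esac
```

Two things to keep in mind with this setup. First, Tomcat still listens on 8080, so that port remains reachable directly unless a filter rule blocks it; a naive `--dport 8080` DROP in the INPUT chain would also drop the redirected traffic, so such a rule has to match on the original destination port via conntrack rather than on the rewritten one. Second, Tomcat builds absolute URLs and redirects from the port it bound, so set `proxyPort="80"` on the HTTP Connector in server.xml if you want clients sent to port 80 rather than 8080.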
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]