| 6:30 pm on Nov 27, 2006 (gmt 0)|
You need a firewall if you are going to connect a server to the internet. Otherwise, you may expect intrusions within a few seconds.
Combined firewall/routers are available for less than $100 U.S.
| 12:10 am on Nov 28, 2006 (gmt 0)|
just to expand on jim's reply:
a hardware router/firewall will face "the internet" and handle service requests to your IP address.
it translates some or all of these requests to a virtual IP address. (your computer)
you can easily configure the firewall to reject most requests unless they are in response to an outbound request.
for example you can specifically prevent inbound http service requests which would prevent outside access to your apache server.
| 5:18 pm on Nov 28, 2006 (gmt 0)|
Ok, thanks for the help guys. Will a software router like McAfee do?
| 5:40 pm on Nov 28, 2006 (gmt 0)|
Not really. If you get a broadband connection you may well have a hardware firewall built in to the router. If not, the Belkin routers have one. Your local network (LAN) is one separate network, the connection to the Internet is via the router and the two are solidly kept apart.
Your router should have a configuration program or interface (often web based) to allow you to simply deny ALL incoming requests.
| 7:33 pm on Nov 28, 2006 (gmt 0)|
What OS are you running on this machine?
Linux has good firewalling capability. Still, I would use a hardware firewall/router. (The two terms have become confuzled lately...)
How do you protect the machine you currently use to browse the web?
If you are going to connect more than one computer to your Internet connection, you need a router anyway. Most/all modern routers include firewall protection.
The key technologies are NAT (Network Address Translation), stateful packet inspection, and application-level firewalling.
If you have DSL service, you may already have NAT built-in to your DSL modem. This is less common with cable modems. The built-in NAT may well be "good enough", but may lack the flexibility of dedicated firewall/routers.
Special needs that might be best addressed by a separate firewall/router include providing access to servers, using file-sharing networks (BitTorrent, etc.), VOIP, etc.
All modern firewalls implement the first two, and many the third.
NAT translates between your internal network addresses and a single public address on the Internet. Generally, by default, NAT allows NOTHING in from the outside, other than responses to internally-generated requests (this is stateful packet inspection). If you want, for example, to allow access to a web server on your internal network (say, to allow a client to test) you have to go out of your way to enable that.
Application-level firewalling adds an awareness of higher-level protocols (such as HTTP, SMTP, etc.) and inspects for specific exploit patterns.
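The default-deny behaviour described in the post above (nothing comes in unless it answers an internally generated request or matches a forward someone enabled on purpose), as an added example that is not part of the original thread. The class name, addresses and ports are constructed for illustration, and matching replies on remote IP and port is an assumption; real routers vary.

```python
# Added illustration: toy NAT gateway with stateful inspection.
# All addresses and ports are constructed (RFC 5737 / RFC 1918 ranges).
import itertools

PUBLIC_IP = "203.0.113.10"   # constructed public address of the router


class NatGateway:
    def __init__(self):
        # Assumption: flows are matched on remote IP and port (routers vary).
        self.state = {}      # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.forwards = {}   # public_port -> (lan_ip, lan_port), explicit only
        self._ports = itertools.count(40000)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection: rewrite the source, remember the flow."""
        public_port = next(self._ports)
        self.state[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (PUBLIC_IP, public_port, remote_ip, remote_port)

    def add_forward(self, public_port, lan_ip, lan_port):
        """Operator deliberately exposes one internal service."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN destination for an inbound packet, or None (dropped)."""
        flow = self.state.get((public_port, remote_ip, remote_port))
        if flow:                                 # reply to an internal request
            return flow
        return self.forwards.get(public_port)    # explicit forward, else deny


def demo():
    gw = NatGateway()
    results = {}
    # Unsolicited request to port 80 before any forward exists: dropped.
    results["unsolicited_http"] = gw.inbound("198.51.100.7", 51515, 80)
    # Browser on the LAN fetches a page; the reply is let back in.
    _, pport, rip, rport = gw.outbound("192.168.1.20", 50123, "198.51.100.7", 443)
    results["reply"] = gw.inbound(rip, rport, pport)
    # Same public port, different remote host: not part of the flow, dropped.
    results["other_host"] = gw.inbound("198.51.100.99", 443, pport)
    # Forward enabled on purpose so a client can test the web server.
    gw.add_forward(80, "192.168.1.30", 80)
    results["forwarded_http"] = gw.inbound("198.51.100.7", 51515, 80)
    return results


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:18} -> {dest or 'DROP'}")
```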
| 9:07 pm on Nov 28, 2006 (gmt 0)|
If you have a router with more advanced capabilities, one-to-one (when dedicated IPs are used) NATs for only specific ports (80 and 443 for me) are a good way to reduce load on the stateful packet filtering firewall. I also find this practice simplifies my infrastructure (I am able to configure all web servers with internal IPs and just change the mapping on the router if I decide to switch providers).
Specific to Apache, I use mod_security and mod_dosevasive to provide additional protection.
mod_security allows you to filter out specific behaviors while mod_dosevasive provides (some at least) protection against single-sourced denial-of-service attacks.
| 10:04 pm on Nov 28, 2006 (gmt 0)|
If you don't want people to easily find your Apache server, move it to some wacky port like 8118 or something, then you can access it by appending ":8118" to the Apache requests and others won't know where to find it without port scanning.
| 10:14 am on Nov 30, 2006 (gmt 0)|
|Basically, is it safe to do so? Will people be able to access my files? |
Do you need to allow any inbound access to your PC? Are you hoping to set up pages on your system that people on the outside will be able to view? (I wouldn't recommend this...)
If you don't need the outside world to see your PC, simply block all inbound connections at your firewall....
| 5:14 pm on Nov 30, 2006 (gmt 0)|
If you are using a home DSL/cable, you had better be aware that your upstream bandwidth is only 32-46kbps. This is going to make it very slow for most surfers to access your home website. If you have more than 2-3 people your site will drag.
Also, your ISP probably has rules against hosting unless you have a static IP setup, and even then ISPs frown upon home users serving web pages.
| 6:45 pm on Nov 30, 2006 (gmt 0)|
|If you are using a home DSL/cable, you had better be aware that your upstream bandwidth is only 32-46kbps |
You might want to shop for a new provider as my cable has 300kbps upstream.
Not great, but it's as good as it gets here.
| 8:22 pm on Nov 30, 2006 (gmt 0)|
Actually, the poster never stated that he planned on making the machine available for incoming connections from the Internet. Just that he was connecting a machine to the Internet that is currently isolated from it.
Perhaps some clarification would be helpful.
BTW, I enjoy a 1mb/sec upstream speed (12mb down/1mb up) through a cable modem. However, it is of course against the provider's TOS to host a web site on the connection. And, frankly, that is just not acceptable for a website today. I can transfer FROM my datacenter-hosted website at the full 12mb/sec speed of my home downstream connection. I see speeds quite a bit higher than that when, say, loading software onto the site from repositories on the net.