Originally Posted by till
I agree in case you run services that shall not be available for external users.
But normally you run on a webserver only services like apache, pop3, imap, smtp that shall be used from outside, so these ports are open anyway. It makes no big difference if the firewall is on or not, as these ports are open anyway for all running services.
This does not apply to firewalls for a network or a firewall on a desktop that shall not accept connections from outside.
I fully agree with your point.
But that is only valid if you know in advance exactly what services (and the ports they are using) are running on the server at boot time.
But if one day by any chance (and trust me, these things happen) I forget a service startup that has a vulnerability of some sort (and there are too many to mention ...) that could be a serious problem.
Moreover, my server is used by other programmers who have repositories with their development ... I fully and totally trust them ... but as we all know,
us Java developers are known to make "imaginative" server-side programs ... sometimes to save a login under ssh ...
Well ... I do not expect a lot of reboots ... so this should not be a problem.
Anyhow, it is too late now to make these things wait any longer.
I simply have to be more cautious.
I will change the ntp startup order to after ISPConfig (it is the one that takes longer; this will dramatically reduce any type of attack attempt).
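The "forgotten service" risk raised above can be audited rather than assumed: the following added example (not code from the thread or from ISPConfig) compares the listening TCP sockets of a host against an allowlist of ports you intend to expose and reports any externally reachable listener that is not on it. It assumes input in the column layout of `ss -tlnH` without `-p`, and the sample below is constructed, not a real capture.

```shell
#!/bin/sh
# Ports you intend to expose on a web/mail host (assumed allowlist, adjust to taste).
ALLOWED_PORTS="22 25 80 110 143 443"

# Constructed sample in `ss -tlnH` layout: State Recv-Q Send-Q Local Peer.
# 3306 is loopback-only (fine), 8080 is bound on all interfaces and not allowed.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 64 0.0.0.0:8080 0.0.0.0:*'

# unexpected_listeners "<ss output>": prints the local address:port of every
# socket bound to a non-loopback address whose port is not in ALLOWED_PORTS.
# Output is empty when nothing unexpected is listening.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 {
            sock = $(NF-1)                 # local address:port column
            port = sock; sub(/.*:/, "", port)
            addr = sock; sub(/:[0-9]+$/, "", addr)
            # loopback-only listeners are not reachable from outside; skip them
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print sock
        }'
}

# Live use on the host itself: unexpected_listeners "$(ss -tlnH)"
unexpected_listeners "$SAMPLE_SS_OUTPUT"
```

Running it from a boot-time hook (after all services have started) gives a concrete answer to "did anything I forgot about come up listening" instead of relying on memory.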