KWhat l33t
Joined: 04 Sep 2005 Posts: 660 Location: Los Angeles
Posted: Fri Dec 01, 2006 5:14 pm Post subject: Does a Server need a local firewall?
I have somewhat of a general question concerning server security.
I recently set up a Gentoo server to replace a Red Hat server we had, due to Red Hat's licensing requirements and the fact that Gentoo is 100x easier to manage.
The question is, does this server need a local firewall similar to the Red Hat setup? It is a fairly simple web server with MySQL, Samba, etc. It is accessible both internally and externally, and it is behind a firewall externally. I don't really see any reason to have a local firewall on the box, but then again I am not a sysadmin. Also, if I really should have a firewall in place, is there a nice guide somewhere that can walk me through the iptables config? I have set up iptables in the past for routers, however never for a web server.
Thanks in advance.
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Fri Dec 01, 2006 5:40 pm Post subject:
Quote: "The question is, does this server need a local firewall"
Only you can answer that. If you have analysed the risks and your conclusion is that you don't see the need, then there's your answer. On the other hand, there are so many scripts out there to generate firewall rules for a web server that the effort usually is so low that you'd need very good reasons not to set up a firewall.
Take a look in /usr/portage/net-firewall/
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
Posted: Fri Dec 01, 2006 8:33 pm Post subject:
Maybe the question would be... would I be more secure with a firewall?
You seem to have Samba shares, so you could either add your local machines to your firewall configuration or edit smb.conf for the IPs (do the same for SSH unless you want to be able to access SSH from anywhere).
Also have strong identification for SSH.
Scanning the whole internet for open SSH ports takes one day with 500 compromised machines.
Avoid passwords or use something like DenyHosts, because you will have people or machines trying to gain access to your server through SSH.
A firewall is useless for protecting external services, because the ports need to be open in order to work correctly for everybody,
but maybe for protecting internal services it could be a good thing, if they don't have a config file that can deny access to the outside world like smb.conf or sshd_config.
You could also set up an IDS like Snort.
By the way, which Gentoo did you choose?
Hardened Gentoo or the normal one?
Be careful, I am not a sysadmin, so I have no experience of the real world.
By the way, a firewall may be able to control the access of the machines based on a lot more characteristics than simply the IP (like sshd_config or smb.conf does), like the application used, the MAC address or the operating system (see NuFW for that).
You could also look for TCP wrappers:
http://en.wikipedia.org/wiki/Tcp_wrapper
# cat /usr/portage/profiles/use.desc | grep tcpd
tcpd - Adds support for TCP wrappers
Roughly: use TCP wrappers or modify the config files (remember that an IP can easily be changed) in order to protect your SSH from your local network... You can also disable SSH if you have physical access to the machine.
The problem is also that a MAC address can also easily be changed.
You also have identification possibilities for a network such as RADIUS and NuFW (be careful, there are 2 Windows clients and one is not free as in price).
Do you use wireless?
Do you have physical access to your server?
Can the employees access the server? (The case of the server must be secure and the console should be locked.)
Do you need to access SSH from a remote location?
Even the keyboard is a risk... someone could buy an identical keyboard and replace your keyboard with one that has a keylogger... (so SSH is more secure).
Security is a hard task...
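A concrete version of the split described in this thread (web ports open to everyone; SSH, Samba and MySQL reachable only from the local network), as an added example that is not from the posts above and not one of the scripts in net-firewall: a POSIX shell script that generates a ruleset in iptables-restore format. The local network range 192.168.1.0/24 and the exact service ports are assumptions to adjust to the real box.

```shell
#!/bin/sh
# Added example (not from the thread or from the net-firewall scripts it mentions):
# generate an iptables-restore ruleset for a LAN web server.
# Policy: HTTP/HTTPS open to everyone; SSH, Samba and MySQL only from the local
# network; everything else inbound is dropped and (rate-limited) logged.
# ASSUMPTION: the local network is 192.168.1.0/24; change DEFAULT_LAN to match yours.

DEFAULT_LAN="192.168.1.0/24"

# Emit one ACCEPT rule per port for new connections of one protocol.
# usage: allow_from <source-cidr|any> <tcp|udp> <port>...
allow_from() {
    src="$1"; proto="$2"; shift 2
    for port in "$@"; do
        if [ "$src" = "any" ]; then
            rule="-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        else
            rule="-A INPUT -s $src -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
        printf '%s\n' "$rule"
    done
}

# Emit the complete filter table. usage: gen_ruleset [lan-cidr]
gen_ruleset() {
    lan="${1:-$DEFAULT_LAN}"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default deny for anything not matched below
    printf '%s\n' ':FORWARD DROP [0:0]'    # this box is a server, not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    allow_from any    tcp 80 443          # web server: reachable by everyone
    allow_from "$lan" tcp 22              # ssh: local network only
    allow_from "$lan" tcp 139 445         # samba: NetBIOS session and SMB over TCP
    allow_from "$lan" udp 137 138         # samba: NetBIOS name and datagram service
    allow_from "$lan" tcp 3306            # mysql: local network only
    # Log what falls through to the DROP policy, throttled so the log cannot be flooded.
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Running the script directly prints the ruleset. After reviewing it, load it as root with:
#   sh this_script.sh | iptables-restore
gen_ruleset
```

Keep a console session open the first time you load it, since a typo in the SSH rule locks you out of remote access. Filtering on source address is only as trustworthy as the addresses on your LAN (GNUtoo's point about IPs being easy to change), so it complements key-based SSH authentication and the `hosts allow` setting in smb.conf rather than replacing them.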
KWhat l33t
Joined: 04 Sep 2005 Posts: 660 Location: Los Angeles
Posted: Fri Dec 01, 2006 10:03 pm Post subject:
The machine is protected by the general firewall, so internal access is limited and external access is denied for things like SSH and SMB, so I'm not terribly concerned. Also, the services that are running are going to be available to everyone internally, such as Apache and MySQL. I don't think the firewall would hurt, although it's one more pain in my ass. FYI, I am using the normal Gentoo install, not the hardened one.
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
Posted: Sat Dec 02, 2006 10:12 pm Post subject:
RHEL had SELinux... the normal Gentoo doesn't have it.
If you want to deny access from the internal network for SSH, in case you have some employees that are also hackers... lol, you can install a firewall or use the config files or use TCP wrappers.
If you have wireless access you should do it.
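GNUtoo's suggestion of DenyHosts and TCP wrappers for the SSH password-guessing traffic, as an added example that is not code from the thread or from the DenyHosts project: a POSIX shell script that counts failed SSH password attempts per source address in sshd log lines and emits /etc/hosts.deny entries for addresses that cross a threshold. The log lines are constructed sample data in the classic sshd syslog format; the hostname `web`, the user names, the addresses and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the idea behind DenyHosts in a few lines of awk.
# Reads sshd log lines, counts "Failed password" attempts per source address and emits
# tcp_wrappers hosts.deny entries for addresses at or above a threshold.
# The log lines below are CONSTRUCTED sample data; real input is /var/log/auth.log
# or wherever your syslog sends the authpriv facility.

SAMPLE_LOG=$(cat <<'EOF'
Dec  1 17:14:02 web sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Dec  1 17:14:05 web sshd[2213]: Failed password for root from 203.0.113.7 port 41030 ssh2
Dec  1 17:14:09 web sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 41041 ssh2
Dec  1 17:15:00 web sshd[2220]: Accepted publickey for kwhat from 192.168.1.20 port 50210 ssh2
Dec  1 17:15:31 web sshd[2224]: Failed password for kwhat from 192.168.1.20 port 50230 ssh2
Dec  1 17:16:12 web sshd[2230]: Failed password for invalid user oracle from 198.51.100.42 port 33010 ssh2
Dec  1 17:16:14 web sshd[2232]: Failed password for invalid user oracle from 198.51.100.42 port 33012 ssh2
Dec  1 17:16:15 web sshd[2234]: Failed password for invalid user postgres from 198.51.100.42 port 33014 ssh2
Dec  1 17:16:16 web sshd[2236]: Failed password for invalid user mysql from 198.51.100.42 port 33016 ssh2
EOF
)

# Read log lines on stdin; print "<count> <ip>" per address, most failures first.
# The address is located by scanning from the END of the line for the word "port"
# and taking the field before it, so a client-chosen user name that itself contains
# "from" (user names are attacker-controlled text in these lines) cannot shift it.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
             for (i = NF; i > 0; i--) if ($i == "port") { ip = $(i-1); break }
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print addresses whose failure count reaches the threshold (default 3), sorted for stable output.
offenders() {
    failed_by_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }' | sort
}

# Turn the offenders into tcp_wrappers /etc/hosts.deny lines (what DenyHosts maintains for you).
# sshd only honours them when built with libwrap support (the tcpd USE flag quoted above).
deny_rules() {
    offenders "$1" | awk '{ print "sshd: " $1 }'
}

# Stand-alone run: show what would be appended to /etc/hosts.deny for the sample log.
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```

For the sample data this prints `sshd: 198.51.100.42` and `sshd: 203.0.113.7`; the single failure from the LAN host 192.168.1.20 stays below the threshold. Key-only authentication (`PasswordAuthentication no` in sshd_config) removes the guessing surface that produces these lines in the first place, and restricting SSH to the local network, as suggested earlier in the thread, keeps most of the scanners from ever reaching the daemon.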