Date: Thu, 10 Aug 2006 11:00:59 +0700 (ICT)
From: Olivier Nicole <on@cs.ait.ac.th>
To: zope@2012.vi
Cc: freebsd-questions@freebsd.org
Subject: Re: Doing Routing On My Production Server
Message-ID: <200608100400.k7A40xSo035416@banyan.cs.ait.ac.th>
In-Reply-To: <44DA230F.20407@2012.vi> (message from beno on Wed, 09 Aug 2006 14:01:51 -0400)
References: <44DA230F.20407@2012.vi>
> I'm updating my firewall and I've found a nifty how-to that recommends
> using a BSD box in front of another box as your firewall, using the
> first as a router and passing one NIC to the other box. Can't all that
> be done from the same box?

I am not sure I know what you are doing. What do you have on your production server?

If you have one web server as production server and a series of workstations on a NAT'ed local network, it is possible to have your production server hook onto the network and do the NAT stuff for your local network. It works, but it is certainly not advisable (for anything except a home network?).

A web server and a router/NAT are two very distinct types of machine, with different resources and needs, so it is better to leave them separated. On a web server you will end up adding lots of ports/external software, each of them having possible flaws and needing frequent updates; a router is a stock system, etc.

Now the firewall thing. Security is built by adding level after level of different security features in order to slow down a hacker. There is no "one solves it all" solution. So having a global firewall running on a router machine is a good "one more level" solution. You will still run a firewall on your production server (and TCP wrappers, and disable unneeded services, and properly bind each service to only the needed interfaces). And if your router/firewall is of a different type than your server, maybe one is faulty and can be broken through, but the second will not open a back door to the same defect.

In fact, but that is not a commonly shared thought, I like the firewall to be on an IP-less machine, sitting like an Ethernet device that cannot be contacted through TCP/IP.

Olivier
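One of the host-side layers named in the reply above, binding each service only to the interfaces that need it and disabling the rest, can be checked mechanically. The script below is an added example, not code from this thread or from the FreeBSD project: it parses the kind of listing `sockstat -4 -l` prints on FreeBSD and compares every listening socket against a bind policy. The addresses (203.0.113.10 as the public side, 192.168.1.1 as the LAN side), the policy table and the sockstat lines are all constructed for the example.

```python
"""Audit listening sockets on a server against a per-service bind policy.

Added example for the reply above; not code from the FreeBSD project or the
poster. SAMPLE_SOCKSTAT is constructed to look like `sockstat -4 -l` output
(USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS); the addresses and
the policy are assumptions for illustration.
"""
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.10"   # assumed public address of the production server
INTERNAL_IP = "192.168.1.1"    # assumed LAN-facing address of the same box

# Policy: (protocol, port) -> local addresses the service may listen on.
# "*" means the wildcard (all interfaces) is acceptable for that service,
# which is only true for services that are meant to be reachable from outside.
POLICY = {
    ("tcp4", 80):   {EXTERNAL_IP, "*"},   # public web server
    ("tcp4", 443):  {EXTERNAL_IP, "*"},
    ("tcp4", 22):   {INTERNAL_IP},        # admin access from the LAN side only
    ("tcp4", 3306): {"127.0.0.1"},        # database: loopback only
}

# Constructed sample; not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   *:80                  *:*
www      httpd      1234  5  tcp4   *:443                 *:*
root     sshd       800   3  tcp4   *:22                  *:*
mysql    mysqld     900   10 tcp4   127.0.0.1:3306        *:*
root     syslogd    600   6  udp4   *:514                 *:*
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    address: str
    port: int


def parse_sockstat(text):
    """Turn sockstat-style lines into Listener records; skips the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        # Split on the last colon so IPv6-style addresses survive too.
        address, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(user, command, int(pid), proto, address, int(port)))
    return listeners


def audit(listeners, policy=POLICY):
    """Return (listener, reason) pairs for every socket that violates policy.

    A socket on a port the policy does not mention is flagged as an unneeded
    or undocumented service; a known service bound to an address outside its
    allowed set (typically the wildcard "*") is flagged as over-exposed.
    """
    findings = []
    for l in listeners:
        allowed = policy.get((l.proto, l.port))
        if allowed is None:
            findings.append((l, "port not in policy: unneeded or undocumented service"))
        elif l.address not in allowed:
            findings.append((l, f"bound to {l.address}, policy allows {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for listener, reason in audit(parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"{listener.command} (pid {listener.pid}) "
              f"{listener.proto} {listener.address}:{listener.port}: {reason}")
```

On the constructed sample the audit flags sshd, which listens on the wildcard address although policy restricts it to the LAN address, and syslogd's UDP listener, which the policy does not mention at all. On a real host you would feed it the output of `sockstat -4 -l` and maintain the policy alongside the host firewall rules, so that the two layers describe the same intended exposure.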