From owner-freebsd-questions@FreeBSD.ORG Thu Aug 10 04:01:02 2006
Date: Thu, 10 Aug 2006 11:00:59 +0700 (ICT)
Message-Id: <200608100400.k7A40xSo035416@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: zope@2012.vi
In-reply-to: <44DA230F.20407@2012.vi> (message from beno on Wed, 09 Aug 2006 14:01:51 -0400)
References: <44DA230F.20407@2012.vi>
Cc: freebsd-questions@freebsd.org
Subject: Re: Doing Routing On My Production Server

> I'm updating my firewall and I've found a nifty how-to that recommends
> using a BSD box in front of another box as your firewall, using the
> first as a router and passing one NIC to the other box. Can't all that
> be done from the same box?

I am not sure I know what you are doing. What do you have on your production server?
If you have one web server as production server and a series of workstations on a NAT'ed local network, it is possible to have your production server hook onto the network and do the NAT stuff for your local network.

It works, but it is certainly not advisable (for anything except a home network?). A web server and a router/NAT are two very distinct types of machine, resources, needs, so it is better to leave them separated. On a web server you will end up adding lots of ports/external software, each of them having their possible flaws and needing frequent updates; a router is a stock system, etc.

Now the firewall thing. Security is built by adding level after level of different security features in order to slow down a hacker. There is no "one solve it all" solution. So having a global firewall running on a router machine is a good "one more level" solution. You will still run a firewall on your production server (and TCP wrapper, and disable unneeded services, and properly bind each service to only the needed interfaces). And if your router/firewall is of a different type than your server, maybe one is faulty and can be broken through, but the second will not open a back door to the same defect.

In fact, but that is not a commonly shared thought, I like the firewall to be on an IP-less machine, sitting like an Ethernet device that cannot be contacted through TCP/IP.

Olivier
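One way to check the host-side point in the reply above (bind each service only to the needed interfaces, disable what is unneeded) is to audit the listening sockets for wildcard binds. This is an added example, not code from the thread; the input is constructed text in the layout of FreeBSD's `sockstat -4 -l`, and the port allow list is an assumption about which services you intend to expose on every interface.

```shell
#!/bin/sh
# Constructed sample in the layout of `sockstat -4 -l` on FreeBSD (not real output).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
www      httpd      900   3  tcp4   203.0.113.10:80       *:*
root     sendmail   700   4  tcp4   127.0.0.1:25          *:*
root     rpcbind    500   6  udp4   *:111                 *:*'

# wildcard_listeners "<allowed ports>"  (reads sockstat output on stdin)
# Prints "proto command port" for every socket bound to *:port whose port is
# not in the space-separated allow list, i.e. a service reachable on every
# interface that you did not explicitly decide to expose that way.
wildcard_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        NR == 1 { next }                 # skip the column header line
        $6 ~ /^\*:/ {                    # LOCAL ADDRESS of the form *:port
            split($6, a, ":")
            if (index(allowed, " " a[2] " ") == 0)
                print $5, $2, a[2]
        }'
}

# Number of unexpected wildcard listeners in the constructed sample,
# given the ports you allow to be bound on all interfaces.
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners "$1" | wc -l | tr -d ' '
}

# On a live FreeBSD host you would pipe real output instead:
#   sockstat -4 -l | wildcard_listeners "22 80"
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners "22"
```

With only port 22 allowed, the sample reports `udp4 rpcbind 111`; httpd and sendmail pass because they are bound to a specific address.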