Date: Sun, 31 Jul 2005 21:56:09 -0400
From: Jeff <jeff.dyke@gmail.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: questions@freebsd.org
Subject: Re: dmz server setup - opinions
Message-ID: <42ED8139.1080507@azimapower.com>
In-Reply-To: <42ECFE39.7090108@mac.com>
References: <42ECEBC4.3020605@azimapower.com> <42ECFE39.7090108@mac.com>
Chuck Swiger wrote:
> Jeff wrote:
>
>> I realize this may be partial religion and then potentially bias due
>> to the list but here goes anyway.
>
> There is nothing wrong with bias, per se, if you are aware that it
> exists. :-)
>
>> I need to build a DMZ server, of sorts, that will sit on the public
>> internet. It will take in data from embedded devices and in turn
>> services from behind a firewall will pull data from it to later
>> process. The main processes that I need to run are ftpd, httpd,
>> possibly smtpd (sasl2, tls), and later proprietary code that talks to
>> the embedded devices.
>
> A "DMZ server" implies you are setting up a "screened public subnet"
> along with a backend LAN subnet. If you are setting up a firewall with
> three interfaces, OK, but you should avoid running any services on that
> box except for IPFW/dummynet/PF/ALTQ/whatever.
>
> If you are setting up a box that has two interfaces, one with a public
> IP and one doing NAT to a private LAN subnet, that is still a firewall,
> but you don't have a DMZ.

Understood, that's the reason for the 'of sorts'.

> If need be, you can run proxy services on that box, but it still would
> be better from the standpoint of security to run them on an internal box
> via NAT forwarding of whatever ports are needed.
>
>> Originally I was thinking of using OpenBSD, as it seems to lend itself
>> very nicely to the public but secure environment. On the other hand,
>> if I were to use FreeBSD, I could jail each process, granted I could
>> also chroot each process in OpenBSD and httpd is already done for me.
>>
>> I will be running a firewall on the box either way and will also have
>> sshd and rsyncd running, only allowing access from the internal network.
>
> OK.
>
>> I have more experience with FreeBSD, but my limited knowledge based
>> on an install and configuration of OpenBSD 3.7 has made me comfortable
>> with it as well.
>>
>> Any opinions on which OS is better suited for the task? Security and
>> reliability are the foremost concerns (aren't they everyone's) and I
>> think both OSes are more than up to the task.
>
> Both OSes are up to the task. If you are going to just set up a
> firewall, using OpenBSD would be an easy choice.
>
> However, it sounds like you plan to install at least your custom
> software, a web server, and several other 3rd-party pieces: FreeBSD
> ports makes doing that and keeping it up-to-date securely very easy via
> portaudit & portupgrade.
>
> Many people seem to value things like "cost" and "performance", or even
> "convenience", more highly than they value "security" or "reliability".
> Don't take this for a suggestion to change what you are doing, however.
> :-)

True. Cost is just my time, and I feel performance between the two is
negligible (Dell 750, Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd
spend extra time/money, within reason, for security and reliability...
how's it go? pay me now, or pay me later....heh.

I appreciate the input. I'm now leaning toward going back inside the
firewall with this, with FreeBSD, using jails for httpd/ftpd and allowing
the current external firewall to continue its work using NAT and, if I
need the DMZ, set up an actual one, not just a public cache server, as I
had explained here.

again, thanks
jd
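The three-interface "screened public subnet" layout Chuck describes above, written out as a FreeBSD pf.conf. This is an added example, not configuration from the original thread or from either poster. The interface names, the address ranges (RFC 5737 documentation space for the DMZ, a private range for the LAN) and the port lists are assumptions constructed for the example; the policy it encodes is the one in the message: the firewall itself runs no services, the Internet reaches only the public services on the one DMZ host, sshd and rsyncd on that host are reachable from the internal network only, and the DMZ can never initiate a connection into the LAN.

```pf
# Added example: pf.conf for the three-interface screened-subnet layout.
# Interface names, addresses and ports below are constructed assumptions.
ext_if   = "em0"               # public interface
dmz_if   = "em1"               # screened subnet holding the public-facing box
int_if   = "em2"               # internal LAN
dmz_net  = "192.0.2.0/24"      # DMZ subnet (documentation range, constructed)
int_net  = "10.0.0.0/24"       # internal LAN (constructed)
dmz_srv  = "192.0.2.10"        # the box running ftpd/httpd/smtpd (constructed)
pub_tcp  = "{ 21, 25, 80 }"    # ftp, smtp, http: exposed to the Internet
mgmt_tcp = "{ 22, 873 }"       # sshd and rsyncd: reachable from the LAN only

set skip on lo0
scrub in all

# Translation rules must precede filter rules in pf.conf.
# Internal hosts reach the Internet through NAT on the public address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny, logged, so anything unexpected shows up on pflog0.
block in log all
block out log all

# The firewall hosts no services of its own; everything it passes is
# stateful, so one outbound rule covers replies and forwarded traffic.
pass out quick keep state

# Internet -> DMZ: only the public services, only to the one DMZ host.
pass in on $ext_if proto tcp from any to $dmz_srv port $pub_tcp \
    flags S/SA keep state

# LAN -> DMZ: management (sshd/rsyncd) and the processes that pull data.
# Nothing else from the LAN reaches the DMZ subnet.
pass in on $int_if proto tcp from $int_net to $dmz_srv port $mgmt_tcp \
    flags S/SA keep state

# LAN -> Internet: allowed (address-translated by the nat rule above),
# but explicitly not toward the DMZ subnet, so the rule above stays the
# only LAN-to-DMZ path.
pass in on $int_if from $int_net to ! $dmz_net keep state

# DMZ -> LAN: never initiated from the DMZ side. "quick" makes this
# decision final, so a compromised public box cannot open connections
# inward; the LAN pulls from it instead.
block in quick on $dmz_if from $dmz_net to $int_net

# DMZ -> Internet: only what the services need (outbound mail here).
pass in on $dmz_if proto tcp from $dmz_srv to any port 25 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Two caveats for the services named in the thread: ftpd in passive mode opens data connections on ports outside this list, so an FTP deployment needs either a fixed passive port range passed through or ftp-proxy in front of it; and for the two-interface variant Chuck mentions (services on an internal box behind NAT), the DMZ rules are replaced by `rdr on $ext_if` rules forwarding the chosen ports to the internal host, which then inherits the same "LAN pulls, nothing pushes inward" shape.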