From: Jeff
Reply-To: jdyke@azimapower.com
To: Chuck Swiger
Cc: questions@freebsd.org
Subject: Re: dmz server setup - opinions
Date: Sun, 31 Jul 2005 21:56:09 -0400
Message-ID: <42ED8139.1080507@azimapower.com>
In-Reply-To: <42ECFE39.7090108@mac.com>
References: <42ECEBC4.3020605@azimapower.com> <42ECFE39.7090108@mac.com>
List-Id: User questions (freebsd-questions@freebsd.org)

Chuck Swiger wrote:
> Jeff wrote:
>
>> I realize this may be partial religion and then potentially bias due
>> to the list, but here goes anyway.
>
> There is nothing wrong with bias, per se, if you are aware that it
> exists. :-)
>
>> I need to build a DMZ server, of sorts, that will sit on the public
>> internet. It will take in data from embedded devices and in turn
>> services from behind a firewall will pull data from it to later
>> process. The main processes that I need to run are ftpd, httpd,
>> possibly smtpd (sasl2, tls), and later proprietary code that talks to
>> the embedded devices.
>
> A "DMZ server" implies you are setting up a "screened public subnet"
> along with a backend LAN subnet. If you are setting up a firewall with
> three interfaces, OK, but you should avoid running any services on that
> box except for IPFW/dummynet/PF/ALTQ/whatever.
>
> If you are setting up a box that has two interfaces, one with a public
> IP and one doing NAT to a private LAN subnet, that is still a firewall,
> but you don't have a DMZ.

Understood, that's the reason for the 'of sorts'.

> If need be, you can run proxy services on that box, but it still would
> be better from the standpoint of security to run them on an internal box
> via NAT forwarding of whatever ports are needed.
>
>> Originally I was thinking of using OpenBSD, as it seems to lend itself
>> very nicely to the public but secure environment. On the other hand,
>> if I were to use FreeBSD, I could jail each process; granted, I could
>> also chroot each process in OpenBSD, and httpd is already done for me.
>>
>> I will be running a firewall on the box either way and will also have
>> sshd and rsyncd running, only allowing access from the internal network.
>
> OK.
>
>> I have more experience with FreeBSD, but my limited knowledge based
>> on an install and configuration of OpenBSD 3.7 has made me comfortable
>> with it as well.
>>
>> Any opinions on which OS is better suited for the task? Security and
>> reliability are the foremost concerns (aren't they everyone's?) and I
>> think both OSes are more than up to the task.
>
> Both OSes are up to the task. If you are going to just set up a
> firewall, using OpenBSD would be an easy choice.
>
> However, it sounds like you plan to install at least your custom
> software, a web server, and several other 3rd-party pieces: FreeBSD
> ports makes doing that and keeping it up-to-date securely very easy via
> portaudit & portupgrade.
>
> Many people seem to value things like "cost" and "performance", or even
> "convenience", more highly than they value "security" or "reliability".
> Don't take this for a suggestion to change what you are doing, however.
> :-)

True. Cost is just my time, and I feel the performance difference between the two is negligible (Dell 750, Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd spend extra time/money, within reason, for security and reliability... how's it go? Pay me now, or pay me later... heh. I appreciate the input.

I'm now leaning toward going back inside the firewall with this, with FreeBSD, using jails for httpd/ftpd and allowing the current external firewall to continue its work using NAT, and if I need the DMZ, set up an actual one, not just a public cache server, as I had explained here.

Again, thanks,
jd
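A pf ruleset for the three-interface, screened-subnet design Chuck describes (public side, DMZ, backend LAN, with only ftpd/httpd forwarded to the DMZ host and sshd/rsyncd reachable only from the internal network). This is an added example, not configuration from the thread; interface names, subnets and host addresses are assumptions.

```pf
# Constructed example: three-interface firewall with a screened DMZ subnet.
# Interface names, subnets and host addresses below are assumptions.
ext_if  = "fxp0"              # public side
dmz_if  = "fxp1"              # screened public subnet
int_if  = "fxp2"              # backend LAN
dmz_net = "192.0.2.0/24"
int_net = "10.0.0.0/24"
dmz_srv = "192.0.2.10"        # host that receives data from the embedded devices
public_tcp   = "{ 21, 80 }"   # ftpd, httpd: the only services exposed to the internet
internal_tcp = "{ 22, 873 }"  # sshd, rsyncd: reachable only from the backend LAN

set skip on lo0
scrub in all

# Backend LAN reaches the internet through NAT; nothing is forwarded into it.
nat on $ext_if from $int_net to any -> ($ext_if)

# Only the listed services are forwarded from the public address to the DMZ host.
rdr on $ext_if proto tcp from any to ($ext_if) port $public_tcp -> $dmz_srv

# Default deny in both directions on every interface; log what is dropped.
block in log all
block out log all

# A compromised DMZ host must never initiate anything toward the backend LAN.
block in quick on $dmz_if from $dmz_net to $int_net

# Public -> DMZ: filter rules match the post-rdr destination address.
pass in  on $ext_if proto tcp from any to $dmz_srv port $public_tcp flags S/SA keep state
pass out on $dmz_if proto tcp from any to $dmz_srv port $public_tcp keep state

# LAN -> DMZ: administration and data pulls only from the internal network.
pass in  on $int_if proto tcp from $int_net to $dmz_srv port $internal_tcp flags S/SA keep state
pass out on $dmz_if proto tcp from $int_net to $dmz_srv port $internal_tcp keep state

# LAN -> internet, translated by the nat rule above.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# FTP data connections additionally need ftp-proxy(8) or a passive port range; not shown.
```

The firewall box itself exposes nothing, matching Chuck's point that the three-interface filter should run no services of its own.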