Date: Fri, 11 Oct 2002 15:02:58 -0500
From: "DaleCo, S.P.---'the solutions people'" <daleco@daleco.biz>
To: "James Earl" <jamesearl@telus.net>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: Stand-alone or combo web server/gateway
Message-ID: <009001c27161$33ec8460$11ec910c@DaleCoportable>
References: <20021011102343.48f93bd1.jamesearl@telus.net>
This might be a theme seen on freebsd-security. The "layered onion" approach is preached as classic and important, i.e., they have to get root on the gateway first, and then they still shouldn't have the ability to break into the webserver, at least not yet, although they'd have a good platform. There'd be a lot of quid pro quos, though --- no similar passwords, no rhosts, etc., etc., etc.

I think your setup sounds OK. An added advantage might be this: pass all port 80 traffic to the webserver, but keep apache (or whatever) available on the gateway... then, if you need to go down (say, during installworld in single-user) or when you're installing the latest and most secure webserver on the www box, you could just have a basic page on the gw that says "we'll be back in a few..." and tell natd to keep the #80 packets right there for the time being.

I might save up some pennies (heh!) for another RAM chip or two, though, if you figure to get lots of traffic (probably you don't, on DSL, but who knowz?)

Cheers,

Kevin Kinsey
DaleCo, S.P.

----- Original Message -----
From: "James Earl" <jamesearl@telus.net>
To: <freebsd-questions@FreeBSD.ORG>
Sent: Friday, October 11, 2002 11:23 AM
Subject: Stand-alone or combo web server/gateway

> I recently set up two FreeBSD machines. One a dual-homed gateway running natd and ipfw of course, the other a web server running apache2.
>
> The dual-homed gateway is hooked up to an ADSL Internet connection, and the web server sits behind the gateway machine, and has all port 80 traffic forwarded to it through natd.
>
> Both machines are Pentium II's 350/400-MHz with 64MB RAM.
>
> Now that it's all together, I'm questioning this setup. I realize now, I could have used just one machine to do everything, especially considering my Internet connection.
>
> I'm guessing the latency added by having the web server behind the gateway is insignificant, and of no significance to anyone pulling data from the web server down the 640Kbps pipeline! -- correct?
>
> Is there any major security, or other advantages to keeping these machines separate?
>
> The one thing I thought of was that if the web server was down, the two other computers (Yup, only two!) that access the Internet through the gateway machine, can still get on the Internet!
>
> Any suggestions? Was this setup overkill (at least I didn't go for a GB backbone with an ADSL connection :)
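The port 80 switch Kevin describes, as an added example that is not part of the thread: a POSIX shell function that emits the natd configuration for either mode (forward to the inner web server, or keep port 80 on the gateway for a maintenance page) using the `redirect_port` directive from natd(8) and the `divert` rule from ipfw(8). The external interface `xl0` and the web server address `192.168.1.2` are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate the natd.conf for the two modes in Kevin's reply.
# Interface name and addresses below are constructed assumptions.
EXT_IF="xl0"            # assumed external (ADSL-facing) interface
WWW_HOST="192.168.1.2"  # assumed address of the inner web server

# natd_conf MODE -> prints a natd.conf for MODE.
#   forward      inbound TCP/80 is redirected to the inner web server
#   maintenance  no redirect, so the gateway's own apache answers port 80
natd_conf() {
    mode="$1"
    printf 'interface %s\n' "$EXT_IF"
    printf 'use_sockets yes\nsame_ports yes\n'
    case "$mode" in
        forward)
            # natd(8): redirect_port proto targetIP:targetPORT aliasPORT
            printf 'redirect_port tcp %s:80 80\n' "$WWW_HOST"
            ;;
        maintenance)
            # no redirect_port line: port 80 stays on the gateway
            ;;
        *)
            printf 'natd_conf: unknown mode %s\n' "$mode" >&2
            return 1
            ;;
    esac
}

# ipfw_rules -> prints the divert rule that hands packets crossing the
# external interface to natd, plus a pass rule for inbound web traffic.
# These rules are the same in both modes; only natd.conf changes.
ipfw_rules() {
    printf 'add 100 divert natd all from any to any via %s\n' "$EXT_IF"
    printf 'add 200 allow tcp from any to any 80 in via %s\n' "$EXT_IF"
}

# redirect_count MODE -> number of redirect_port lines the mode produces
redirect_count() {
    natd_conf "$1" | grep -c '^redirect_port' || true
}
```

Write the output to the file named by `natd_flags="-f ..."` in rc.conf and restart natd; the divert rule set does not change between modes.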