Date: Mon, 26 Nov 2001 00:09:41 -0800
From: "Crist J. Clark"
To: MikeM
Cc: G Brehm, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126000941.C222@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com>
In-Reply-To: <200111242124560932.023F3386@home.24cl.com>; from MyRaQ@mgm51.com on Sat, Nov 24, 2001 at 09:24:56PM -0500
X-URL: http://people.freebsd.org/~cjc/

On Sat, Nov 24, 2001 at 09:24:56PM -0500, MikeM wrote:

[snip]

> I'm not sure I agree with your comments. Yes, your architecture is more
> akin to the origin of the term "DMZ", but is that the real functionality
> that we want to provide? Should we be more concerned with staying within
> the strict definition of the military term "DMZ" or should our firewalls
> provide the needed function?

The needed function is maintaining defense from the hostile network. A
layered approach is a good way to do this.

> In my "DMZ", the server only sees port 80 traffic. *only port 80* I
> cannot possibly provide that functionality with your strict
> interpretation of a DMZ firewall. Given the options of tossing aside your
> strict definition of DMZ or re-architecting my firewall, I think I'd vote
> for tossing aside your definition.

Why can it not only see such traffic? On the external firewall (and from
the internal network to the server too if you'd like), you only pass port
80 to and from the server. No other traffic is allowed to the server. I
don't understand why you claim I cannot do this.
-- 
Crist J. Clark                     cjclark@alum.mit.edu
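The layered layout the reply describes (an external firewall that passes only port 80 to and from the DMZ server, and an internal firewall between the DMZ and the internal network) can be checked offline with a small policy model. The block below is an added example, not code from the thread or from FreeBSD; it imitates ipfw's first-match rule semantics in Python rather than using ipfw syntax. The addresses (RFC 5737 documentation ranges outside, RFC 1918 inside), the port-probe range and the specific rules are assumptions chosen for illustration. It probes what a host on the hostile network can open on the server, what the server can open on the internal network, and one failure mode of stateless "established" rules.

```python
"""Layered-DMZ policy model (added example, not code from the thread).

Two ipfw-style first-match rulesets: an external firewall between the hostile
network and the DMZ web server, and an internal firewall between the DMZ and
the internal LAN.  All addresses, ports and rules are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addresses: RFC 5737 documentation ranges outside, RFC 1918 inside.
DMZ_WEB = "192.0.2.10"       # the web server in the DMZ
INTERNAL = "10.0.0.0/8"      # the protected internal network
ATTACKER = "198.51.100.7"    # some host on the hostile network


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # "any", a host address or a CIDR prefix
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False  # like ipfw's "established": ACK/RST segments only

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_within(p.src, self.src) and _within(p.dst, self.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.established):
            return False
        return True


def _within(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# External firewall: only HTTP in to the server, only the server's HTTP
# replies back out; everything else to or from the DMZ is dropped.
EXTERNAL_FW = [
    Rule("allow", "tcp", "any", DMZ_WEB, dport=80),
    Rule("allow", "tcp", DMZ_WEB, "any", sport=80, established=True),
    Rule("deny", "ip", "any", "any"),
]

# Internal firewall: internal users may browse the server (the optional rule
# mentioned in the reply); the server may only answer them, never initiate.
INTERNAL_FW = [
    Rule("allow", "tcp", INTERNAL, DMZ_WEB, dport=80),
    Rule("allow", "tcp", DMZ_WEB, INTERNAL, sport=80, established=True),
    Rule("deny", "ip", "any", "any"),
]


def evaluate(ruleset, pkt: Packet) -> str:
    """First matching rule wins; ipfw's implicit last rule is deny."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def services_reachable(ruleset, src: str, dst: str) -> set:
    """(proto, port) pairs on dst that a host at src can open through ruleset.

    Probes privileged TCP and UDP ports with a fresh (non-established)
    segment from an ephemeral source port, plus ICMP.
    """
    found = set()
    for proto in ("tcp", "udp"):
        for port in range(1, 1024):
            probe = Packet(proto, src, dst, sport=40000, dport=port)
            if evaluate(ruleset, probe) == "allow":
                found.add((proto, port))
    if evaluate(ruleset, Packet("icmp", src, dst)) == "allow":
        found.add(("icmp", 0))
    return found


if __name__ == "__main__":
    print("hostile -> DMZ server:", services_reachable(EXTERNAL_FW, ATTACKER, DMZ_WEB))
    print("DMZ server -> internal:", services_reachable(INTERNAL_FW, DMZ_WEB, "10.1.2.3"))
```

Two things the model makes visible. First, with these rules a host on the hostile network can open exactly tcp/80 on the server, and a compromised server cannot open anything new on the internal network, which is the layering argument in the reply. Second, the stateless "established" idiom passes any TCP segment with ACK set from source port 80, so a compromised server could still push ACK-only segments at internal hosts on any port; on a real FreeBSD box use ipfw's keep-state/check-state (or pf's state tracking) for the reply direction so only replies to connections the firewall actually saw are passed. The model also leaves out the internal network's own outbound access through the external firewall, since the thread does not discuss it.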