Re: dmz server setup - opinions

From: Jeff (jeff.dyke_at_gmail.com)
Date: 08/01/05

    Date: Sun, 31 Jul 2005 21:56:09 -0400
    To: Chuck Swiger <cswiger@mac.com>

    Chuck Swiger wrote:
    > Jeff wrote:
    >
    >> I realize this may be partly religion and then potentially bias due
    >> to the list, but here goes anyway.
    >
    >
    > There is nothing wrong with bias, per se, if you are aware that it
    > exists. :-)
    >
    >> I need to build a DMZ server, of sorts, that will sit on the public
    >> internet. It will take in data from embedded devices and in turn
    >> services from behind a firewall will pull data from it to later
    >> process. The main processes that I need to run are ftpd, httpd,
    >> possibly smtpd (sasl2, tls), and later proprietary code that talks to
    >> the embedded devices.
    >
    >
    > A "DMZ server" implies you are setting up a "screened public subnet"
    > along with a backend LAN subnet. If you are setting up a firewall with
    > three interfaces, OK, but you should avoid running any services on that
    > box except for IPFW/dummynet/PF/ALTQ/whatever.
    >
    > If you are setting up a box that has two interfaces, one with a public
    > IP and one doing NAT to a private LAN subnet, that is still a firewall,
    > but you don't have a DMZ.

    Understood, that's the reason for the 'of sorts'.
    >
    > If need be, you can run proxy services on that box, but it still would
    > be better from the standpoint of security to run them on an internal box
    > via NAT forwarding of whatever ports are needed.
    >
    >> Originally I was thinking of using OpenBSD, as it seems to lend itself
    >> very nicely to the public but secure environment. On the other hand,
    >> if I were to use FreeBSD, I could jail each process, granted I could
    >> also chroot each process in OpenBSD and httpd is already done for me.
    >>
    >> I will be running a firewall on the box either way and will also have
    >> sshd and rsyncd running, only allowing access from the internal network.
    >
    >
    > OK.
    >
    >> I have more experience with FreeBSD, but my limited knowledge based
    >> on an install and configuration of OpenBSD 3.7 has made me comfortable
    >> with it as well.
    >>
    >> Any opinions on which OS is better suited for the task? Security and
    >> reliability are the foremost concerns (aren't they everyone's?) and I
    >> think both OSes are more than up to the task.
    >
    >
    > Both OSes are up to the task. If you are going to just set up a
    > firewall, using OpenBSD would be an easy choice.
    >
    > However, it sounds like you plan to install at least your custom
    > software, a web server, and several other 3rd-party pieces: FreeBSD
    > ports makes doing that and keeping it up-to-date securely very easy via
    > portaudit & portupgrade.
    >
    > Many people seem to value things like "cost" and "performance", or even
    > "convenience", more highly than they value "security" or "reliability".
    > Don't take this for a suggestion to change what you are doing, however.
    > :-)

    True. Cost is just my time, and I feel performance between the two is
    negligible (Dell 750, Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd spend
    extra time/money, within reason, for security and reliability... how's it go?
    Pay me now, or pay me later... heh.

    I appreciate the input. I'm now leaning toward going back inside the firewall with
    this, with FreeBSD, using jails for httpd/ftpd and allowing the current external
    firewall to continue its work using NAT, and if I need the DMZ, set up an actual
    one, not just a public cache server, as I had explained here.

    again, thanks
    jd
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
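Chuck's three-interface layout above (a screened public subnet beside a backend LAN, with the firewall forwarding only the ports the collector needs) written out as a pf.conf ruleset in the rdr/nat syntax FreeBSD's pf uses. This is an added example, not from the thread or either poster; interface names, addresses and the port lists are assumptions.

```pf
# Added example: three-interface "screened public subnet" in pf.conf.
# Interface names, addresses and ports are assumptions, not from the thread.
ext_if = "em0"                  # public Internet
dmz_if = "em1"                  # screened public subnet (the DMZ)
int_if = "em2"                  # backend LAN

int_net    = "192.168.1.0/24"
dmz_net    = "192.168.2.0/24"
dmz_host   = "192.168.2.10"     # collector running ftpd/httpd/smtpd
published  = "{ 21, 25, 80 }"   # only the services the devices need
pull_ports = "{ 22, 80, 873 }"  # sshd/httpd/rsyncd, reachable from the LAN only

set skip on lo0
scrub in all

# Outbound NAT for both private subnets behind the single public address
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Publish only the collector's service ports on the firewall's public IP
rdr on $ext_if proto tcp from any to ($ext_if) port $published -> $dmz_host

# Default deny, logged, on every interface
block log all

# Make the DMZ -> LAN boundary explicit: a compromised collector must not
# be able to open connections into the backend network
block in log quick on $dmz_if from $dmz_net to $int_net

# Internet -> DMZ host: the published services only (addresses are post-rdr)
pass in on $ext_if proto tcp from any to $dmz_host port $published \
    flags S/SA keep state

# LAN -> DMZ host: the internal services that pull data (ssh, rsync, http)
pass in on $int_if proto tcp from $int_net to $dmz_host port $pull_ports \
    flags S/SA keep state
# LAN -> Internet
pass in on $int_if from $int_net to ! $dmz_net keep state

# DMZ host -> Internet: only what its daemons need (DNS, outbound mail);
# $int_net is excluded, so nothing from the DMZ is ever passed inward
pass in on $dmz_if proto { tcp, udp } from $dmz_host to ! $int_net port 53 keep state
pass in on $dmz_if proto tcp from $dmz_host to ! $int_net port 25 \
    flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check; FTP data connections need either ftp-proxy(8) on the firewall or a fixed passive port range in ftpd added to $published.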
