Alex Daniloff wrote:
> Hello SuSE folkz, is it a good idea to put Firewall, NFS, Database and Web services on one Linux box, or should they be separated?
Firewall: ALWAYS separate. Can be an old Pentium with 200 MHz and 16 MB of RAM (still overpowered)!
> The Web server part is a MySQL-database-driven interface through persistent FCGI scripts. The MySQL database server should be able to operate in the long run with up to 60GB of critical data. The firewall should keep all unnecessary ports in stealth mode and provide masquerading and routing for a small internal network. The NFS server should export a publicly shared data directory to the internal network.
Recommended setup for someone who has servers to put on the internet: TWO firewalls. Between the outside one and the inside one you have a small network called a "DMZ" (demilitarized zone) where you place your internet servers. Do NOT enable remote accessibility options on the firewall(s); use a serial console instead. The console server is on the internal network, with serial cables to all hosts in the DMZ and to the firewalls, so you can access those machines safely from the inside over the network without creating any traffic anyone might observe and without having to open any login services on the net on those servers.
> I proposed this configuration: a separate Linux box provides firewall/masquerading/routing services. The second Linux box serves as an NFS, database and web server, to generate less network traffic during database queries.
> One co-worker proposed a less costly alternative: put everything on one box.
The two firewalls for a DMZ are VERY cheap (or free): use any computer everyone else would throw out as garbage. Well, not too old; see above for a safe minimum. Routers/firewalls that don't do active filtering (looking at the actual content of the traffic) are incredibly bored and have almost nothing to do, even on a fast internet connection...
> Another one expressed his opinion: separate all services across four Linux boxes.
Separate by this category: whom is it for? External or internal? External services go into the DMZ; internal ones are - internal. Accessing internal services from an external server, e.g. a database, is yet another (complicated) topic.
> Since we are on a tight budget we can't create a dedicated data center for our tasks. Could somebody enlighten me on the advantages and drawbacks of both of these methods? What is the cheapest variant in this situation?
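As an added illustration of the two-firewall DMZ layout recommended above (written for this page, not by either poster), here is an nftables ruleset for the OUTER firewall: default drop on the box itself (the "stealth" behaviour), only the published web ports forwarded to the DMZ web host, masquerading for the internal network, and no login service on the firewall because management is over the serial console. Interface names (eth0/eth1/eth2) and the 192.0.2.10 / 10.0.0.0/8 addresses are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Outer firewall of the two-firewall DMZ design (example, not from the thread).
# Assumed interfaces: eth0 = internet, eth1 = DMZ, eth2 = link to the inner firewall.
flush ruleset

define WAN = eth0
define DMZ = eth1
define INNER = eth2
define DMZ_WEB = 192.0.2.10        # placeholder address of the DMZ web server
define INTERNAL_NET = 10.0.0.0/8   # placeholder range behind the inner firewall

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Nothing else is accepted: no SSH, no web UI. Unused ports do not answer at all,
        # which is the "stealth" behaviour asked for; admin access is via serial console.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ web server, only the published ports (address rewritten by DNAT below)
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept
        # Internal network (behind the inner firewall) -> internet, masqueraded in postrouting
        iifname $INNER oifname $WAN ip saddr $INTERNAL_NET accept
        # Internal network -> DMZ web server on the same published ports
        iifname $INNER oifname $DMZ ip saddr $INTERNAL_NET ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
        # DMZ hosts never get to open connections toward the inner link: they fall to the drop policy,
        # so a compromised web server cannot reach the internal network or the firewall's management side.
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish only the web server; every other inbound port is dropped by the filter table
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Masquerade the internal network's traffic leaving toward the internet
        oifname $WAN ip saddr $INTERNAL_NET masquerade
    }
}
```

The inner firewall gets the mirror image: it forwards from the internal network outward and accepts nothing new from the DMZ side, which is why the database question in the thread (a DMZ web server talking to an internal database) needs its own explicit, narrowly scoped rule rather than a blanket allow.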