LLLActive@GMX.Net wrote:
Hi all,
At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an ERP system. The data of the ERP system lies on a DRBD cluster server (CS), with an NFS4 export of the directory of the database. The web server has the NFS4 mounted as a directory.
CS (NFS4 export /Data) --> WS (NFS4 mount /Data)
I now want to present the web server to external access via DMZ, but keep the Data base server (CS) in the Internal Network.
Can a DMZ with 2 SuSEfirewall2 firewalls (FW1 & FW2) be safely configured for the WS in the DMZ that has the NFS 4 mount for the Data Base that lies in the Internal Network on the file server, where only the WS is allowed to cross the Internal FW2 for Data on the CS?
Of course it can, and you do not need two firewalls for that either; the netfilter package (for which e.g. SuSEfirewall2 is only a wrapper) can easily filter traffic between probably a dozen network interfaces. Come to think of it: you cannot even run two "firewalls" simultaneously in the Linux kernel. You can run more than one SuSEfirewall2 wrapper, but that would be silly.
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)
Is there another way such Data Base data is provided to web servers in the DMZ than with NFS?
A network socket comes to mind, like e.g. MySQL uses TCP port 3306 between client and server. Much safer (no RPC running anymore) and easier to filter.

Theo
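The single-firewall layout described in the reply, sketched as a netfilter ruleset (an added example, not part of the original thread): one host with three interfaces, where only the web server may open connections to the cluster server, and only on one TCP port. Interface names and IP addresses are constructed placeholders; port 3306 is the MySQL port named in the reply, and 2049 is the NFSv4 port if the mount is kept.

```shell
#!/bin/sh
# Added example: every name and address below is an assumed placeholder.
EXT_IF=eth0            # Internet-facing interface
DMZ_IF=eth1            # DMZ segment holding the Apache web server (WS)
INT_IF=eth2            # internal network holding the DRBD cluster server (CS)
WS_IP=192.168.10.10    # WS address in the DMZ
CS_IP=192.168.20.20    # CS address on the internal network

# gen_rules [port] prints a ruleset in iptables-restore format.
# port is the only TCP port WS may reach on CS (default 3306; use 2049 for NFSv4).
gen_rules() {
    port=${1:-3306}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $WS_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $INT_IF -s $WS_IP -d $CS_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix "DMZ->INT denied: "
COMMIT
EOF
}

# Usage (as root):  gen_rules 3306 | iptables-restore --test
# Drop --test to load the ruleset. Management access to the firewall itself
# and intranet-to-WS traffic are deliberately left out and need their own rules.
```

With the FORWARD policy set to DROP, anything a compromised web server sends toward the internal network other than that one port is dropped and logged.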