Running firewall and services on one box?
Hello SuSE folkz, I apologize for such a stupid question, but my dept. manager didn't approve additional spending for firewall hardware, not even an el-cheapo Pentium PC. He insists on running the firewall on the same box as the Web, DB, NFS and Mail servers to cut our department's costs. So, I need to show him a justification for why it's a dangerous practice. His position on this issue is that using iptables you can separate the Internet NIC from the Intranet NIC, set up NAT and masquerading, and put all unnecessary ports on the Internet interface in stealth mode. All necessary services for the internal network will be provided on the Intranet NIC separately from the Internet NIC. If a hacker breaks through the firewall into the DMZ, the (Web, DB, Mail) server will become vulnerable anyway. So he doesn't see a point in separating the firewall from the other servers. Could somebody please provide an explanation of this issue or point me to a source of information, so I can show it to my stubborn manager? Thank you very much in advance. Alex
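The layout the manager describes, as an added example that is not part of the original thread: one host with an Internet NIC and an Intranet NIC, iptables accepting only Web and Mail on the Internet side, the intranet masqueraded behind it, and everything else on the Internet NIC silently dropped. The script emits the rules instead of applying them, and includes the check a practitioner wants on a combined box: listing which daemons bind all addresses (0.0.0.0), since on a single host the ruleset is the only thing keeping those ports off the Internet NIC. Interface names (eth0/eth1), the 192.168.1.0/24 network, the port lists and the sample netstat lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, addresses,
# ports and the sample listener table below are assumptions for illustration.
EXT_IF="eth0"                      # Internet NIC (assumed name)
INT_IF="eth1"                      # Intranet NIC (assumed name)
INT_NET="192.168.1.0/24"           # assumed internal network
EXT_PORTS="80 25"                  # only Web and Mail face the Internet
INT_PORTS="80 25 3306 111 2049"    # intranet also gets DB, portmap and NFS

# Emit the iptables commands rather than running them, so the ruleset can be
# reviewed first. Apply on the host with:  sh thisscript.sh rules | sh
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Services the Internet NIC is allowed to answer on
    for p in $EXT_PORTS; do
        echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Services offered to the intranet only (source-restricted as well)
    for p in $INT_PORTS; do
        echo "iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # portmap and NFS also speak UDP
    for p in 111 2049; do
        echo "iptables -A INPUT -i $INT_IF -s $INT_NET -p udp --dport $p -j ACCEPT"
    done
    # Intranet hosts go out masqueraded behind the Internet address
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
    # Everything else arriving on the Internet NIC is dropped silently ("stealth")
    echo "iptables -A INPUT -i $EXT_IF -j DROP"
}

# Reads "netstat -ltn" style lines on stdin and prints each TCP port bound on
# 0.0.0.0 that is not in EXT_PORTS. A daemon bound on 0.0.0.0 listens on every
# interface, so each port printed here is reachable from the Internet NIC the
# moment the rules above are flushed, mis-ordered or not loaded at boot.
unfiltered_wildcard_ports() {
    awk -v allow="$EXT_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, f, ":")
            if (!(f[2] in ok)) print f[2]
        }' | sort -n | uniq
}

# Constructed sample, not real output: what "netstat -ltn" might show on the
# combined box when DB, portmap and NFS bind all addresses and only sshd is
# bound to the intranet address.
sample_listeners() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
EOF
}

case "${1:-}" in
    rules) build_rules ;;
    check) unfiltered_wildcard_ports ;;        # e.g. netstat -ltn | sh thisscript.sh check
    demo)  sample_listeners | unfiltered_wildcard_ports ;;
esac
```

Running `sh thisscript.sh demo` prints 111, 2049 and 3306: the three services that exist on the Internet NIC only because a DROP rule says so. On a separate firewall host none of those daemons would be present at all, which is the difference between filtering a port and not having it.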
Security issues aside, I think this is a bad idea because you have one point of failure for all your services. If the hardware goes out, nothing works (web, db, mail or firewall). I know lots of places that run like this, and even know a consultant that recommends this setup, and in theory it works, but I wouldn't recommend it seeing as how hardware is so cheap nowadays. On Wednesday 01 May 2002 12:40 pm, Alex Daniloff wrote:
> Hello SuSE folkz, I apologize for such a stupid question, but my dept. manager didn't approve additional spending for firewall hardware, not even an el-cheapo Pentium PC. He insists on running the firewall on the same box as the Web, DB, NFS and Mail servers to cut our department's costs. So, I need to show him a justification for why it's a dangerous practice. His position on this issue is that using iptables you can separate the Internet NIC from the Intranet NIC, set up NAT and masquerading, and put all unnecessary ports on the Internet interface in stealth mode. All necessary services for the internal network will be provided on the Intranet NIC separately from the Internet NIC. If a hacker breaks through the firewall into the DMZ, the (Web, DB, Mail) server will become vulnerable anyway. So he doesn't see a point in separating the firewall from the other servers.
> Could somebody please provide an explanation of this issue or point me to a source of information, so I can show it to my stubborn manager? Thank you very much in advance.
> Alex
-- Chad Whitten Network/Systems Administrator neXband Communications cwhitten@nexband.com
participants (2)
- Alex Daniloff
- Chad Whitten