Re: [opensuse] Public IP Webserver behind SuSEfirewall2 & FW_MASQUERADE
On Sunday 19 April 2009 17:56:53 LLLActive@GMX.Net wrote:
I take it I can direct the requests to the DynDNS firewall port 80 to the webserver in the DMZ on port 81 with
0/0,192.168.176.10,tcp,80,81
Well, yes, but then you won't be able to access the web server running directly on the firewall
This can also be done with the webserver in the DMZ wanting the data (through its own gateway) over the internal network firewall (asking at port 1927) to be directed to the private IP 192.168.0.10 on port 1972?
Yes, but be careful with that. You don't want to punch holes into your internal network just any which way. It defeats the purpose of having a DMZ.
Anders
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Anders Johansson wrote:
On Sunday 19 April 2009 17:56:53 LLLActive@GMX.Net wrote:
I take it I can direct the requests to the DynDNS firewall port 80 to the webserver in the DMZ on port 81 with
0/0,192.168.176.10,tcp,80,81
Well, yes, but then you won't be able to access the web server running directly on the firewall
This can also be done with the webserver in the DMZ wanting the data (through its own gateway) over the internal network firewall (asking at port 1927) to be directed to the private IP 192.168.0.10 on port 1972?
Yes, but be careful with that. You don't want to punch holes into your internal network just any which way. It defeats the purpose of having a DMZ.
Anders
Yes, I thought of that. Maybe using separate NICs between the two machines in a separate private network all by themselves will do. If the webserver is compromised, then all is also compromised. Just how does one get such a setup secure, without putting your data in the DMZ?
Internet -- firewall 1 -- DMZ with Webserver -- firewall 2 -- Database server
:-)
Al
On Sunday 19 April 2009 18:08:10 LLLActive@GMX.Net wrote:
Yes, I thought of that. Maybe using separate NICs between the two machines in a separate private network all by themselves will do. If the webserver is compromised, then all is also compromised.
Just how does one get such a setup secure, without putting your data in the DMZ?
Internet -- firewall 1 -- DMZ with Webserver -- firewall 2 -- Database server
Normally you do put the data in the DMZ. Enough for your web needs, at least. Your main database can then be on the internal network, and your DMZ then has a data pump to feed it, in some fashion.

Ideally this would be a "push only" connection, with no inbound connections allowed at all, so that the internal server synced with the external machine regularly through some data transfer protocol.

For optimal security, there would be no connection to the internal network allowed at all, in either direction. The data would then be synced manually, perhaps by copying it on a USB device.

It all depends on how much effort you want to go to, how much your security is worth. Very high security requires effort.
Anders
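As an added example (not code posted in this thread), here is what the layout discussed above looks like in /etc/sysconfig/SuSEfirewall2 terms: the port-80 redirect from the first message, the DMZ-to-internal FW_FORWARD rule Anders warns against set beside a push-only rule in which only the internal host may open a connection into the DMZ, and a small check that flags any forward rule whose source is the DMZ and whose destination is the internal network. The addresses 192.168.176.10, 192.168.0.10 and port 1972 come from the thread; the interface names eth0/eth1/eth2, the two /24 prefixes and the use of port 22 for the push are assumptions.

```shell
#!/bin/sh
# Added example for the thread above, not the list's or SUSE's own config.
# /etc/sysconfig/SuSEfirewall2 is sourced as shell, so this fragment is
# valid there; interface names and the /24 prefixes are assumptions.

FW_DEV_EXT="eth0"            # interface the DynDNS name points at (assumed)
FW_DEV_DMZ="eth1"            # 192.168.176.0/24, web server at .10 (assumed /24)
FW_DEV_INT="eth2"            # 192.168.0.0/24, database at .10 (assumed /24)
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24 192.168.176.0/24"

# The line from the thread: TCP/80 arriving from anywhere is DNATed to the
# DMZ web server on port 81.  As Anders notes, this captures port 80 on the
# firewall itself, so a web server running on the firewall is no longer
# reachable from outside.
FW_FORWARD_MASQ="0/0,192.168.176.10,tcp,80,81"

# FW_FORWARD format: src_net,dst_net,protocol,dport
# Weak: the DMZ web server may open connections into the internal network
# (the hole the thread warns about; port 1972 from the thread).
FW_FORWARD_WEAK="192.168.176.10/32,192.168.0.10/32,tcp,1972"

# Push-only: only the internal database host may open a connection into the
# DMZ (e.g. an rsync-over-ssh push on port 22, an assumption); replies ride
# on the connection-tracking state, nothing from the DMZ side is forwarded in.
FW_FORWARD_PUSH="192.168.0.10/32,192.168.176.10/32,tcp,22"

# The real variable is FW_FORWARD; pick the push-only set.
FW_FORWARD="$FW_FORWARD_PUSH"

# check_forward DMZ_PREFIX INT_PREFIX "FW_FORWARD value"
# Prints every rule whose source lies in the DMZ prefix and whose
# destination lies in the internal prefix.  Returns 1 if any such rule
# exists, 0 otherwise.  Matching is a dotted-quad prefix match, which is
# enough for the /24 networks assumed here, not a general CIDR test.
check_forward() {
    dmz_prefix=$1; int_prefix=$2; rules=$3
    bad=0
    for rule in $rules; do
        src=${rule%%,*}          # first comma-separated field
        rest=${rule#*,}
        dst=${rest%%,*}          # second field
        case $src in
            "$dmz_prefix"*)
                case $dst in
                    "$int_prefix"*) echo "DMZ->internal hole: $rule"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}
```

Run the check against whatever you end up putting in FW_FORWARD, for example `check_forward 192.168.176. 192.168.0. "$FW_FORWARD"`; a non-zero exit means the DMZ can initiate into the internal network, which is exactly the setup the reply argues against.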
participants (2)
- Anders Johansson
- LLLActive@GMX.Net