[opensuse] Web Server in DMZ accessing Database in Internal Network
Hi all,
At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an erp system. The data of the erp system lies on a DRBD cluster server (CS), with a NFS4 export of the directory of the database. The web server has the NFS4 mounted as a directory.
CS (NFS4 export /Data) --> WS (NFS4 mount /Data)
I now want to present the web server to external access via DMZ, but keep the Data base server (CS) in the Internal Network.
Can a DMZ with 2 SuSEfirewall2 firewalls (FW1 & FW2) be safely configured for the WS in the DMZ that has the NFS 4 mount for the Data Base that lies in the Internal Network on the file server, where only the WS is allowed to cross the Internal FW2 for Data on the CS?
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)
Is there another way such Data Base data is provided to web servers in the DMZ than with NFS?
TIA for any suggestions.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
LLLActive@GMX.Net wrote:
Hi all,
At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an erp system. The data of the erp system lies on a DRBD cluster server (CS), with a NFS4 export of the directory of the database. The web server has the NFS4 mounted as a directory.
CS (NFS4 export /Data) --> WS (NFS4 mount /Data)
I now want to present the web server to external access via DMZ, but keep the Data base server (CS) in the Internal Network.
Can a DMZ with 2 SuSEfirewall2 firewalls (FW1 & FW2) be safely configured for the WS in the DMZ that has the NFS 4 mount for the Data Base that lies in the Internal Network on the file server, where only the WS is allowed to cross the Internal FW2 for Data on the CS?
Of course it can, and you do not need two firewalls for that either, the netfilter package (for which e.g. SuSEfirewall2 is only a wrapper) can easily filter traffic between probably a dozen network interfaces. Come to think of it: you can not even run two "firewalls" simultaneously in the Linux kernel, you can run more than one SuSEfirewall2 wrappers, but that would be silly.
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)
Is there another way such Data Base data is provided to web servers in the DMZ than with NFS?
A network socket comes to mind, like e.g. MySQL uses TCP port 3306 between client and server. Much safer (no RPC running anymore) and easier to filter.
Theo
Hi Theo, THX for the reply, --> below
Theo van Werkhoven wrote:
LLLActive@GMX.Net wrote:
Hi all,
At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an erp system. The data of the erp system lies on a DRBD cluster server (CS), with a NFS4 export of the directory of the database. The web server has the NFS4 mounted as a directory.
CS (NFS4 export /Data) --> WS (NFS4 mount /Data)
I now want to present the web server to external access via DMZ, but keep the Data base server (CS) in the Internal Network.
Can a DMZ with 2 SuSEfirewall2 firewalls (FW1 & FW2) be safely configured for the WS in the DMZ that has the NFS 4 mount for the Data Base that lies in the Internal Network on the file server, where only the WS is allowed to cross the Internal FW2 for Data on the CS?
Of course it can, and you do not need two firewalls for that either, the netfilter package (for which e.g. SuSEfirewall2 is only a wrapper) can easily filter traffic between probably a dozen network interfaces. Come to think of it: you can not even run two "firewalls" simultaneously in the Linux kernel,
I meant two separate HW boxes each with SuSEfirewall2.
you can run more than one SuSEfirewall2 wrappers, but that would be silly.
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)
Is there another way such Data Base data is provided to web servers in the DMZ than with NFS?
A network socket comes to mind, like e.g. MySQL uses TCP port 3306 between client and server. Much safer (no RPC running anymore) and easier to filter.
Theo
I know of the socket connection between a SAP-App-Server and SQL-DB-Server from SAP I installed about 5 years ago. The present Setup does not separate the machines in that way, but I will look into such a possibility with this erp.
For the medium term, I need a solution with the NFS4 share being as safe as possible.
I have read of a 3 NIC SuSEfirewall2 setup, where the one card is declared EXT, another DMZ, and the third INT. The DMZ NIC is on a switch to the WS, and the Internal NIC on a switch to the Internal Network where the CFS with the data lives.
I believe to have read that in such a case, for SuSEfirewall2, linking between the DMZ and Internal Network is easily opened for DMZ machines that need access, e.g. the NFS4 Share. Is the NFS4 Share then not open to the DMZ in general? How do I protect the NFS4 Share from EXT? Could it be configured to be only open to the WS (MAC?) on the DMZ-NIC and no one else in the DMZ or EXT at all, or am I on a wrong track?
How is this set up in YaST of SuSEfirewall2?
TIA - Al
LLLActive@GMX.Net wrote:
Theo van Werkhoven wrote:
LLLActive@GMX.Net wrote:
Hi all,
At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an erp system. The data of the erp system lies on a DRBD cluster server (CS), with a NFS4 export of the directory of the database. The web server has the NFS4 mounted as a directory.
CS (NFS4 export /Data) --> WS (NFS4 mount /Data)
I now want to present the web server to external access via DMZ, but keep the Data base server (CS) in the Internal Network. [..] FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data) [..] For the medium term, I need a solution with the NFS4 share being as safe as possible.
I have read of a 3 NIC SuSEfirewall2 setup, where the one card is declared EXT, another DMZ, and the third INT. The DMZ NIC is on a switch to the WS, and the Internal NIC on a switch to the Internal Network where the CFS with the data lives.
I believe to have read that in such a case, for SuSEfirewall2, linking between the DMZ and Internal Network is easily opened for DMZ machines that need access, e.g. the NFS4 Share. Is the NFS4 Share then not open to the DMZ in general? How do I protect the NFS4 Share from EXT? Could it be configured to be only open to the WS (MAC?) on the DMZ-NIC and no one else in the DMZ or EXT at all, or am I on a wrong track?
It can. The wrapper (SuSEfw2 in this case) is configured to deny or drop all traffic by default, but has "holes" poked in to let only the traffic through that *you* want. You can enable access to the DMZ per Internet host if you want (for SSH access e.g.), but normally you enable e.g. HTTP to the DMZ, and make a blacklist for really obnoxious network ranges.
How is this set up in YaST of SuSEfirewall2?
Sorry, with that I can not help you, as I have moved to the Shoreline Firewall a long time ago. "Shorewall" is using the same Linux netfilter base, but has IMHO a much cleaner interface to the user, with very nice logging and monitoring capabilities and a very easy to use set of config files, in case you need to do things beyond the most basic of set-ups. Have a look and compare: http://www.shorewall.de/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.2/shorewal...
You need the latest shorewall-common and shorewall-perl RPMs, which install effortlessly in openSUSE.
- Note: SuSEfw2 needs to be disabled, otherwise the two wrappers will bite each other.
- Read the documentation, e.g. http://www.shorewall.net/GettingStarted.html and specifically http://www.shorewall.net/three-interface.htm
Cheers, Theo
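The rule set below is an added example, not code from the thread or from SuSEfirewall2 or Shorewall. It shows in plain netfilter (iptables) terms the design Theo describes in both of his replies: one firewall host with EXT, DMZ and INT interfaces, a default-drop FORWARD policy, and exactly two holes poked in it: the Internet may reach the web server (WS) on HTTP/HTTPS, and only the WS, matched by its DMZ address and ingress interface, may reach one TCP port on the cluster server (CS). The interface names eth0/eth1/eth2, the addresses 192.0.2.10 and 10.0.0.5, and the port choices are assumptions; by default the data port is 2049 (NFSv4 over TCP, the share Al wants to keep) and it can be set to 3306 for the MySQL socket alternative Theo suggests. The script only prints the rules until `IPT=iptables` is set, so the generated set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread: netfilter FORWARD rules for the
# three-interface layout discussed above (EXT, DMZ, INT on one firewall host).
# Interface names, addresses and ports below are assumptions; override them
# through the environment to match the real hosts.
EXT_IF="${EXT_IF:-eth0}"        # assumed: NIC towards the Internet
DMZ_IF="${DMZ_IF:-eth1}"        # assumed: NIC on the switch with the web server (WS)
INT_IF="${INT_IF:-eth2}"        # assumed: NIC on the switch with the cluster server (CS)
WS_IP="${WS_IP:-192.0.2.10}"    # assumed DMZ address of WS (documentation range)
CS_IP="${CS_IP:-10.0.0.5}"      # assumed internal address of CS
DATA_PORT="${DATA_PORT:-2049}"  # 2049 = NFSv4 over TCP; use 3306 for a MySQL socket
IPT="${IPT:-echo iptables}"     # dry run: prints the rules; set IPT=iptables to apply as root

fw_rules() {
    # Routed traffic is dropped unless one of the holes below matches it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies belonging to a connection that a hole below has admitted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hole 1: Internet to the web server only, and only HTTP/HTTPS.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WS_IP" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Hole 2: only the WS (matched by ingress NIC and address) to the one
    # data port on CS; other DMZ hosts and everything from EXT stay out.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$WS_IP" -d "$CS_IP" \
        -p tcp --dport "$DATA_PORT" -m state --state NEW -j ACCEPT
    # The DROP policy already denies the rest; log crossings into INT so
    # attempts from the DMZ or from outside are visible in the kernel log.
    $IPT -A FORWARD -o "$INT_IF" -j LOG --log-prefix "fw INT drop: "
}

# Number of holes (ACCEPT rules for new connections). A review of the
# generated set should find exactly two, matching the design above.
hole_count() {
    fw_rules | grep -- '--state NEW' | grep -c -- '-j ACCEPT'
}

fw_rules
```

Two points that follow from the rules rather than from the thread: the WS is identified by source address plus ingress interface, which is the usual choice; netfilter can also match the source MAC on the DMZ interface (`-m mac --mac-source`), but that only works on the directly attached segment and adds little, so the stronger second line is to restrict the export on CS itself (the NFS export, or the database's grant/bind address) to the WS address as well. And NFSv4, when the client mounts with version 4 only, needs just TCP port 2049 through the firewall, unlike NFSv3 with its portmapper and mountd on dynamic ports; a database socket such as MySQL's 3306 is equally a single port, which is what makes both cheap to filter.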