Setting up a router in front of my server

Derek Martin invalid at pizzashack.org
Sat Apr 2 11:36:45 EST 2005


On Sat, Apr 02, 2005 at 01:40:01AM -0500, David Kramer wrote:
> I'm reading up on the whole DMZ concept, and it seems like a
> straight pass-through, so what does that buy you over hooking up the
> machine straight to the DSL modem?  It means I don't have to
> configure individual ports to go to my server, but it adds no
> protection to my server either.

The DMZ concept is simple, really.  It is a separate network which can
access and be accessed by the Internet, and it can be accessed by your
internal network, but it can not directly access the internal network
(it can respond to requests, but not initiate them).  The purpose of
this is so that if your DMZ hosts are compromised, they can't easily
be used to gain access to your internal network.  Naturally, the
firewall should be configured such that NO access from the Internet to
your internal network is permitted...  Originally, IIRC, DMZs were
constructed with their own separate firewall from the one which
protected the internal network...  But these days most sites find it a
lot more economical to use a single, triple-homed firewall for
connecting the three networks.

That said, I have only ever used commercial grade firewalls like the
Cisco PIX, or Linux boxes, to implement my firewalls (and DMZs), so I
don't have any experience using these home appliance gadgets, nor any
knowledge of how they implement their DMZs.  I've heard that the DMZ
implemented in SOME such devices is sub par, but I can't speak to that
in any useful way.  I'd use a Linux box for this, personally.  [Or
possibly, since I've been looking for an excuse to learn the various
*BSDs, I might go that route next time I need to build a DMZ.]

> I can probably ditch rsync, 

And you probably should.  rsync can be run over ssh, and that's the
safest way to do it, unless you need to provide anonymous rsync access
for some reason...

> I also forget how AIM/Yahoo/MSN messengers are working without holes
> for their protocols.  Do they go over port 80?

MSN can, and I believe yahoo can, but I don't use AIM so I'm not sure.
Some protocols may or may not lose some functionality when using the
HTTP method to connect...

> I assume I should continue to run SuseFirewall on my server even if it's 
> protected by the router, right?  

Sure, it provides extra protection in case someone uses the
non-disableable backdoor password in your appliance to open up all
your ports... ;-) [I'm not suggesting I know that yours has one, but
there have been many network devices built which had such things...]
In the event that your appliance is compromised in some way, the
host-based firewall on the server will provide extra protection.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
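The triple-homed DMZ layout Derek describes (Internet reaches only the published services in the DMZ, the internal network can reach the DMZ and the Internet, the DMZ can answer but never initiate toward the internal network, and nothing from the Internet reaches the internal network) as an iptables script. This is an added example, not code from the original thread. The interface names, the 192.168.1.0/24 internal and 192.168.2.0/24 DMZ ranges, the server address 192.168.2.10 and the published ports 80 and 22 are assumptions; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Triple-homed Linux firewall for a DMZ (added example; all addresses and
# interface names below are assumptions, not from the original post).
#   eth0 = DSL/Internet   eth1 = internal LAN 192.168.1.0/24
#   eth2 = DMZ 192.168.2.0/24, server 192.168.2.10 publishing tcp/80 and tcp/22
# IPT=echo prints the rules instead of applying them.
set -eu
IPT=${IPT:-iptables}
EXT=${EXT:-eth0}; INT=${INT:-eth1}; DMZ=${DMZ:-eth2}
INT_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_HOST=192.168.2.10
DMZ_PORTS=${DMZ_PORTS:-"80 22"}

dmz_firewall() {
    # Default deny for everything the box forwards; anything not listed below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F FORWARD
    $IPT -t nat -F

    # Replies to already-accepted connections may flow in any direction. This is
    # what lets a DMZ host answer an internal request without being allowed to
    # start a connection of its own toward the internal network.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only the published ports, translated to the DMZ server.
    for p in $DMZ_PORTS; do
        $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZ_HOST"
        $IPT -A FORWARD -i "$EXT" -o "$DMZ" -d "$DMZ_HOST" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Internal -> DMZ and internal -> Internet: new connections allowed.
    $IPT -A FORWARD -i "$INT" -o "$DMZ" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> Internet: allowed (updates, DNS, mail). DMZ -> internal: logged and dropped,
    # so a compromised DMZ host cannot be used as a stepping stone.
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -s "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$INT" -j LOG --log-prefix "DMZ->INT blocked: "
    $IPT -A FORWARD -i "$DMZ" -o "$INT" -j DROP

    # Internet -> internal: no rule at all, so the FORWARD DROP policy applies.
    # Both private networks share the external address on the way out.
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

if [ "${DMZ_APPLY:-0}" = 1 ]; then
    dmz_firewall
fi
```

Run with `DMZ_APPLY=1` as root to load the rules, or `IPT=echo DMZ_APPLY=1 sh dmz.sh` to review them first. The one rule that does the real work is the ESTABLISHED,RELATED accept at the top: every other line only says who may open a connection, and the DMZ is simply never given a line pointing at eth1.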

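The "run rsync over ssh" advice above, as an added example that is not part of the original thread: a restricted authorized_keys entry on the server so the client's key can run rsync and nothing else, plus the matching client-side push. It assumes rsync's rrsync helper is installed on the server, a backup target of /srv/backup and a client at 192.168.1.20; all three are assumptions, not from the post.

```shell
#!/bin/sh
# rsync over ssh with a key that is good for nothing but rsync (added example).
# Assumed: the server has rsync's rrsync helper on its PATH and the backups land
# under /srv/backup; the only client allowed to use the key is 192.168.1.20.
set -eu

# authorized_keys line for the server: the key may only run rrsync inside one
# directory, gets no shell, pty, port or agent forwarding, and is accepted only
# from the named client address.
restricted_key_line() {   # $1 = client address, $2 = base directory, $3 = public key
    printf 'from="%s",command="rrsync %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2" "$3"
}

# Client side: push a directory to the server. Everything rides inside ssh, so
# the rsync daemon port (873) never has to be opened on the firewall. Paths on
# the remote side are relative to the rrsync base directory.
push_over_ssh() {         # $1 = local directory, $2 = user@server, $3 = identity file
    rsync -a --delete -e "ssh -i $3 -o BatchMode=yes" "$1/" "$2:/"
}
```

Append the line from restricted_key_line to ~backup/.ssh/authorized_keys on the server (with the client's public key as the third argument), then call push_over_ssh from the client, for example `push_over_ssh /var/www backup@server ~/.ssh/backup_key`.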

