
From: Arne Blankerts (blankerts_at_salesemotion.de)
Date: Wed 08 Sep 2004 - 13:13:16 BST


On Wed, 2004-09-08 at 13:37, Brian wrote:
> I like to restrict the database server. no NAT.
> yes, it's the same interface but no one can go from the internet to the
> database. The Database vserver are only in private network with eg.
> 10.10.10.1... only local vserver can access the DB Server. other point is
> I have only 4 public IP Addresses.
> not good ? :-)

Some general rules to apply:
1. No services on the firewall
2. A firewall is supposed to be a physically separated box

Having all the IPs bound to the same physical interface on the same
physical box renders any firewall functionality gained by a DMZ setup
useless.

As Herbert already put it, you can use the dummy0 interface for the
vservers and SNAT/DNAT the ports you want to have access to from the
outside, or add a 2nd physical interface to the box:

 eth0: internet
 eth1: lan
 
 eth1:xxx - vserver

There is NO way of avoiding NAT when talking about security and having
all services bound to the same physical IP.

Being limited in real IPs is not a big problem since DNAT/SNAT can
pretty much help around that.

>
> thanx, Brian
>
>
>
> ----- Original Message -----
> From: "Herbert Poetzl" <herbert_at_13thfloor.at>
> To: "Brian" <brian_ffm_at_hotmail.com>
> Cc: <vserver_at_list.linux-vserver.org>
> Sent: Wednesday, September 08, 2004 10:38 AM
> Subject: Re: [Vserver] DMZ with vserver
>
>
> > On Tue, Sep 07, 2004 at 10:56:36PM +0200, Brian wrote:
> > > is it possible or advisable to install vserver with a DMZ ?
> > >
> > > HOST
> > > eth0 = Internet
> > > eth0:0 = private network
> > >
> > > Vserver1 for Webserver
> > >
> > > eth0 = Internet
> > > eth0:0 = private network
> > >
> > > Vserver2 for Mail
> > >
> > > eth0 = Internet
> > > eth0:0 = private network
> > >
> > > Vserver3 for mysql
> > >
> > > eth0 = private network
> >
> > hmm, well, as I see it, all packets will
> > be sent over the _same_ interface and all
> > servers will have access to both networks
> > (maybe even on the same ip ?) so I do not
> > see much security in that ...
> >
> > maybe assigning just one private network
> > address to each vserver, and using S/DNAT
> > to map specific ports from/to the outside
> >

Mit freundlichen Grüßen/Regards,
    Arne Blankerts

-- 
SalesEmotion GmbH

Arne Blankerts Head of Development

Afrikahaus :: Große Reichenstraße 27 :: 20457 Hamburg Tel. +49 40 20 000 2-0 :: Fax +49 40 20 000 2-22 blankerts_at_salesemotion.de :: www.salesemotion.de

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
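The layout Herbert and Arne describe (one private address per vserver on dummy0, S/DNAT for only the ports that belong on the internet, and nothing published for the database vserver), as an added example that is not from this thread. Interface names, addresses and the ports are constructed assumptions; the function prints the iptables commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Constructed example: eth0 carries the single public address, dummy0
# carries the private /24 the vservers are bound to. A vserver is reachable
# from the internet only through an explicit DNAT; the mysql vserver gets
# none, so it is only reachable from the other vservers on the host.
# All names, addresses and ports below are assumptions for this example.

EXT_IF=eth0
EXT_IP=203.0.113.10         # public address (TEST-NET-3, constructed)
INT_IF=dummy0
INT_NET=10.10.10.0/24
WEB_VS=10.10.10.2           # Vserver1: web
MAIL_VS=10.10.10.3          # Vserver2: mail
DB_VS=10.10.10.4            # Vserver3: mysql, deliberately never DNATed

# dmz_rules prints the iptables commands instead of running them, so the
# result can be read or diffed first and applied later with:  dmz_rules | sh
dmz_rules() {
    # default deny for everything routed between the two interfaces
    printf 'iptables -P FORWARD DROP\n'
    # inbound: publish only the ports that belong on the internet
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$EXT_IP" 80 "$WEB_VS"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$EXT_IP" 443 "$WEB_VS"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$EXT_IP" 25 "$MAIL_VS"
    # outbound: hide the private addresses behind the one public address
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$INT_NET" "$EXT_IF" "$EXT_IP"
    # forwarding: only the published ports inbound, replies, and vserver egress
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$WEB_VS"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 25 -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$MAIL_VS"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$INT_IF" "$EXT_IF" "$INT_NET"
}

# dnat_target reports which private address a public TCP port is published
# to, or "none" if the port is not DNATed at all (the check for the DB port).
dnat_target() {
    dmz_rules | awk -v port="$1" '
        /-j DNAT/ && index($0, "--dport " port " ") {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1)
            found = 1
        }
        END { if (!found) print "none" }'
}
```

Traffic between vservers on the same host uses host-local addresses and never passes the FORWARD chain, so access to the database vserver from the web and mail vservers is unaffected by these rules.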


Generated on Wed 08 Sep 2004 - 13:13:41 BST by hypermail 2.1.3