
From: Sam Vilain (sam_at_vilain.net)
Date: Thu 09 Sep 2004 - 04:46:06 BST


Arne Blankerts wrote:
> Some general rules to apply:
> 1. No services on firewall

I'd rephrase that as no services running with firewall level privileges,
apart from an admin ssh, which can only be connected to from a
privileged zone.

> 2. a firewall is supposed to be a physically separated box

Why? What difference does it make to have packets have to cross a piece
of wire and enter a different network stack? It is especially
irrelevant if you put the same OS and kernel on the firewall.

As vserver becomes more and more complete and audited, the attitude will
be more and more of a superstition. Perhaps for now there is still the
danger of an insecure kernel entry point.

> As Herbert already put it, you can use the dummy0-interface for the
> vservers and snat/dnat the ports you want to have access to from the
> outside or add a 2nd physical interface to the box:
> There is NO way of avoiding nat, talking about security and having
> all services bound to the same physical ip.

While it can be useful, you don't need snat/dnat for this setup. All
you need is port filtering! Once you're on a vserver on the box, you
don't need to do anything special to connect to the private addresses.

ie,

    |
+---+----------------------------+
|   |                            |
| +-------+   +------+   +-----+ |
| | dmz1  |   | app1 |   | db1 | |
| | dmz2  |<->| app2 |<->| db2 | |
| | dmz3  |   | app3 |   | db3 | |
| +-------+   +------+   +-----+ |
|   net1        net2      net3   |
+--------------------------------+

net1 is on eth0:, the external interface. net2 and net3 can be on any
address range whatsoever, and you don't need NAT.

In fact, I have found that there is usually little point in trying to
use discrete "networks" for each zone; simply use a default deny rule
between all hosts, then specifically connect individual hosts and ports.

The only time you need snat/dnat is if you want your "dmz" vservers to
have non-routable addresses.

-- 
Sam Vilain, sam /\T vilain |><>T net, PGP key ID: 0x05B52F13
(include my PGP key ID in personal replies to avoid spam filtering)
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
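An added example, not from the original post or the vserver project: a generator for a default-deny iptables ruleset matching the dmz/app/db layout above, with port filtering only (no NAT) and a single admin ssh hole reachable from a privileged zone. All addresses, ports and the per-N pairing (dmzN to appN to dbN) are assumptions; since every vserver shares the host kernel, inter-vserver traffic traverses INPUT (via lo), not FORWARD, so that is where the zone policy lives.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed addresses:
# net1 = public dmz vservers on eth0, net2/net3 = unroutable app/db ranges.
ADMIN_NET=10.9.0.0/24                    # assumed "privileged zone" for admin ssh
HOST=192.0.2.10                          # host's own address (admin ssh target)
DMZ="192.0.2.11 192.0.2.12 192.0.2.13"   # dmz1..dmz3 (net1)
APP="10.2.0.1 10.2.0.2 10.2.0.3"         # app1..app3 (net2), no NAT needed
DB="10.3.0.1 10.3.0.2 10.3.0.3"          # db1..db3  (net3), no NAT needed

# allow SRC DST DPORT: poke one specific hole between two hosts
allow() {
    echo "-A INPUT -p tcp -s $1 -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# print an iptables-restore ruleset for the filter table
gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # default deny between all hosts and zones
    echo ":FORWARD DROP [0:0]"    # nothing is routed; vserver IPs are all local
    echo ":OUTPUT ACCEPT [0:0]"
    # only pure loopback is trusted on lo; vserver-to-vserver traffic also
    # arrives on lo but with real source addresses, so it is NOT matched here
    echo "-A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # the one service at firewall level: admin ssh from the privileged zone
    allow "$ADMIN_NET" "$HOST" 22
    # public web on the dmz vservers, from anywhere
    for d in $DMZ; do allow 0.0.0.0/0 "$d" 80; allow 0.0.0.0/0 "$d" 443; done
    # dmzN -> appN on the app port, appN -> dbN on the db port; nothing else
    # crosses a zone boundary, and dmz never reaches db directly
    set -- $APP; for d in $DMZ; do allow "$d" "$1" 8080; shift; done
    set -- $DB;  for a in $APP; do allow "$a" "$1" 5432; shift; done
    echo "COMMIT"
}

gen_rules
# to load on the host: gen_rules | iptables-restore
```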


Generated on Thu 09 Sep 2004 - 04:46:33 BST by hypermail 2.1.3