From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Tue 21 Sep 2004 - 11:01:15 BST
On Mon, Sep 20, 2004 at 11:44:26PM +0200, Gilles wrote:
> To what should "IPROOT" be set to be able to set up the equivalent
> of the following, in a (single) vserver:
> serverApp1 listens to the "external" interface (e.g 192.168.12.10)
> serverApp2 listens to the "localhost" interface (127.0.0.1)
> The purpose is for "serverApp1" to serve as a proxy to "serverApp2"
> which shouldn't be reachable from the "outside".
'localhost' i.e. 127.0.0.1 is automagically rewritten
to the 'primary' assigned ip, which will probably cause
some issues if you rely on 127.0.0.1
> Or should I preferably set up 2 different vservers, one for each
> serverApp<x> ?
if possible, that would be a better choice, IMHO
> Is it possible to set up the equivalent of a LAN with a DMZ and
> a "secure" part, all within a single physical machine (with a
> single network adapter)?
yes, it is possible, but it does only make limited
sense if you are concerned about security ...
> Is it explained somewhere, or, if it doesn't make sense, please
> let me know why.
normally you set up a DMZ to create an environment
which allows to be less restrictive but still 'safe'
and exactly this isn't possible if you share the
same network card and/or the same host ...
sorted by increasing security IMHO:
- single host, firewall, services, enduser, 1nic
- single host, firewall, vservers (services), 1nic
- single host, firewall, vservers (services, enduser), 2nic
- separate firewall, 2nic (services), 2nd-host enduser
- separate firewall, 2nic, 2nd-host (services), enduser
- separate firewall, 2nic, 2nd-host vservers (services), enduser
> Thanks and best regards,
> Vserver mailing list
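Added example, not part of the original thread and not Linux-VServer code: a check to run inside the guest that binds a listener to 127.0.0.1 and tests whether it is really confined to loopback, which is what the proxy setup in the question depends on. The function names are hypothetical, and it is an assumption that the rewrite described in the reply is visible through `getsockname()` or through a successful connect to a non-loopback address.

```python
import socket

def local_ipv4_candidates():
    """Loopback plus the address the kernel would use for outbound traffic."""
    found = ["127.0.0.1"]
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1; a UDP connect sends no packet
        if s.getsockname()[0] not in found:
            found.append(s.getsockname()[0])
    except OSError:
        pass  # no route: only loopback can be probed
    finally:
        s.close()
    return found

def is_exposed(bound_ip, reachable_via):
    """True if a 'localhost-only' listener is not confined to 127.0.0.0/8."""
    return not bound_ip.startswith("127.") or any(
        not ip.startswith("127.") for ip in reachable_via)

def probe_loopback_bind(candidates, timeout=1.0):
    """Bind to 127.0.0.1 on a free port, then try to reach it via each address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(8)
        bound_ip, port = srv.getsockname()  # address the kernel actually used
        reachable = []
        for ip in candidates:
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.settimeout(timeout)
            try:
                if c.connect_ex((ip, port)) == 0:
                    reachable.append(ip)
            except OSError:
                pass  # unreachable address counts as not reachable
            finally:
                c.close()
        return {"bound_ip": bound_ip, "reachable_via": reachable,
                "exposed": is_exposed(bound_ip, reachable)}
    finally:
        srv.close()

if __name__ == "__main__":
    print(probe_loopback_bind(local_ipv4_candidates()))
```

On an ordinary host the result shows `exposed: False`; a `True` inside the guest means a service meant for 127.0.0.1 only would be answering on a routable address.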