
From: Gilles (gilles_at_harfang.homelinux.org)
Date: Thu 23 Sep 2004 - 00:44:18 BST


> >
> > [ (nic2) ] <----> [ (nic3) H2 ]
> > Internet <----> [ (nic1) H1 ]
> > [ (nic4) ] <----> [ (nic5) H3 ]
> > [ (nic6) H4 ] etc.
> >
>
> Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...
>
> with a border firewall on H1 and a simple firewall
> and proxy solution on H2, a single vserver on H1
> with CAP_NET_ADMIN and vservers for each service
> on H2. why? because!
>

(1)
What's the difference between "border" and "simple" firewall?

(2)
Can you give some more hints on how H1 should be configured?
In the first place, why have a vserver on H1?
Isn't it sufficient to have a firewall on H1 (the host)?
If not, how do the host and vserver share responsibilities (pppd,
firewall, ...)?

(3)
Why have 2 firewalls? It makes it necessary to maintain 2 configs.
2 layers of protection seem more secure than 1, but if we assume that
H1 can be cracked, then if H1 and H2 run the same firewall software,
H2 will be compromised with the same exploit...

Gilles
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Thu 23 Sep 2004 - 00:41:57 BST by hypermail 2.1.3