From: Matt Nuzum (matt.followers_at_gmail.com)
Date: Thu 23 Sep 2004 - 02:28:07 BST
On Thu, 23 Sep 2004 01:44:18 +0200, Gilles <gilles_at_harfang.homelinux.org> wrote:
> > >
> > > [ (nic2) ] <----> [ (nic3) H2 ]
> > > Internet <----> [ (nic1) H1 ]
> > > [ (nic4) ] <----> [ (nic5) H3 ]
> > > [ (nic6) H4 ] etc.
> > >
> > Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...
> > with a border firewall on H1 and a simple firewall
> > and proxy solution on H2, a single vserver on H1
> > with CAP_NET_ADMIN and vservers for each service
> > on H2. why? because!
> Why having 2 firewalls? It makes it necessary to maintain 2 configs.
> 2 layers of protection seem more secure than 1, but if we assume that
> H1 can be cracked, then if H1 and H2 run the same firewall software,
> H2 will be compromised with the same exploit...
You probably don't comprise a server by finding a flaw in the
firewall, you do it by finding a flaw in one of the sevices it runs
and exploit that. Sendmail, nfs or whatever.
By having a dedicated firewall that does nothing but firewall, i.e.
running no other services, you cut off the ability for someone to hack
You run the second firewall on the box to keep people from poking
where they shouldn't. For example, maybe a new blaster-xp worm comes
into your office via an e-mail attachment and starts hammering every
computer it can find. The firewall on H2 will offer protection.
There are a number of good reasons to put up firewalls on every
computer in the office, so having one on your root vserver makes sense
-- Matthew Nuzum | Makers of "Elite Content Management System" www.followers.net | View samples of Elite CMS in action matt_at_followers.net | http://www.followers.net/portfolio/ _______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver