Re: [opensuse] Web Server in DMZ accessing Database in Internal Network

Hi Theo,

THX for the reply, --> below

Theo van Werkhoven wrote:
LLLActive@xxxxxxx wrote:
Hi all,

At the moment I have an Intranet web server with Apache2 (WS). The web
server provides the web pages for an erp system. The data of the erp
system lies on a DRBD cluster server (CS), with a NFS4 export of the
directory of the database. The web server has the NFS4 mounted as a
directory.

CS (NFS4 export /Data) --> WS (NFS4 mount /Data)

I now want to present the web server to external access via DMZ, but
keep the Data base server (CS) in the Internal Network.

Can a DMZ with 2 SuSEfirewall2 firewalls (FW1 & FW2) be safely
configured for the WS in the DMZ that has the NFS 4 mount for the Data
Base that lies in the Internal Network on the file server, where only
the WS is allowed to cross the Internal FW2 for Data on the CS?

Of course it can, and you do not need two firewalls for that either,
the netfilter package (for which e.g.
SuSEfirewall2 is only a wrapper) can easily filter traffic between
probably a dozen network interfaces.
Come to think of it: you can not even run two "firewalls"
simultaneously in the Linux kernel,
I meant two separate HW boxes each with SuSEfirewall2
you can run
more than one SuSEfirewall2 wrapper, but that would be silly.
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)

Is there another way such Data Base data is provided to web servers in
the DMZ than with NFS?

A network socket comes to mind, like e.g. MySQL uses TCP port 3306
between client and server.
Much safer (no RPC running anymore) and easier to filter.

Theo
I know of the socket connection between a SAP-App-Server and
SQL-DB-Server from SAP I installed about 5 years ago. The present Setup
does not separate the machines in that way, but I will look into such a
possibility with this erp.

For the medium term, I need a solution with the NFS4 share being as safe
as possible.

I have read of a 3 NIC SuSEfirewall2 setup, where the one card is
declared EXT, another DMZ, and the third INT. The DMZ NIC is on a switch
to the WS, and the Internal NIC on a switch to the Internal Network
where the CFS with the data lives.

I believe to have read that in such a case, for SuSEfirewall2, linking
between the DMZ and Internal Network is easily opened for DMZ machines
that need access, e.g. the NFS4 Share. Is the NFS4 Share then not open
to the DMZ in general? How do I protect the NFS4 Share from EXT? Could
it be configured to be only open to the WS (MAC?) on the DMZ-NIC and no
one else in the DMZ or EXT at all, or am I on a wrong track?

How is this set up in YaST of SuSEfirewall2?

TIA - Al
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
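Added example, not part of this thread: a three-NIC /etc/sysconfig/SuSEfirewall2 fragment for the layout Al describes (interface names and the WS/CS addresses are assumed), together with a small shell check that no FW_FORWARD entry opens NFSv4 (TCP 2049) on the CS to any source other than the web server's address. SuSEfirewall2 forwarding rules match on IP addresses or networks, not on MAC addresses, so the restriction is expressed by the WS's IP.

```sh
# /etc/sysconfig/SuSEfirewall2 fragment (added example; interfaces and
# addresses are assumed, not taken from the thread)
FW_DEV_EXT="eth0"        # towards the Internet
FW_DEV_DMZ="eth1"        # switch with the web server (WS)
FW_DEV_INT="eth2"        # switch with the cluster server (CS)
FW_ROUTE="yes"           # required before any FW_FORWARD rule takes effect
FW_MASQUERADE="yes"

WS_IP="10.0.1.10"        # assumed WS address in the DMZ
CS_IP="192.168.1.5"      # assumed CS address on the internal network

# Publish the WS to the outside: DNAT port 80 from EXT to the WS only.
# Format: source,destination,protocol,port
FW_FORWARD_MASQ="0/0,$WS_IP,tcp,80"

# Let exactly one host, the WS, reach NFSv4 (TCP 2049) on the CS.
# Everything else from DMZ to INT stays blocked by the default policy.
FW_FORWARD="$WS_IP,$CS_IP,tcp,2049"

# check_nfs_forward RULES ALLOWED_SRC
# Walks a space-separated FW_FORWARD list and returns 1 if any rule
# opens port 2049 from a source other than ALLOWED_SRC (e.g. 0/0 or
# the whole DMZ subnet), 0 otherwise. Rules for other ports are ignored.
check_nfs_forward() {
    rules=$1
    allowed_src=$2
    for rule in $rules; do
        src=${rule%%,*}
        rest=${rule#*,}
        dst=${rest%%,*}
        rest=${rest#*,}
        proto=${rest%%,*}
        port=${rest#*,}
        case "$port" in
            2049) ;;        # NFSv4 port, inspect the source
            *) continue ;;  # not an NFS rule
        esac
        if [ "$src" != "$allowed_src" ]; then
            echo "too broad: $src -> $dst $proto/$port" >&2
            return 1
        fi
    done
    return 0
}
```

Run the check against the FW_FORWARD string before applying the config; a rule such as "10.0.1.0/24,$CS_IP,tcp,2049" (the whole DMZ subnet) is reported as too broad.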