Re: [opensuse] Web Server in DMZ accessing Database in Internal Network
LLLActive@xxxxxxx wrote:
Theo van Werkhoven wrote:
LLLActive@xxxxxxx wrote:
Hi all,

At the moment I have an Intranet web server with Apache2 (WS). The web
server provides the web pages for an erp system. The data of the erp
system lies on a DRBD cluster server (CS), with a NFS4 export of the
directory of the database. The web server has the NFS4 mounted as a
directory.

CS (NFS4 export /Data) --> WS (NFS4 mount /Data)

I now want to present the web server to external access via DMZ, but
keep the database server (CS) in the Internal Network.
[..]
FW1 --> DMZ (Apache WebServer) --> FW2 --> Intranet (DRBD NFS4 /Data)
[..]
For the medium term, I need a solution with the NFS4 share being as safe
as possible.

I have read of a 3 NIC SuSEfirewall2 setup, where the one card is
declared EXT, another DMZ, and the third INT. The DMZ NIC is on a switch
to the WS, and the Internal NIC on a switch to the Internal Network
where the CFS with the data lives.

I believe I have read that in such a case, for SuSEfirewall2, linking
between the DMZ and Internal Network is easily opened for DMZ machines
that need access, e.g. the NFS4 share. Is the NFS4 share then not open
to the DMZ in general? How do I protect the NFS4 share from EXT? Could
it be configured to be only open to the WS (MAC?) on the DMZ-NIC and no
one else in the DMZ or EXT at all, or am I on the wrong track?

It can. The wrapper (SuSEfw2 in this case) is configured to deny or drop all
traffic by default, but has "holes" poked in to let only the traffic through
that *you* want.
You can enable access to the DMZ per Internet host if you want (for SSH access,
e.g.), but normally you enable e.g. HTTP to the DMZ for everyone, and make a blacklist
for really obnoxious network ranges.

How is this set up in YaST of SuSEfirewall2?

Sorry, with that I can not help you, as I have moved to the Shoreline Firewall
a long time ago.
"Shorewall" is using the same Linux netfilter base, but has IMHO a much cleaner
interface to the user, with very nice logging and monitoring capabilities and
a very easy to use set of config files, in case you need to do things beyond the
most basic of set-ups.

Have a look and compare:
http://www.shorewall.de/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.2/shorewall-4.2.8/
You need the latest shorewall-common and shorewall-perl RPMs, which install effortlessly
in openSUSE.
- Note: SuSEfw2 needs to be disabled, otherwise the two wrappers will bite each other.
- Read the documentation, e.g. http://www.shorewall.net/GettingStarted.html and
specifically http://www.shorewall.net/three-interface.htm

Cheers,
Theo
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
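
The three-interface layout the reply points to, written out as a Shorewall configuration that lets the Internet reach only HTTP/HTTPS on the web server and lets only that one web server reach NFSv4 on the cluster server. This is an added example, not from the original thread and not one of the Shorewall project's own sample files; the interface names (eth0/eth1/eth2), the web server address 172.16.1.10 and the cluster server address 10.0.0.20 are assumed placeholders, and the column layout follows the Shorewall 4.2 file formats the reply links to.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces   (4.2 format still has the BROADCAST column)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy   (default for every pair not listed in rules)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     REJECT  info
dmz     loc     DROP    info
dmz     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules   (the only "holes" in the policy above)
#ACTION  SOURCE              DEST               PROTO   DEST PORT(S)
# Internet -> web server: HTTP/HTTPS only (DNAT because the DMZ uses private addresses).
DNAT     net                 dmz:172.16.1.10    tcp     80,443
# Web server -> cluster server: NFSv4 only. NFSv4 needs just 2049/tcp,
# no rpcbind/mountd as NFSv3 would. Keyed on the WS address, not the whole dmz zone.
ACCEPT   dmz:172.16.1.10     loc:10.0.0.20      tcp     2049
# Admin SSH from the internal network to the web server.
ACCEPT   loc                 dmz:172.16.1.10    tcp     22
# Let both DMZ and internal hosts resolve names via the firewall (assumes a resolver on fw).
DNS/ACCEPT   dmz             fw
DNS/ACCEPT   loc             fw
```

Run `shorewall check` before `shorewall restart` to catch column errors. The answer to the MAC question: because the DMZ NIC sits on its own switch, Shorewall's `maclist` interface option with `/etc/shorewall/maclist` can additionally bind 172.16.1.10 to the web server's MAC, but MAC addresses are trivially spoofed by anything that gains a foothold on the DMZ segment, so treat that as a tripwire rather than a control. The export itself should also be restricted on the cluster server (`/Data 172.16.1.10(rw,sync,...)` in `/etc/exports`), and NFSv4 can carry Kerberos protection (`sec=krb5p`), which is the real answer to "as safe as possible" once the firewall rules are in place.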