It all comes down to how much spare equipment you have. It's always safer to have the services running on a DMZ network. That way you're not opening up your firewall to the various attacks associated with the various Net services. If you've got two routers and a spare machine to provide the bastion-host then you're set. If not, then you do the best you can.
Ask yourself, "What is my security requirement and how much can I spend on installing my defenses?"
I personally would not choose to run my mail and website on the same machine as I'm using for a firewall.
At 08:24 PM 5/22/2001 +0200, T. Schlenkhoff wrote:
Hi there,

I am running a small subnet (/248) and have my mail and my www set to one IP address at the moment. I wonder if it is safer to have my firewall port-forward http, https, pop and smtp to a dmz or if it is better to get two different IP addresses and alias them on one machine (my firewall)?

Any considerations / thoughts are welcome.

Thanks for your input,
tom
--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
eric.valor@lutris.com
- This Space Intentionally Left Blank -