RE: Firewall Related Question

To: James <james@james-web.net>
Cc: Alson van der Meulen <alson@flutnet.org>, Debian Security List <debian-security@lists.debian.org>
Subject: RE: Firewall Related Question
From: tony mancill <tony@mancill.com>
Date: Mon, 22 Oct 2001 10:17:59 -0700 (MST)
Message-id: <Pine.LNX.4.21.0110221013160.18822-100000@bach>
In-reply-to: <ELEOIKGLMMAALONNNHCDAECGCMAA.james@james-web.net>

I'd recommend the former (firewalling on each server).  This will let you
customize the firewall for that server alone, and spread the packet
filtering load and logging.  Also, with no access the Cisco box, you'd
have to either MASQ or SNAT with proxy arps if you do insert a firewall
into the packet path to get the traffic to cross the firewall.  (The Cisco
is going to assume that the subnet with the DMZ address space is still
directly attached.)

Cheers,
tony@mancill.com

On Mon, 22 Oct 2001, James wrote:

> Yes, you could definitely do a firewall on each server.
> 
> Also, have you considered setting up a 4th machine between the Cisco and 3
> servers?  That could work also.  You wouldn't make it a masq box, just
> configure it to pass packets based on the rules.
> 
> - James
> 
> -----Original Message-----
> From: Alson van der Meulen [mailto:alson@flutnet.org]
> Sent: Monday, October 22, 2001 6:58 AM
> To: Debian Security List
> Subject: Re: Firewall Related Question
> 
> 
> On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > I've got some simple questions related to using a Firewall on
> > some single pubblic Debian Boxes, I choose to post my questions
> > here because I've always securitty in mind during the Developing
> > time of my Network Services.
> >
> > Let me asume I've got a simple Network with 3 Pubblic Debian
> > Servers and 1 Cisco Router (Internet Gateway).
> >
> > The router belongs to my Connection ISP so I can't configure it,
> > but onlu use it for Internet connectivity.
> >
> > The 3 Debian Boxes are under my full control.
> >
> > The best way to protect my Debian Servers would be to install
> > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > so my question is: Can I install a Firewall on each of my Debian
> > Boxes to filter/block incoming and outgoing Network Traffic ?
> >
> > Is this a good choice ? or should I put another machine in my
> > Network, between the Gateway and the Servers, which acts as Firewall ?
> You can just configure a packet filter on all your servers, the main
> disadvantage is that it's more difficult to administer

Reply to:

Follow-Ups:
- Re: Firewall Related Question
  - From: Alson van der Meulen <alson@flutnet.org>

References:
- RE: Firewall Related Question
  - From: "James" <james@james-web.net>

Prev by Date: Does Debian need to enforce a better Security policy for packages?
Next by Date: Re: Port Scan for UDP
Previous by thread: RE: Firewall Related Question
Next by thread: Re: Firewall Related Question
Index(es):
- Date
- Thread