
RE: Firewall Related Question

I'd recommend the former (firewalling on each server).  This will let you
customize the firewall for that server alone, and spread the packet
filtering load and logging.  Also, with no access to the Cisco box, you'd
have to either MASQ or SNAT with proxy arps if you do insert a firewall
into the packet path to get the traffic to cross the firewall.  (The Cisco
is going to assume that the subnet with the DMZ address space is still
directly attached.)


On Mon, 22 Oct 2001, James wrote:

> Yes, you could definitely do a firewall on each server.
> Also, have you considered setting up a 4th machine between the Cisco and 3
> servers?  That could work also.  You wouldn't make it a masq box, just
> configure it to pass packets based on the rules.
> - James
> -----Original Message-----
> From: Alson van der Meulen [mailto:alson@flutnet.org]
> Sent: Monday, October 22, 2001 6:58 AM
> To: Debian Security List
> Subject: Re: Firewall Related Question
> On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > I've got some simple questions related to using a Firewall on
> > some single public Debian Boxes, I choose to post my questions
> > here because I've always security in mind during the Developing
> > time of my Network Services.
> >
> > Let me assume I've got a simple Network with 3 Public Debian
> > Servers and 1 Cisco Router (Internet Gateway).
> >
> > The router belongs to my Connection ISP so I can't configure it,
> > but only use it for Internet connectivity.
> >
> > The 3 Debian Boxes are under my full control.
> >
> > The best way to protect my Debian Servers would be to install
> > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > so my question is: Can I install a Firewall on each of my Debian
> > Boxes to filter/block incoming and outgoing Network Traffic ?
> >
> > Is this a good choice ? or should I put another machine in my
> > Network, between the Gateway and the Servers, which acts as Firewall ?
> You can just configure a packet filter on all your servers, the main
> disadvantage is that it's more difficult to administer
