On Tue, Jul 03, 2007 at 09:09:02PM -0500, Ron Johnson wrote:
> On 07/03/07 20:53, Roberto C. Sánchez wrote:
> >On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> >>On 07/03/07 13:25, Andrew Sackville-West wrote:
> >>>Dom0: local file server (video, music, local backups)
> >>>
> >>> DomU1: firewall
> >>I understand the need for a small, "separate" firewall.
> >>
> >>> DomU2: dmz mail/imaps server
> >>> DomU3: dmz apache server
> >>>
> >>>the primary reason is as a testbed for me to learn stuff. It has the
> >>>nice feature of segmenting functionality without more machines
> >>>running.
> >>But then you are trying to statically do (allocate CPU and RAM) what
> >>the kernel can do so much better.
> >>
> >What about that if his webserver gets hacked, then his mail server is
> >safe and vice versa?
>
> If you own the web server, it's likely to be "easy" to crack other
> machines on the network.
>

Except to get to the other machines, there are only certain allowed
ways. For example, assume, from Roberto's comment, that my webserver
gets hacked. Which machines are now easier to hack? Certainly nothing
on my local (non-DMZ) LAN, as those machines are subject to the same
firewall rules as they were before. The rules from the net to local
are the same as the rules from the DMZ to local. Maybe the mail server
is easier (how?) because you are into the DMZ, but the mail server has
the same ports open as it always did: 25 and 993. So what's different?

I'm not asking to refute your claims, but to learn.

A
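The zoning argument in the reply above (DMZ-to-LAN policed exactly like net-to-LAN, the mail DomU reachable only on 25 and 993), as an added example that is not part of the thread: a small first-match policy evaluator over constructed host names, used to compare what a compromised web DomU can reach against what an outside host can reach. The web ports 80/443, the LAN host names and the probed port list are assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Zones from the thread's Xen layout: Internet, DMZ (mail + apache DomUs),
# local LAN behind the firewall DomU. Host names are constructed for the example.
ZONES = {
    "net": {"outside"},
    "dmz": {"mail", "web"},
    "lan": {"fileserver", "desktop"},
}
HOST_ZONE = {h: z for z, hosts in ZONES.items() for h in hosts}

@dataclass(frozen=True)
class Rule:
    src_zone: str      # zone the packet originates in
    dst_host: str      # "*" matches any destination host
    ports: frozenset   # empty set matches any destination port
    action: str        # "accept" or "drop"

# First-match ruleset: only published DMZ services are reachable, and the
# DMZ gets the same (empty) set of permissions towards the LAN as the net.
RULES = [
    Rule("net", "mail", frozenset({25, 993}), "accept"),
    Rule("net", "web",  frozenset({80, 443}), "accept"),   # 80/443 assumed
    Rule("dmz", "mail", frozenset({25, 993}), "accept"),
    Rule("dmz", "web",  frozenset({80, 443}), "accept"),
    Rule("lan", "*",    frozenset(),          "accept"),   # LAN may initiate anywhere
    Rule("net", "*",    frozenset(),          "drop"),
    Rule("dmz", "*",    frozenset(),          "drop"),
]

def decide(src_host, dst_host, port):
    """Return the action of the first rule matching this packet, default drop."""
    src_zone = HOST_ZONE[src_host]
    for r in RULES:
        if r.src_zone == src_zone and r.dst_host in ("*", dst_host) \
                and (not r.ports or port in r.ports):
            return r.action
    return "drop"

PORTS = [22, 25, 80, 139, 443, 993, 2049]   # constructed probe list

def reachable(src_host, dst_zone):
    """Set of (host, port) in dst_zone that src_host is allowed to reach."""
    return {(h, p) for h, p in product(ZONES[dst_zone], PORTS)
            if h != src_host and decide(src_host, h, p) == "accept"}

if __name__ == "__main__":
    print("outside -> LAN:", reachable("outside", "lan"))
    print("compromised web -> LAN:", reachable("web", "lan"))
    print("compromised web -> DMZ:", reachable("web", "dmz"))
```

Running it shows the two LAN sets are identical (both empty) and the only extra exposure after a web compromise is the mail DomU on its already-published ports.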