dmz server setup - opinions

Jeff jeff.dyke at gmail.com
Mon Aug 1 01:54:06 GMT 2005


Chuck Swiger wrote:
> Jeff wrote:
> 
>> I realize this may be partial religion and then potentially bias due 
>> to the list but here goes anyway.
> 
> 
> There is nothing wrong with bias, per se, if you are aware that it 
> exists. :-)
> 
>> I need to build a DMZ server, of sorts, that will sit on the public 
>> internet. It will take in data from embedded devices and in turn 
>> services from behind a firewall will pull data from it to later 
>> process.  The main processes that I need to run are ftpd, httpd, 
>> possibly smtpd (sasl2, tls), and later proprietary code that talks to 
>> the embedded devices.
> 
> 
> A "DMZ server" implies you are setting up a "screened public subnet" 
> along with a backend LAN subnet.  If you are setting up a firewall with 
> three interfaces, OK, but you should avoid running any services on that 
> box except for IPFW/dummynet/PF/ALTQ/whatever.
> 
> If you are setting up a box that has two interfaces, one with a public 
> IP and one doing NAT to a private LAN subnet, that is still a firewall, 
> but you don't have a DMZ.

Understood, that's the reason for the 'of sorts'.
> 
> If need be, you can run proxy services on that box, but it still would 
> be better from the standpoint of security to run them on an internal box 
> via NAT forwarding of whatever ports are needed.
> 
>> Originally I was thinking of using OpenBSD, as it seems to lend itself 
>> very nicely to the public but secure environment.  On the other hand, 
>> if I were to use FreeBSD, I could jail each process, granted I could 
>> also chroot each process in OpenBSD and httpd is already done for me.
>>
>> I will be running a firewall on the box either way and will also have 
>> sshd and rsyncd running, only allowing access from the internal network.
> 
> 
> OK.
> 
>> I have more experience with FreeBSD, but my limited knowledge based 
>> on an install and configuration of OpenBSD 3.7 has made me comfortable 
>> with it as well.
>>
>> Any opinions on which OS is better suited for the task?  Security and 
>> reliability are the foremost concerns (aren't they everyone's?) and I 
>> think both OSes are more than up to the task.
> 
> 
> Both OSes are up to the task.  If you are going to just set up a 
> firewall, using OpenBSD would be an easy choice.
> 
> However, it sounds like you plan to install at least your custom 
> software, a web server, and several other 3rd-party pieces: FreeBSD 
> ports makes doing that and keeping it up-to-date securely very easy via 
> portaudit & portupgrade.
> 
> Many people seem to value things like "cost" and "performance", or even 
> "convenience", more highly than they value "security" or "reliability".  
> Don't take this for a suggestion to change what you are doing, however.  
> :-)
True.  Cost is just my time, and I feel performance between the two is 
negligible (Dell 750, Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd spend 
extra time/money, within reason, for security and reliability... how's it go? 
Pay me now, or pay me later... heh.

I appreciate the input.  I'm now leaning toward going back inside the firewall with 
this, with FreeBSD, using jails for httpd/ftpd and allowing the current external 
firewall to continue its work using NAT, and if I need the DMZ, set up an actual 
one, not just a public cache server, as I had explained here.

again, thanks
jd
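
As an added illustration of the three-interface "screened subnet" layout Chuck describes (not something posted in this thread): a FreeBSD pf.conf that puts the device-facing server in its own subnet, lets only ftp/http/smtp in from the internet, and restricts sshd/rsyncd to the internal host that pulls the data. Interface names, addresses, ports and hosts are assumed placeholders.

```pf
# Three-interface firewall: public side, screened DMZ subnet, backend LAN.
# Interface names, addresses and hosts are placeholders chosen for this example.
ext_if = "em0"                 # public interface
dmz_if = "em1"                 # screened subnet holding the device-facing server
lan_if = "em2"                 # backend LAN

dmz_net   = "192.0.2.0/24"     # placeholder: the screened subnet
dmz_host  = "192.0.2.10"       # placeholder: the ftpd/httpd/smtpd box in the DMZ
lan_net   = "10.0.0.0/24"      # placeholder: private LAN behind the firewall
pull_host = "10.0.0.20"        # placeholder: internal host that pulls the data

pub_ports  = "{ 21, 80, 25 }"  # what the embedded devices may reach
mgmt_ports = "{ 22, 873 }"     # sshd/rsyncd, only from the internal network

set skip on lo0
scrub in all

# LAN clients reach the internet through the firewall's public address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in every direction, logged so blocked traffic shows up in pflog.
block log all

# Traffic may leave any interface once a "pass in" rule below has admitted it;
# the "pass in" rules are the actual policy (pf: last matching rule wins).
pass out all keep state

# Firewall management: ssh to the firewall itself only from the LAN.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port 22 keep state

# LAN -> internet: unrestricted outbound, but not into the DMZ subnet; the
# DMZ rules below are narrower and come later so they take precedence.
pass in on $lan_if from $lan_net to ! $dmz_net keep state

# Internet -> DMZ: only the public services, only to the DMZ host.
pass in on $ext_if proto tcp from any to $dmz_host port $pub_ports keep state

# LAN -> DMZ: the pull host collects data over ssh/rsync; other LAN hosts may
# use the public services. Nothing passes in on $dmz_if toward $lan_net, so a
# compromised DMZ host cannot initiate connections to the backend.
pass in on $lan_if proto tcp from $pull_host to $dmz_host port $mgmt_ports keep state
pass in on $lan_if proto tcp from $lan_net to $dmz_host port $pub_ports keep state

# DMZ -> internet: DNS and NTP only, never toward the LAN.
pass in on $dmz_if proto { tcp, udp } from $dmz_host to ! $lan_net port { 53, 123 } keep state
```

Forwarding between the interfaces also needs gateway_enable="YES" (net.inet.ip.forwarding=1) and pf_enable="YES" in /etc/rc.conf; check the ruleset with pfctl -nf /etc/pf.conf before loading it.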


More information about the freebsd-questions mailing list