Doing Routing On My Production Server

Olivier Nicole on at cs.ait.ac.th
Thu Aug 10 04:01:02 UTC 2006


> I'm updating my firewall and I've found a nifty how-to that recommends 
> using a BSD box in front of another box as your firewall, using the 
> first as a router and passing one NIC to the other box. Can't all that 
> be done from the same box?

I am not sure I know what you are doing. What do you have on your
production server?

If you have one web server as production server and a series of
workstations on a NAT'ed local network, it is possible to have your
production server hook onto the network and do the NAT stuff for your
local network. It works, but it is certainly not advisable (for
anything except a home network?). A web server and a router/NAT are two
very distinct types of machine, resources, needs, so it is better to
leave them separated.

On a web server you will end up adding a lot of ports/external software,
each of them having their possible flaws, and needing frequent
updates; a router is a stock system, etc.

Now the firewall thing. Security is built by adding level after level
of different security features in order to slow down a hacker. There
is no "one solves it all" solution.

So having a global firewall running on a router machine is a good "one
more level" solution. You will still run a firewall on your production
server (and TCP wrappers, and disable unneeded services, and properly
bind each service to only the needed interfaces). And if your
router/firewall is of a different type than your server, maybe one is
faulty and can be broken through, but the second will not open a back door
to the same defect.

In fact, though that is not a commonly shared thought, I like the
firewall to be on an IP-less machine, sitting like an Ethernet device
that cannot be contacted through TCP/IP.

Olivier
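One concrete check for the "bind each service to only the needed interfaces" advice above, added here as an example and not part of the original post: a small POSIX sh function that reads `sockstat -4l`-style output and reports every TCP listener bound to the wildcard address (`*:port`) whose port is not on an allowlist. The allowlist (80 and 443 for a web server) and the sample `sockstat` lines are constructed assumptions; on a real FreeBSD host you would pipe the live `sockstat -4l` output into the function instead.

```shell
#!/bin/sh
# Added example (not from the original post). Reads FreeBSD sockstat -4l
# style lines (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS)
# and flags TCP listeners bound on all interfaces ("*:port") whose port
# is not explicitly allowed. Services bound to one specific address are
# considered correctly scoped and are not reported.

# Ports a public web server is expected to expose on every interface.
ALLOWED_PORTS="80 443"

# check_wildcard_listeners "port list" < sockstat-output
# Prints one line per unexpected wildcard listener; returns 1 if any.
check_wildcard_listeners() {
    allowed="$1"
    found=0
    while read -r user cmd pid fd proto local foreign; do
        case "$proto" in tcp4|tcp6) ;; *) continue ;; esac   # skip header, UDP
        case "$local" in
            '*:'*) ;;          # bound to all interfaces: inspect it
            *) continue ;;     # bound to a specific address: fine
        esac
        port="${local#*:}"
        ok=0
        for p in $allowed; do
            [ "$p" = "$port" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s (pid %s) listens on %s on all interfaces\n' "$cmd" "$pid" "$local"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of sockstat -4l output (assumed, not captured).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     httpd      812   4  tcp4   *:80                  *:*
root     httpd      812   5  tcp4   *:443                 *:*
mysql    mysqld     640   10 tcp4   *:3306                *:*
root     sshd       501   3  tcp4   192.0.2.10:22         *:*
root     syslogd    402   6  udp4   *:514                 *:*'

if printf '%s\n' "$SAMPLE" | check_wildcard_listeners "$ALLOWED_PORTS"; then
    echo "no unexpected wildcard listeners"
fi
```

On the sample, only `mysqld` on `*:3306` is reported; `sshd` is bound to a single address and the UDP socket is outside the check's scope.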


More information about the freebsd-questions mailing list