Issues with running freebsd web server with firewall on same machine

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
Just curious about something. What issues arise when you put a web server on the same machine as the firewall? I only want the web server to serve HTML and small graphics, so I figure it would be OK to do. Is there any reason not to do this?
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
This is what I am thinking and let me know if I am wrong here.

Let's say I build a solid firewall using FreeBSD and packet filter or iptables. (Can I run packet filter on FreeBSD? I thought it was only for OpenBSD.) I am very diligent to only allow necessary IPs and only the necessary ports to pass. I have all unnecessary services not only stopped but removed if possible. Let's say this is the front end machine that is directly connected to my host's network.

The machine is the following (which is why I chose Free over Open):

Dual CPU Xeon 2.4GHz
2GB RAM
2x 9GB SCSI RAID 0
Onboard GigE NIC
Onboard 10/100

The 10/100 interface will be the public interface.
The GigE interface will be the private interface.

GigE will go to GigE switch with multiple database, application, email servers.....

This is the machine that will be in front, I am getting a good deal and that's that. When I get this particular machine I am allotted more data transfer than with any other machine, so the additional costs of the machine are outweighed by the bonus of additional transfer. My other machines don't need this power, but I want to funnel all traffic through this front end machine because this is where I am getting data transfer cheapest. The entire content of the web site, in regards to HTML and corresponding graphics, is at most 20MB. I figure I can cache this content at boot time. I know I could put the web server behind the firewall and just forward to this machine, but then I have to get an additional machine because I don't want the web server on the database or other servers.

I guess the security risk is that someone could find a weakness in the web server, whereas the rest of the machine is solid, but crack it through the web server? Then maybe run something through the web server to disable the firewall?
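
An added example (not from the original thread, and not anyone's posted config): a pf.conf for the layout described in this post, with the 10/100 interface public, the GigE interface private, only port 80 accepted from the outside, and the firewall host itself allowed to open only the specific back-end ports it needs. pf is in the FreeBSD base system from 5.3 onward. The interface names fxp0 and em0, the addresses, the admin host and the back-end ports are assumptions chosen for illustration.

```pf
# /etc/pf.conf -- added example, assumed names and addresses throughout
ext_if     = "fxp0"            # assumed: onboard 10/100, public side
int_if     = "em0"             # assumed: onboard GigE, private side
int_net    = "10.0.0.0/24"     # assumed private subnet behind the GigE switch
admin_host = "203.0.113.10"    # assumed admin address (documentation range)
db_srv     = "10.0.0.20"       # assumed database server
mail_srv   = "10.0.0.30"       # assumed email server

set skip on lo0
set block-policy drop
scrub in all

# Default deny in both directions on every interface; everything else is an
# explicit exception below.
block in log all
block out log all

# Drop packets that arrive on the wrong interface for their source address.
antispoof quick for { $ext_if, $int_if }

# Public side: only HTTP to the firewall's own address (the web server lives
# here), plus ssh from the admin host. synproxy completes the handshake before
# the connection reaches the web server.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA synproxy state
pass in on $ext_if proto tcp from $admin_host to ($ext_if) port 22 \
    flags S/SA keep state

# Private side: because the web server runs on this box, these outbound rules
# are what bound a web-server compromise. The host may open only these ports
# on the back ends and nothing else toward $int_net.
pass out on $int_if proto tcp from ($int_if) to $db_srv port 3306 \
    flags S/SA keep state
pass out on $int_if proto tcp from ($int_if) to $mail_srv port 25 \
    flags S/SA keep state

# Back-end servers may reach the firewall host for ssh only (administration).
pass in on $int_if proto tcp from $int_net to ($int_if) port 22 \
    flags S/SA keep state

# No NAT or forwarding for $int_net is defined: with the static content served
# from this host, the back ends never need to talk to the outside world.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and set `pf_enable="YES"` in /etc/rc.conf so it loads at boot. The design point is that inbound filtering on $ext_if does nothing to protect the back ends once the web server on this host is compromised; the outbound rules on $int_if are the only thing standing between a compromised httpd and the database and mail servers, so they should name hosts and ports, never `$int_net` as a whole.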

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: TechBoyJK

I guess the security risk is that someone could find a weakness in the web server, where as the rest of the machine is solid, but crack it through the webserver? Then maybe run something through the webserver to disable the firewall?

Bingo. Crack the firewall and you have pretty much unlimited access to the internal networks.
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
Well, you can get around certain things like that by chrooting the webserver (which OpenBSD does by default, as far as I know), but that's still only a 99.9% solution, which still leaves that errant 0.1%.

On a strictly corporate network, you're best separating the two, but I understand if that's not practical. We have a firewall here that is running DHCP, as much as I would like that to change...
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Crack the firewall and you have pretty much unlimited access to the internal networks.

And if the web server is accessible at all the same thing could happen, crack the web server and still be able to do anything because port 80 is forwarded to it via the firewall and unless the firewall is inspecting and 'cleaning' the requests pretty much all traffic will get through.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Nothinman
Crack the firewall and you have pretty much unlimited access to the internal networks.

And if the web server is accessible at all the same thing could happen, crack the web server and still be able to do anything because port 80 is forwarded to it via the firewall and unless the firewall is inspecting and 'cleaning' the requests pretty much all traffic will get through.

Agreed, but that access should be limited to the DMZ, with limited access to the application network and corporate-type network.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Agreed, but that access should be limited to the DMZ, with limited access to the application network and corporate-type network.

True, but he didn't mention a DMZ.
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
No DMZ for this farm, everything needs to be behind a firewall. The front end should only be accepting connections via port 80. Should only be one port of entry.

I had the idea of putting the web server off in a DMZ, but that's beside the point of my problem. I need the web server to be on the front end machine. See, the thing is, I get a killer deal on a certain server, which is only a good deal to me if it's the front end machine since the deal is based on additional bandwidth. The catch is, the machine is a dual Xeon as mentioned in my other post, which in my mind is total overkill for a firewall. I thought about putting the web server first and then forwarding everything else to the firewall, but then there is a firewall between the web server and other application servers, and I don't really want that headache.

It's either this, or I put the web server on one of the application servers, like the email server or something. I dunno, this might be better than putting it on the firewall though.

Are there any devices that are totally RAM based that are good for hosting web pages? Could I just build a machine with no hard drives, compile a custom OS on a 256 MB USB 2.0 thumbdrive, boot from that, and run everything in RAM? I mean, I could easily buy a P3 500 mb+cpu, stick 512 MB of RAM in it, and voila, web server. ???

 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
Boy, does this sound like an odd situation....


So you're leasing or something? I'm assuming that's why the bandwidth and hardware are hand-in-hand...

Just so I don't suggest anything stupid, could you explain the situation a bit more? The machines involved, purposes, and I guess... bandwidth they're each allotted.