Sam Stickland wrote:
Roland Dobbins wrote:
But even more than that, putting your public-facing DNS (or any other kind of server) behind a firewall is a very serious architectural mistake; firewalls in front of public-facing servers provide no security value whatsoever, and degrade the overall security posture due to the issues denoted above.
Roland,

This seems to imply that the servers would need a second interface for management, with static routes overriding the default? Is this your preferred approach?

Sam

If you are using a linux host, not only is it simple enough to use dot1q subinterfaces for internal vs. external interfaces, it's also fairly elegant to use policy routing.

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html

And while you are at it, you should consider adopting the approach that all service addresses are to be only service addresses, put it on a loopback interface.

Here is a simple little init.d script that makes linux pbr convenient.

#!/bin/bash
# bash rather than sh: the script uses the "function" keyword and [[ ]]
PATH=/sbin:/usr/sbin

# table needs to be defined in /etc/iproute2/rt_tables
table="special-exit"

# $1 is the ip(8) verb, "add" or "del"
function policyroute
{
  if [[ -n "$1" ]]; then
    # dedicated table: default route via the exit gateway plus the connected prefix
    ip route "$1" 0.0.0.0/0 table "$table" via 192.168.0.14
    ip route "$1" 192.168.0.0/28 table "$table" dev eth0
    # anything sourced from the service prefix consults that table instead of main
    ip rule "$1" from 192.168.0.0/28 table "$table"
  fi
}

case "$1" in

 delete | stop)
        policyroute del
        ;;
 add | start)
        policyroute add
        ;;
 restart | reload)
        policyroute del
        policyroute add
        ;;
 *)
        echo "usage: $0 {start|stop|restart|reload}" >&2
        exit 1
        ;;

esac
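The three ideas in the reply above (a dot1q subinterface for the external side, service addresses homed on loopback only, and a policy-routing table so traffic sourced from a service address leaves via the external gateway while management keeps the main table's default route) combined into one script. This is an added example, not the poster's script or anything from the list; every interface name, VLAN id, table name and prefix is an assumption (RFC 5737 documentation ranges), and PBR_DRY_RUN=1 prints the ip(8) commands instead of running them so the generated plan can be inspected on a box where you are not root.

```shell
#!/bin/sh
# Added example (not from the original post). Service address on lo, external
# dot1q subinterface, dedicated routing table and a source-based rule.
# All names, ids and prefixes below are assumed/constructed values.
set -eu

PBR_DRY_RUN="${PBR_DRY_RUN:-0}"            # 1 = print commands, do not execute
TABLE="${TABLE:-public-exit}"              # must be listed in /etc/iproute2/rt_tables
EXT_PARENT="${EXT_PARENT:-eth0}"           # physical NIC carrying the tagged VLAN
EXT_VLAN="${EXT_VLAN:-100}"                # assumed external VLAN id
EXT_IF="${EXT_PARENT}.${EXT_VLAN}"
EXT_NET="${EXT_NET:-192.0.2.0/28}"         # connected external prefix (documentation range)
EXT_ADDR="${EXT_ADDR:-192.0.2.10/28}"      # this host's address on the external side
EXT_GW="${EXT_GW:-192.0.2.1}"              # external gateway, only reachable via the table
SVC_ADDR="${SVC_ADDR:-198.51.100.53/32}"   # service address, lives on lo only
RULE_PRIO="${RULE_PRIO:-1000}"             # below 32766 so it wins over the main table

# Execute or, in dry-run mode, print the command so it can be reviewed.
run() {
  if [ "$PBR_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# ip(8) only accepts a table by name when rt_tables maps it to a number.
pbr_table_defined() {
  grep -qE "^[0-9]+[[:space:]]+${TABLE}([[:space:]]|\$)" /etc/iproute2/rt_tables 2>/dev/null
}

pbr_add() {
  if [ "$PBR_DRY_RUN" != "1" ] && ! pbr_table_defined; then
    echo "table '$TABLE' is not defined in /etc/iproute2/rt_tables" >&2
    return 1
  fi
  # External side is a tagged subinterface; no default route for it in "main",
  # so management traffic keeps using the internal default gateway.
  run ip link add link "$EXT_PARENT" name "$EXT_IF" type vlan id "$EXT_VLAN"
  run ip link set "$EXT_IF" up
  run ip addr add "$EXT_ADDR" dev "$EXT_IF"
  # The service address is only ever a service address: it lives on loopback.
  run ip addr add "$SVC_ADDR" dev lo
  # Dedicated table: connected external prefix plus a default via the external gateway.
  run ip route replace "$EXT_NET" dev "$EXT_IF" table "$TABLE"
  run ip route replace default via "$EXT_GW" dev "$EXT_IF" table "$TABLE"
  # Replies sourced from the service address consult that table first.
  run ip rule add from "$SVC_ADDR" lookup "$TABLE" priority "$RULE_PRIO"
}

# Tear down in reverse order so nothing is left half-configured.
pbr_del() {
  run ip rule del from "$SVC_ADDR" lookup "$TABLE" priority "$RULE_PRIO"
  run ip route flush table "$TABLE"
  run ip addr del "$SVC_ADDR" dev lo
  run ip link del "$EXT_IF"
}

# Ask the kernel which path a packet from the service address would take;
# the answer should name $EXT_IF and $EXT_GW, not the management gateway.
pbr_verify() {
  run ip route get 203.0.113.1 from "${SVC_ADDR%/*}"
}

case "${1:-}" in
  start|add)     pbr_add ;;
  stop|delete)   pbr_del ;;
  restart)       pbr_del; pbr_add ;;
  verify)        pbr_verify ;;
  "")            ;;   # no action: functions defined only (e.g. when sourced)
  *)             echo "usage: $0 {start|stop|restart|verify}" >&2; exit 1 ;;
esac
```

Run `PBR_DRY_RUN=1 ./pbr.sh start` first and read the plan; the rule priority must sit below 32766 (the "main" lookup) or the service address will still use the management default route. Note also that `ip route get ... from` reflects the current rule set, so `verify` after `start` is the quickest way to confirm the split actually took effect.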
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/