depends on your "paranoia" level.
With the scheme below, your firewall is accepting incoming packets (going to
the webservers) which are not initiated by outgoing requests. And this
introduces a risk, be it theoretical.
For this reason, some people prefer to put the "public" servers on the
outside and then
- either consider them as sacrificed
- or set up another firewall to protect them. This, however, has a cost.
I personally prefer to configure the corp firewall to only allow outgoing
traffic. The config is simple and I don't have to play with rules that depend
on destination addresses, ports and such.
Moreover, what is gained from a firewall if my server is completely public?
Not much, if the server is well configured. For example, the server might be
running tcp_wrappers and be configured as a host (instead of a gateway) with
all the unnecessary services disabled. Then it does not need a firewall. You
could argue that it is then configured as a firewall. I do not need the same
level of protection for this server and for my private hosts, which may be
running "unsecure" systems and used by users whose job is not to ensure the
security of the site.
[since I am not a fw admin, my claims may be biased though]
I would say that as for any question, the right answer, if one exists,
depends on what you want.
mouss
John Adams wrote:
>
> Everything behind the firewall, regardless of purpose.
> +-------------- eth1 webservers
> outside eth0 -----[firewall]
> +-------------- eth2 inside
>
> Protect everything, trust no one. Also place a router prior to this to do
> ingress filtering.
>
> -j
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
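The two designs argued over above can be compared concretely with a small stateful packet-filter model. This is an added example, not code from either poster or from the firewalls list: it models John Adams's three-legged layout (eth0 outside, eth1 webservers, eth2 inside) next to mouss's "outgoing only" corp firewall, folds the upstream ingress filtering into the same check, and runs a handful of constructed packets through both. The address ranges (10.0.0.0/24 for the inside, 192.0.2.0/24 for the webservers) and the traffic itself are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the post): the inside LAN, the
# webserver leg, and everything else counts as "outside".
INSIDE = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/24")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface: eth0 = outside, eth1 = webservers, eth2 = inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True = first packet of a new connection, False = part of an existing flow


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in INSIDE:
        return "inside"
    if a in DMZ:
        return "dmz"
    return "outside"


class StatefulFilter:
    """Minimal stateful filter: only the first packet of a flow consults the
    policy; later packets are accepted only if that flow was accepted before."""

    def __init__(self, policy):
        self.policy = policy
        self.conns = set()

    @staticmethod
    def _key(p: Packet):
        # Direction-independent flow identifier, so the reply matches the request.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> str:
        # Ingress filtering (the router placed "prior to" the firewall): a packet
        # arriving from outside must not claim an inside or webserver source.
        if p.iface == "eth0" and zone(p.src) != "outside":
            return "DROP (spoofed source)"
        if not p.syn:
            return "ACCEPT (established)" if self._key(p) in self.conns else "DROP (no state)"
        if self.policy(p):
            self.conns.add(self._key(p))
            return "ACCEPT (new)"
        return "DROP (policy)"


def outgoing_only(p: Packet) -> bool:
    # mouss's corp firewall: a single rule, nothing is ever initiated from outside.
    # Public servers live outside it, so they are simply not reachable through it.
    return p.iface == "eth2"


def three_legged(p: Packet) -> bool:
    # John Adams's layout: inside may open anything; outside may open only the web
    # ports on the webserver leg; the webservers may initiate nothing, so a
    # compromised webserver cannot pivot into the inside.
    if p.iface == "eth2":
        return True
    if p.iface == "eth0":
        return zone(p.dst) == "dmz" and p.dport in WEB_PORTS
    return False


# Constructed traffic (assumption): each tuple is a label and one packet.
TRAFFIC = [
    ("inside browses out",     Packet("eth2", "10.0.0.5", 40001, "198.51.100.7", 443, True)),
    ("reply to that flow",     Packet("eth0", "198.51.100.7", 443, "10.0.0.5", 40001, False)),
    ("outside -> inside ssh",  Packet("eth0", "203.0.113.9", 50000, "10.0.0.5", 22, True)),
    ("outside -> webserver",   Packet("eth0", "203.0.113.9", 50001, "192.0.2.10", 80, True)),
    ("spoofed inside source",  Packet("eth0", "10.0.0.5", 50002, "10.0.0.6", 445, True)),
    ("webserver -> inside",    Packet("eth1", "192.0.2.10", 50003, "10.0.0.5", 445, True)),
]


def run(policy) -> dict:
    """Run the constructed traffic through one policy; returns label -> verdict."""
    fw = StatefulFilter(policy)
    return {label: fw.evaluate(pkt) for label, pkt in TRAFFIC}


if __name__ == "__main__":
    a, b = run(outgoing_only), run(three_legged)
    print(f"{'packet':26} {'outgoing-only':24} three-legged")
    for label in a:
        print(f"{label:26} {a[label]:24} {b[label]}")
```

The "outside -> webserver" row is the difference the thread is about: the three-legged firewall accepts that unsolicited inbound SYN because it has a destination-and-port rule for it, while the outgoing-only firewall has no such rule and the webserver has to sit outside it and defend itself. The "webserver -> inside" row shows what the three-legged design buys in return: a webserver on its own leg cannot open connections into the inside even after it is compromised.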