Chuck Swiger wrote:
> Jeff wrote:
>> I realize this may be partial religion and then potentially bias due
>> to the list but here goes anyway.
> There is nothing wrong with bias, per se, if you are aware that it
> exists. :-)
>> I need to build a DMZ server, of sorts, that will sit on the public
>> internet. It will take in data from embedded devices and in turn
>> services from behind a firewall will pull data from it to later
>> process. The main processes that I need to run are ftpd, httpd,
>> possibly smtpd (sasl2, tls), and later proprietary code that talks to
>> the embedded devices.
> A "DMZ server" implies you are setting up a "screened public subnet"
> along with a backend LAN subnet. If you are setting up a firewall with
> three interfaces, OK, but you should avoid running any services on that
> box except for IPFW/dummynet/PF/ALTQ/whatever.
> If you are setting up a box that has two interfaces, one with a public
> IP and one doing NAT to a private LAN subnet, that is still a firewall,
> but you don't have a DMZ.
Understood, that's the reason for the 'of sorts'.
> If need be, you can run proxy services on that box, but it still would
> be better from the standpoint of security to run them on an internal box
> via NAT forwarding of whatever ports are needed.
>> Originally I was thinking of using OpenBSD, as it seems to lend itself
>> very nicely to the public but secure environment. On the other hand,
>> if I were to use FreeBSD, I could jail each process, granted I could
>> also chroot each process in OpenBSD and httpd is already done for me.
>> I will be running a firewall on the box either way and will also have
>> sshd and rsyncd running, only allowing access from the internal network.
> OK.
>> I have more experience with FreeBSD, but my limited knowledge based
>> on an install and configuration of OpenBSD 3.7 has made me comfortable
>> with it as well.
>> Any opinions on which OS is better suited for the task? Security and
>> reliability are the foremost concerns (aren't they everyone's?) and I
>> think both OSes are more than up to the task.
> Both OSes are up to the task. If you are going to just set up a
> firewall, using OpenBSD would be an easy choice.
> However, it sounds like you plan to install at least your custom
> software, a web server, and several other 3rd-party pieces: FreeBSD
> ports makes doing that and keeping it up-to-date securely very easy via
> portaudit & portupgrade.
> Many people seem to value things like "cost" and "performance", or even
> "convenience", more highly than they value "security" or "reliability".
> Don't take this for a suggestion to change what you are doing, however.
> :-)
True. Cost is just my time, and I feel performance between the two is
negligible (Dell 750 Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd spend
extra time/money, within reason, for security and reliability... how's it go?
Pay me now, or pay me later.... heh.
I appreciate the input. I'm now leaning toward going back inside the firewall with
this, with FreeBSD, using jails for httpd/ftpd and allowing the current external
firewall to continue its work using NAT and if I need the DMZ, set up an actual
one, not just a public cache server, as I had explained here.
Again, thanks
jd
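The design the thread settles on (an external firewall NAT-forwarding only the public ports to an inside box running the httpd/ftpd jails, with sshd/rsyncd reachable solely from the internal LAN) written out as a FreeBSD pf.conf. This is an added example, not a configuration from the thread; interface names, addresses and the jail host address are assumptions, and it uses the older OpenBSD-style nat/rdr syntax that FreeBSD's pf carries.

```pf
# Assumed interfaces and addresses (not from the thread)
ext_if   = "em0"                # public side
int_if   = "em1"                # internal LAN side
int_net  = "192.168.1.0/24"
jail_host = "192.168.1.10"      # inside box hosting the httpd/ftpd jails
public_tcp = "{ 21, 80 }"       # only the services meant to be public

set skip on lo0
scrub in all
antispoof quick for { lo0, $int_if }

# Masquerade outbound LAN traffic behind the public address
nat on $ext_if from $int_net to any -> ($ext_if)

# Forward only the public ports to the jail host; nothing else is exposed.
# Caveat: this covers the FTP control channel only. Passive-mode data
# connections need the jail's passive port range forwarded as well
# (or ftp-proxy); that range is left out here.
rdr on $ext_if proto tcp from any to ($ext_if) port $public_tcp -> $jail_host

# Default deny in both directions, logging what is dropped
block in log all
block out log all

# Forwarded public connections: filtering happens after translation,
# so the destination is already the jail host here
pass in  on $ext_if proto tcp from any to $jail_host port $public_tcp \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $jail_host port $public_tcp \
    flags S/SA keep state

# sshd/rsyncd on the firewall answer only on the inside interface.
# There is deliberately no matching rule on $ext_if.
pass in on $int_if proto tcp from $int_net to $int_if port { 22, 873 } \
    flags S/SA keep state

# LAN hosts may reach the internet (not the firewall itself beyond the above)
pass in  on $int_if from $int_net to ! $int_net keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule set.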
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"