Scenario: 5 PCs --- 10/100 switch --- OpenBSD --- Broadband router --- Internet
5 Windows XP workstations on a LAN connected to an OpenBSD server running Samba, DHCP, DNS, SpamAssassin. A 2nd NIC in the OpenBSD box goes to a broadband internet connection and PF is enabled and configured securely. Ideally, you want to layer your security services and not run your firewall and file server on the same box, but in a small budget operation that's not always feasible. Would it be preferred to hide the OpenBSD server behind a NAT broadband router (Linksys, D-Link, etc.) that the client likely already has in place? Is that extra layer of protection worth the inconvenience? I'd like to create a simple product for SOHO customers for file storage, DVD backups, spam/virus filtering, etc. It's obviously going to be more secure than the same 5 PCs behind the NAT router alone, but should I recommend the box is behind a NAT router for that extra level of protection or is that just a false sense of security? Comments?

