I am about to set up two servers (one web, one DB) colocated in a datacentre.
Both will be Linux or BSD boxes (haven't decided yet!) running Apache, MySQL, DNS (bind/djbdns) and SMTP (probably qmail). Previous networks I've set up have always been using NAT or similar, so necessitating a dedicated firewall/NAT device which has usually been a linux box. However in this setup, how much extra protection can an external firewall give? The machines have to have open ports portforwarded through any firewall (80/25/etc) and I assume would remain exploitable to buffer overflows, bug exploits etc. I could restrict access to the other open system ports and services by turning them off, using ipchains/ipfilter and hosts.deny etc. DoS situations would be difficult to protect against even with an external firewall. What extra security will an external firewall actually provide? I suppose other nice features like VPN, etc, but what else? It's quite a busy site, so could ipfilter generate quite a lot of load, which could be shifted onto a dedicated firewall? Any tips or suggestions appreciated! Cheers John