On Sat, 2009-06-06 at 19:54 -0400, Bill Davidsen wrote: > I have mixed feeling on that, I think if you don't run a formal DMZ: > > Internet----firewall1--------------------firewall2---internal_pvt_net > | | > http smtp > svr svr > > you are better with the web and mail servers on the firewall than > inside it, where if the server gets compromised it looks like a > trusted internal machine. Hackable thing on the firewall makes it easier to hack the firewall... If you were going for best practice, your firewall would be just a firewall, and do nothing else. And you'd still configure your network behind the firewall to distrust anything that's not necessary (firewalls on each machine). You should certainly do that on any network where it's possible for someone to connect an extra computer to it, somehow. Your router could also be more stringent than the usual unconfigured ones, doing what people commonly think of being the DMZ type of thing: That only some traffic could go to the web server, and only in certain directions. DMZ isn't what most people think - it's allowing unfiltered traffic to that device on the DMZ zone. It's not isolating the thing from everything else. The opposite, of a firewall, if you please. -- [tim@localhost ~]$ uname -r 2.6.27.24-78.2.53.fc9.i686 Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
