Thread: Firewall setup
Hi,

I have a PHP4 + PostgreSQL site that I have been working on for several weeks now. We're getting ready to put up the production site very shortly. I would like to keep the database separate from the web server. PostgreSQL should be located behind the firewall and the web server outside. How do I work that with the firewall? If I open up the database port does that mean I put my database at risk? Any ideas?

Derek Del Conte - derek@gambitdesign.com
gambitdesign.com provides all of your networking needs.
Very simple, you only allow packets destined for the machine with the db server at the dbserver port _across_ the firewall (from the outside) that originated from the web server's IP address.

--
Close your eyes. Now forget what you see. What do you feel?
-- My heart.
-- Come here.
-- Your heart.
-- See? We're exactly the same.

Jon Smith -- Senior Math Major @ Purdue

On Tue, 4 Jul 2000, Derek Del Conte wrote:

> Hi,
>
> I have a PHP4 + PostgreSQL site that I have been working on for several
> weeks now. We're getting ready to put up the production site very shortly.
> I would like to keep the database separate from the web server. PostgreSQL
> should be located behind the firewall and the web server outside. How do I
> work that with the firewall? If I open up the database port does that mean
> I put my database at risk? Any ideas?
>
> Derek Del Conte - derek@gambitdesign.com
>
> gambitdesign.com provides all of your networking needs.
On the other hand, you may want to secure things a little bit more. Make yourself an ultra-locked-down firewall (like a Linux firewall doing nothing but IP masquerade - very nice) that disallows all incoming packets from its routable IP, except for those destined for port 80. Forward every connection destined for port 80 on your firewall to port 80 on your web server, which would be located inside the firewall along with your database server.

Voila! You have yourself an ultra-secure site, as long as you properly lock down your firewall (turn off telnet, ftp, etc.). If you need to access any other services from the outside, you can usually just forward the correct ports - unless you're doing FTP or some other crAZy protocol.

Neil
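The two layouts discussed above (Jon's: web server outside, with only the web server's address allowed across the firewall to the PostgreSQL port; Neil's: web and database both inside, with only port 80 forwarded from the firewall's routable IP), written out as Linux iptables rules. This is an added example, not something posted in the thread; the interface name, the addresses and the PostgreSQL port are assumed placeholders, and the script only prints the rules so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables rule sets for the two
# firewall layouts; every address and interface below is an assumed placeholder.
# Review the output, then run e.g.  sh fw.sh --db-behind | sh  as root to apply.

EXT_IF="eth0"              # assumed: interface that carries the routable IP
DB_HOST="192.168.1.20"     # assumed: PostgreSQL box on the inside network
WEB_INT="192.168.1.10"     # assumed: web server on the inside (Neil's layout)
WEB_EXT="203.0.113.10"     # assumed: web server outside the firewall (Jon's layout)
PG_PORT="5432"             # assumed: PostgreSQL listening port

# Jon's layout: the database sits behind the firewall, the web server outside.
# Default policy is DROP, replies to established connections are let back
# through, and the only NEW connection allowed in from outside is TCP from the
# web server's source address to the database host on the PostgreSQL port.
rules_db_behind_firewall() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -s $WEB_EXT -d $DB_HOST --dport $PG_PORT -m state --state NEW -j ACCEPT
EOF
}

# Neil's layout: web server and database both inside, firewall does IP
# masquerade. Nothing is accepted from outside except connections to port 80,
# which are forwarded (DNAT) to the internal web server. The database port is
# never opened on the routable IP; web-to-database traffic stays on the inside.
# The inside hosts must use the firewall as their default gateway so that
# replies to forwarded connections route back through it.
rules_everything_inside() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_INT:80
iptables -A FORWARD -i $EXT_IF -p tcp -d $WEB_INT --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Select a rule set to print; with no argument nothing is printed.
case "${1:-}" in
    --db-behind)  rules_db_behind_firewall ;;
    --all-inside) rules_everything_inside ;;
esac
```

In either layout the firewall should not be the only control on the database port: PostgreSQL's own pg_hba.conf can restrict connections to the web server's address as well, so a mistake in one layer is caught by the other.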
No religious war happening here. Linux is what I've got set up at work and at home, and it's where I've got most of my Unix experience from. I'm thinking of putting OpenBSD or FreeBSD on one of my boxes at home, though, just to try it out.

The thing I like about having a firewall that does port forwarding is that it's easier to have a heterogeneous environment behind the firewall that provides all the different services. For instance - me and the guy upstairs have networked all of our machines and are sharing a DSL using Linux and IP Masquerade. He's working on his MCSE (horrors), so he has to learn how to set up the different services on his NT box. For the most part, we just forward the right ports from the firewall to the NT box. And I've got a web server behind the firewall running Linux.

Anyway, whatever setup you've got, any web server should only allow connections on port 80 at the routable IP. It's just easier to keep the scr1p7 k1dd13s out when you've only got one service to possibly exploit. And if it's a relatively dumb one (like HTTP), that's even better.

Neil

-----Original Message-----
From: Peter Galbavy [mailto:peter.galbavy@knowledge.com]
Sent: Thursday, July 06, 2000 9:19 AM
To: Neil Toronto; pgsql-admin@postgresql.org
Subject: Re: [ADMIN] Firewall setup

> Voila! You have yourself an ultra-secure site, as long as you properly lock
> down your firewall (turn off telnet, ftp, etc.).

Not trying to start a religious war, but for this sort of thing look at OpenBSD (http://www.openbsd.org). Apart from the ongoing code audit, the transparent filtering bridge is a great backfill for filtering, as it requires no change to the "shape" of your network.

Peter
> Voila! You have yourself an ultra-secure site, as long as you properly lock
> down your firewall (turn off telnet, ftp, etc.).

Not trying to start a religious war, but for this sort of thing look at OpenBSD (http://www.openbsd.org). Apart from the ongoing code audit, the transparent filtering bridge is a great backfill for filtering, as it requires no change to the "shape" of your network.

Peter