Port Forwarding vs. Running Servers on Firewall

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Thu Sep 11 18:39:16 UTC 2003


> If the purpose of this question is to avoid having to run the firewall
> and the internet services server on separate machines, what about
> running the email, web or whatever servers in user mode Linux 'jails'
> within the firewall, or maybe vice versa?

Jails will make it harder to crack out of a service into the main system,
but it's doable. The whole point is to make the firewall as impervious as
possible, which is in contradiction to the functions of a server. Running
servers on the firewall presents an easy single point of failure to your
network, your security and your users' security. If there's a better way
that's reasonable, I would say doing it anyway could be irresponsible in
the long run.

Check out esmith.org. There's also ClarkConnect, and more, but it's a
long list. All of them share the single point of failure weakness. Are
they hackable? Check them out with Nessus and judge for yourself.

Put one of these behind a little firewall/router do-hickey from netgear,
linksys or any other favored vendor for less than $100 and you should be
mostly okay. That would be my least-expensive-to-deploy recommendation.

-- 
Keith Mastin
BeechTree Information Technology Services Inc.
Toronto, Canada
(416)696 6070


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml




