Date:      Sun, 13 Mar 2005 03:15:57 -0800
From:      BSD Mail <bsdmail@gmail.com>
To:        FreeBSD-questions@freebsd.org
Subject:   To Jail behind NAT or not.
Message-ID:  <8be663db05031303151d97a0e3@mail.gmail.com>

Greetings all,

I have the following topology:

 Internet ----- Gateway ----- DMZ 
                       |
                     LAN

I'm using PF to redirect traffic to the DMZ machine which carries the following:

bind9;postfix;dovecot(imaps,pop3s),openwebmail;apache13;isc dhcp;sfs,ftps
I have ssl certs for services such as mail/web/ftp.

The gateway machine has 3 NICs and doesn't have any service enabled on
its external interface or its internal one. Remote access to the gateway
is denied; only console access is allowed. It only forwards traffic to the
inside DMZ. Also, my LAN is on a different subnet from the DMZ.

If all my services are behind that NAT box, is it premature or too
paranoid to have multiple jails, one for postfix, another for apache, and
so on, on the DMZ machine that is hosting all these services? Or can
I say that I'm protected to a good extent and that jails won't give me any
additional protection because the services are behind NAT?

I use SSH keys to access any machine on my network, and I have OTP
configured in case I need access from outside my network for college.

Thanks for the insight.

-- 
Regards,


