Date: Mon, 26 Nov 2001 00:09:41 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: MikeM <MyRaQ@mgm51.com>
Cc: G Brehm <gbbrehm@yahoo.com>, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126000941.C222@gohan.cjclark.org>
In-Reply-To: <200111242124560932.023F3386@home.24cl.com>; from MyRaQ@mgm51.com on Sat, Nov 24, 2001 at 09:24:56PM -0500
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com>
On Sat, Nov 24, 2001 at 09:24:56PM -0500, MikeM wrote:

[snip]

> I'm not sure I agree with your comments. Yes, your architecture is more
> akin to the origin of the term "DMZ", but is that the real functionality
> that we want to provide? Should we be more concerned with staying within
> the strict definition of the military term "DMZ", or should our firewalls
> provide the needed function?

The needed function is maintaining defense from the hostile network. A
layered approach is a good way to do this.

> In my "DMZ", the server only sees port 80 traffic. *only port 80* I
> cannot possibly provide that functionality with your strict
> interpretation of a DMZ firewall. Given the options of tossing aside your
> strict definition of DMZ or re-architecting my firewall, I think I'd vote
> for tossing aside your definition.

Why can it not only see such traffic? On the external firewall (and from
the internal network to the server too, if you'd like), you only pass port
80 to and from the server. No other traffic is allowed to the server. I
don't understand why you claim I cannot do this.

-- 
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message