Dear All,

I have a question on Shorewall, but do excuse me if I'm silly. Shorewall is a real marvel of a piece of software and I owe a million to the developers, especially Tom, and also to the excellent support. I am using Shorewall in my organisation and it works so perfectly. Now I have recommended it to an organisation where they're going to host a very high-security webserver for online transactions. Now what I want to know is:

1) Are there any special considerations that need to be taken while setting up the firewall rules for utmost security and speed?

2) Is it better to host the server on a private IP for security instead of a public IP and do the NAT on the Shorewall firewall, and will it affect the speed?

Thanks, and really appreciate it.

Regards,
simon

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Hello Simon,

simon@kmun.gov.kw wrote:
>
> now what i want to know is.
>
> 1) any special considerations need to be taken while setup of the firewall
> rules for utmost security n speed

Here are a few ideas that come to mind.

a) Don't allow ANY connections to the firewall from the net. Administer the firewall from its console or from systems behind it. Restrict which systems can connect to it.

b) Allow only the outbound traffic from the server that is essential to its operation.

c) Use a minimum of rules (for speed).

d) Configure the firewall with FASTACCEPT=Yes (again, for speed).

e) Configure Shorewall to start before the network interfaces are brought up. That means that you cannot use any Shorewall feature that requires interfaces to be UP when Shorewall starts. This avoids momentary "holes" during boot up of the firewall.

>
> 2)is it better to host the server on a private Ip for security instead of
> public IP and do the nat on shorewall firewall n will it effect the speed
> ??

If the firewall is administered properly, there should be no additional security offered by NAT. On the other hand, NAT offers protection in the event that the firewall is accidentally opened. I don't believe that the effect on speed is significant, but then I haven't measured it either. So long as you have fast enough firewall hardware, it shouldn't matter anyway.

Hopefully other list readers have additional suggestions for you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
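One way to put Tom's points a) to e) and the NAT question into Shorewall configuration terms, as an added example that is neither Tom's configuration nor the Shorewall project's sample files. Zone names, interface names, and all addresses (192.168.1.10 as the admin host, 10.0.1.10 as the webserver) are assumed placeholders:

```conf
# /etc/shorewall/shorewall.conf (only the setting that matters here)
# (d) ACCEPT rules for ESTABLISHED/RELATED traffic go to the front of the chains
FASTACCEPT=Yes

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# BROADCAST is "-" rather than "detect": detection needs the interface to be
# UP, which (e) rules out when Shorewall starts before the interfaces do.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           tcpflags
dmz     eth1        -
loc     eth2        -

# /etc/shorewall/policy (entries in /etc/shorewall/rules take precedence)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
# (b) the DMZ server may only talk out where an explicit rule allows it
dmz     all     DROP    info
# (a) nothing from the net reaches the firewall or the LAN unsolicited
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules (kept short, per (c))
#ACTION  SOURCE            DEST            PROTO  DEST PORT(S)
# (a) the firewall itself is administered from a single LAN host only
ACCEPT   loc:192.168.1.10  $FW             tcp    22
# the webserver lives on a private DMZ address and is published by DNAT
DNAT     net               dmz:10.0.1.10   tcp    80,443
# (b) the only outbound traffic the server needs: DNS and NTP
ACCEPT   dmz:10.0.1.10     net             udp    53,123
ACCEPT   dmz:10.0.1.10     net             tcp    53
```

Because the net->all policy is DROP, the DNAT rule is the only path from the Internet into the DMZ, and an accidentally deleted rule closes the server rather than exposing it.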
> now i have recommeded it to a organistion where they gonna host a very
> high secure webserver for online transactions
>

I don't think you have to care too much about speed as long as the firewall is on decent hardware.

If you want to increase security, I recommend adding additional layers to your firewall infrastructure. For webservers, a reverse proxy can give you additional security on the application layer. For example, you could check for valid URLs before the request hits your webserver. Another advantage is that you could also terminate SSL connections on the reverse proxy and therefore reduce the load on the webserver.

To increase security further, you could put the reverse proxy and the webserver in different DMZs, or even have more than one firewall:

FW1 -> rev. proxy -> FW2 -> webserver

Pound is a nice reverse proxy I'm using in different places: http://www.apsis.ch/pound/index_html

Regards,
Simon