RE: Which Firewall solutions

At 07:19 10/6/2003, you wrote:

> I am a bit new to Linux, but for the last three years DMZ on a firewall
> has represented an open, unprotected address.

<snip>

> In everything I have read and used, the last place to put a server is in
> the DMZ.

Well, Buck, you have just run into another well-known advantage of The Linux Way [tm], known as TIMTOWTDI: There Is More Than One Way To Do It. Whatever your sources are, you're welcome to go with what they say or recommend.


I, on the other hand, will offer the Internet "an open, unprotected access" to any part of my network over my dead body. Access to my internal network is forbidden entirely, but since I must offer access to my servers (kind of the point of having servers, after all) I try to make sure all traffic to/from my servers is "demilitarized", i.e. no hackers/crackers/script-kiddies welcome. My DMZ and my internal net are both behind a firewall and each separate from the other, with traffic to/from the DMZ very carefully controlled in all directions.

I want to prevent someone cracking my servers, but when it happens (hasn't happened yet in five years, but I see it as an inevitable event, it _will_ happen someday), I want to make it just as difficult for them to get into my internal network as it was to get into the server.

You don't like my definition...? No problem at all, don't use it. Use any other definition you wish that makes you happy. After all, it's your network. But since this is a discussion list, let's discuss: Your description put mail and web servers (those that need to offer access to the outside) in the DMZ, so (a) I'm not sure why this is "the last place to put a server" and (b) if I can offer both zones (internal and DMZ) the protection each deserves and needs, why would I leave one of them bare-ass naked?


-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx
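
The three-zone layout described in the message above (Internet, DMZ and internal net, each filtered separately), sketched as an iptables ruleset. This is an added example, not part of the original post and not the author's configuration. The interface names, the server addresses and the choice of outbound services are assumptions.

```shell
#!/bin/sh
# Added example: three-zone forwarding policy in iptables-restore format.
# Assumed (not from the post): interface names and DMZ host addresses.
WAN_IF=eth0   # Internet side
LAN_IF=eth1   # internal network
DMZ_IF=eth2   # servers offered to the outside
WEB=192.0.2.10    # constructed documentation address (web server)
MAIL=192.0.2.25   # constructed documentation address (mail server)

# Print the ruleset. Default policy is DROP, so anything not listed is refused.
dmz_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies to connections that a rule below already allowed
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the services the servers exist to offer
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Internal -> DMZ and internal -> Internet: connections start from inside
-A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
# DMZ -> Internet: only what the servers need (outbound mail, DNS lookups)
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
# DMZ -> internal: a cracked server gets no new connections inward
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Policy check: count rules that ACCEPT traffic leaving via the LAN interface.
# The only path inward is the ESTABLISHED,RELATED rule, so this must be 0.
lan_inbound_accepts() {
    dmz_ruleset | grep -- "-o $LAN_IF " | grep -c -- "-j ACCEPT"
}
```

Running `dmz_ruleset | iptables-restore --test` as root parses the rules without loading them.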


-- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
