Pound Mailing List Archive / 2005 / 2005-12
Is it best to put the pound server outside firewall and backends inside?
From: "Jamie Robe" <robej(at)plancom.org>
Date: 2005-12-09 15:12:05
Hi. I think I want to have the following system configuration, have all
my boxes running aok for development, but need advice.
Pound Server (listening on port 80)
Two zope client servers (both listening on port 8081)
One zeo server (listening on port 9999)
Is it best to have the pound box the only one in the DMZ, with the rest
behind the firewall? If so, do I implement SSL tunnels between pound box
and the two zopes? Will both zopes have to have Internet valid IP
addresses? Not sure how that works.
Or am I off and have to have just the zeo server behind firewall, with
rest of them outside? Same question then on how to connect two machines
with a tunnel thru firewall?
I have read about port forwarding, but not implemented it yet. Is that
what I need to do this?
My goal is to have the zeo server and its storage drives inside my
network, so I can use network backup system already in place. I can then
also run zope as a client on cheap PC for packing and such admin work.
My second goal is to have security at maximum - which I take it = fewest
servers exposed to Internet.
I appreciate any help in this everyone!
Jamie T. Robe
Automation Team Leader
The Planning Commission
(813)272-5940
RE: [Pound Mailing List] Is it best to put the pound server outside firewall and backends inside?
From: "Joe Gooch" <mrwizard(at)k12system.com>
Date: 2005-12-09 20:57:19
I put my pound server and backends on a separate VLAN on the inside of
my network, and then only allow access to the pound server on ports 80
and 443.
Of course I have other rules to restrict that VLAN's access to the rest
of my inside networks, but that's just prudent anyway. :)
Joe
RE: [Pound Mailing List] Is it best to put the pound server outside firewall and backends inside?
From: "Jamie Robe" <robej(at)plancom.org>
Date: 2005-12-12 14:56:19
Thanks Joe. Is VLAN the same as a DMZ? I know we keep our webservers in
the DMZ, but I see some diagrams in various online documents where the
actual zeo server or even zope clients servers are "inside" a firewall.
In your setup, your pound box is the only machine with a valid Internet
IP?
Jamie T. Robe
Automation Team Leader
The Planning Commission
(813)272-5940
www.PLAN2025.org
RE: [Pound Mailing List] Is it best to put the pound server outside firewall and backends inside?
From: "Joe Gooch" <mrwizard(at)k12system.com>
Date: 2005-12-12 15:30:44
DMZs are usually a separate segment with a routable (valid Internet) IP
range so that public machines can access the content on it. The problem
you have is the Pound server would need access to the backends, which I
would consider private.
Instead of doing a DMZ, I do NAT. So I have 32 routable IPs that I can
use to map. In this case, one IP has ports 80 and 443 pointed to my
pound box, which resides on a private network with my backends. I'm
sure no other traffic will get to that box because I've only allowed 2
specific ports.
In your case, maybe you should have your Pound machine have 2 NICs...
put the machine on the DMZ for one, and on the other connect to the
internal/private network that contains your backends.
I wouldn't put the backends on the DMZ because that would likely imply
that the outside world could hit your backends directly, which is
something I would personally avoid.
Joe
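As an added example (not taken from the thread or from the Pound project), here is a Pound configuration that matches the layout Joe describes and the ports Jamie listed: Pound alone answers on 80 and 443, the two Zope clients sit on a private network on port 8081, and the ZEO server (port 9999) is never reachable through the proxy at all. The addresses (203.0.113.10 for Pound's outward-facing side, 10.0.1.11 and 10.0.1.12 for the Zope clients) and the certificate path are constructed for illustration.

```text
# Added example, not from the mailing list thread.
# Constructed addresses:
#   203.0.113.10  Pound's outward-facing address (the DMZ NIC, or the
#                 private address that the firewall's NAT maps a public IP to)
#   10.0.1.11/12  the two Zope clients on the internal network, port 8081
# The ZEO server (port 9999) is not referenced anywhere: only the Zope
# clients talk to it, so it never needs to be reachable from Pound's side.

User      "www-data"
Group     "www-data"
LogLevel  1

# Plain HTTP: bind to the outward-facing address only, never 0.0.0.0,
# so a second NIC on the internal network exposes no listener.
ListenHTTP
    Address 203.0.113.10
    Port    80
    Service
        BackEnd
            Address 10.0.1.11
            Port    8081
        End
        BackEnd
            Address 10.0.1.12
            Port    8081
        End
    End
End

# HTTPS terminated on the Pound box. Traffic to the backends stays plain
# HTTP on the internal network, so the Zope clients need neither a public
# IP nor a tunnel of their own; the firewall only has to pass 80 and 443
# to 203.0.113.10.
ListenHTTPS
    Address 203.0.113.10
    Port    443
    # constructed path: a single PEM file holding the private key and certificate
    Cert    "/etc/pound/pound.pem"
    Service
        BackEnd
            Address 10.0.1.11
            Port    8081
        End
        BackEnd
            Address 10.0.1.12
            Port    8081
        End
    End
End

# There is deliberately no listener for port 1980 (WebDAV): that is reached
# from the internal network directly at a backend, as proposed later in
# the thread, and is never exposed through the proxy.
```

With this in place the only things the outside world can reach are the two listeners above; the firewall rule set Joe describes (a single routable IP with only ports 80 and 443 forwarded to the Pound box) is what keeps it that way, and the Address lines make sure Pound never accidentally listens on the internal NIC.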
RE: [Pound Mailing List] Is it best to put the pound server outside firewall and backends inside?
From: "Jamie Robe" <robej(at)plancom.org>
Date: 2005-12-12 17:17:44
Thanks. I will try setting that same type thing up here. Also, do you
use Webdav and if so, how do you handle that? I was thinking of allowing
that directly to a backend from inside the network, and not opening port
1980 on the pound box. The other thing would be to make it secure with
SSL? I haven't done that at all.
Jamie T. Robe
Automation Team Leader
The Planning Commission
(813)272-5940
www.PLAN2025.org