Just my 2p worth...
IIRC, one of the rules that you would have in your firewall would be to
not let communication from the Internet through the fw to the inside -
connections from the outside should only be allowed to the DMZ.
As soon as you introduce a path from the DMZ to the inside you have
compromised the firewall.
Personally, I would plug the firewall (from inside) into the database
(in the DMZ) - this should mean you treat the firewall as the database
(from the inside).
As you've already said, you have no problem accessing the database
from the DMZ, so this *should* fix your problem (unless you're already
plugging it in this way).
As I said, just my 2p worth - the plugging thing may not be a great
solution, but it's one I've used in the past to connect to a terminal
server through a firewall, which worked just fine.
Cheers,
Mark Watts
-----Original Message-----
From: Ola Samuelson [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 16, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Firewall/DMZ and placement of database
Hi!
Any advice on this is appreciated.
I have ONE database. It has to be one and only one, no replication or
such.
It has to be accessible from the webservers in the DMZ and from the
private net.
There is a three-legged DMZ setup and the firewall is running
ipchains.
Problem/question:
The firewall seems to affect the database communications negatively, and
months of testing prove that.
I have to do one of the following:
1. Solve the problem with the firewall so that it does not disrupt the
database communications.
(Tons of broken pipes to the remote database etc. I use a pool that
hands out connections and revives "dead" connections, but after a while
it all dies. I know that TCP times out, but I renew all connections
BEFORE that with a special thread. Accessing the same data from a
machine on the same subnet works without ANY errors. So I guess it has
to be a problem with "leaving" the subnet. Or ...?)
or
2. Move the database.
My questions:
1. Suggestions as far as the firewall/database problem anyone?
2. I might have to solve the problem by moving the database.
Even if there is a risk by doing so - I might have to.
My idea was
a) to use double NICs in the database server, one connected to the DMZ
and one to the local net, and to configure the DMZ NIC on the database
server so that it is part of the DMZ;
b) to configure the firewall so that ALL access to the database machine
via the DMZ is DENIED on all ports;
c) to set up TCP wrappers on the database server to allow only web
server communication via the NIC connected to the DMZ.
If I only have one database server - what do you guys suggest?
Any constructive advice or hints are most welcome!
TIA
//OLAS
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
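Editor's note, added example (not code from either poster): the symptom in
Ola's point 1 - a pool full of connections that sat idle across a stateful
firewall and then die with broken pipes - is what a firewall's state-table
timeout looks like from the application side. The script below shows the two
mitigations a practitioner would reach for before dual-homing the database
server across the DMZ and the inside (which, as Mark notes, is a path around
the firewall): TCP keepalives on every pooled socket with the idle interval set
below the firewall's timeout, and a cheap liveness probe on checkout so a dead
connection is discarded and replaced rather than handed out. The 900 s timeout
is an assumption (the classic ipchains masquerade default; use whatever the
real firewall is configured with), and the database connection is a
constructed fake so the script runs offline. Names such as ValidatingPool,
keepalive_socket and FakeDbConnection are mine, not any driver's API.

```python
"""Pool that survives a stateful firewall dropping idle sessions.

Added example for the firewall/DMZ thread above; not from the original
posters. The "database" is a constructed stand-in so this runs offline.
"""
import itertools
import socket
import threading
import time
from collections import deque

# ASSUMPTION: the firewall forgets an idle TCP session after this long.
FIREWALL_IDLE_TIMEOUT = 900


def keepalive_socket(sock, idle=FIREWALL_IDLE_TIMEOUT // 3, interval=30, count=3):
    """Turn on TCP keepalives so the session never looks idle to the firewall.

    The first probe goes out well inside the firewall's timeout; the
    per-option names are Linux-specific, so they are applied only if present.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock


def keepalive_settings():
    """Open a loopback TCP connection, apply keepalive_socket, report what stuck."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    peer, _ = srv.accept()
    try:
        keepalive_socket(cli)
        out = {"SO_KEEPALIVE": cli.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
        opt = getattr(socket, "TCP_KEEPIDLE", None)
        if opt is not None:
            out["TCP_KEEPIDLE"] = cli.getsockopt(socket.IPPROTO_TCP, opt)
        return out
    finally:
        peer.close()
        cli.close()
        srv.close()


class FakeDbConnection:
    """Constructed stand-in for a driver connection; `alive` goes False once
    the firewall has silently dropped the session."""

    def __init__(self, ident):
        self.ident = ident
        self.alive = True
        self.last_used = time.monotonic()

    def ping(self):
        if not self.alive:
            raise BrokenPipeError(f"conn{self.ident}: firewall dropped the session")
        self.last_used = time.monotonic()

    def execute(self, sql):
        self.ping()
        return f"conn{self.ident}: {sql}"

    def close(self):
        self.alive = False


_ids = itertools.count(1)


def new_connection():
    return FakeDbConnection(next(_ids))


class ValidatingPool:
    """Validate on checkout: a connection idle past the firewall timeout, or one
    that fails a ping, is closed and replaced instead of being handed out."""

    def __init__(self, factory=new_connection, size=4):
        self._factory = factory
        self._idle = deque(factory() for _ in range(size))
        self._lock = threading.Lock()
        self.replaced = 0  # how many dead connections were thrown away

    def acquire(self):
        with self._lock:
            while self._idle:
                conn = self._idle.popleft()
                if time.monotonic() - conn.last_used > FIREWALL_IDLE_TIMEOUT:
                    conn.close()          # certainly gone from the state table
                    self.replaced += 1
                    continue
                try:
                    conn.ping()           # cheap round trip before trusting it
                    return conn
                except (OSError, BrokenPipeError):
                    conn.close()
                    self.replaced += 1
            return self._factory()        # pool drained of live ones: open fresh

    def release(self, conn):
        with self._lock:
            self._idle.append(conn)


def survive_firewall_timeout(pool):
    """Simulate the firewall expiring every idle session, then run a query."""
    for conn in list(pool._idle):
        conn.alive = False               # what the state-table timeout does to us
    conn = pool.acquire()
    try:
        return conn.execute("SELECT 1")
    finally:
        pool.release(conn)


if __name__ == "__main__":
    pool = ValidatingPool(size=3)
    print(survive_firewall_timeout(pool), "| replaced:", pool.replaced)
    print(keepalive_settings())
```

With this in place the database can stay on the private net behind a single
firewall rule (web server address in the DMZ to the database port on the
inside) instead of a dual-homed box that bridges the two segments; TCP
wrappers on that box would be an access-control list on a host that is
already on both networks, not a substitute for the firewall.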