[kwlug-disc] firewall question
Insurance Squared Inc.
gcooke at insurancesquared.com
Mon Feb 16 19:34:27 EST 2009

I've got a database in-house here running on a Linux server...our client
DB. Normally I'd just disallow port 80 at the router and call it done
for security :). However, the database takes input from my website.
HTML forms are routinely POSTed to a specific program on the in-house
server. So I've got port 80 pointed at the server. That works fine,
but now my DB server is exposed to the world.

If it was a webserver, I wouldn't worry about it. But if it was a web
server, I wouldn't be running client data on it.

What's my best/easiest security solution? Basically I need one way in
for my webserver to POST records to the DB. No external http: access
(other than internal to my network) necessary.

I'm thinking along the lines of:
- can I set my router to direct incoming POSTs to the server, but not
allow anything out? This is just a standard home QOS router.
- Do I just use an htaccess file to only allow in/out access from
internal IPs, and only incoming from external IPs?
- worst case, do I delve into iptables?

The first one is the one I like, but I don't think it's possible. The
second is easy for me to implement, but makes me more nervous. The
third is possibly more secure than the second one but for me, much more
complex to implement.
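
The iptables option from the list above, as an added example that is not part of the original post: a script that prints an iptables-restore ruleset for the DB host, allowing port 80 only from the web server's address and the LAN. The addresses, the LAN-only SSH rule, and the premise that the router's port forward preserves the web server's source IP are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: print an iptables-restore ruleset
# for the in-house DB host so that only the public web server and the LAN can
# reach TCP port 80. Both addresses are supplied by the caller (assumptions).

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) pfx=${1#*/}
             case $pfx in ''|*[!0-9]*) return 1 ;; esac
             [ "$pfx" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (function-local positionals)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_rules WEB_IP LAN_CIDR: default-deny inbound, then allow-list by source.
emit_rules() {
    web_ip=$1 lan_cidr=$2
    if ! valid_ipv4 "$web_ip" || ! valid_ipv4 "$lan_cidr"; then
        echo "usage: emit_rules WEB_IP LAN_CIDR" >&2
        return 1
    fi
    # Rule order: loopback, replies to the host's own outbound traffic, HTTP
    # from the LAN, HTTP from the web server, SSH from the LAN (assumed admin
    # path so the box stays manageable). Everything else hits the DROP policy.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $lan_cidr --dport 80 -j ACCEPT
-A INPUT -p tcp -s $web_ip --dport 80 -j ACCEPT
-A INPUT -p tcp -s $lan_cidr --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample call: emit_rules 203.0.113.10 192.168.1.0/24
if [ $# -eq 2 ]; then emit_rules "$@"; fi
```

Piping the output to `iptables-restore --test` as root parses the ruleset without committing it, which is a safe check before loading it for real.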