[kwlug-disc] firewall question

Insurance Squared Inc. gcooke at insurancesquared.com
Mon Feb 16 19:34:27 EST 2009

I've got a database in-house here running on a linux server...our client 
DB. Normally I'd just disallow port 80 at the router and call it done 
for security :).  However, the database takes input from my website.  
HTML forms are routinely POSTed to a specific program on the in-house 
server.  So I've got port 80 pointed at the server.  That works fine, 
but now my DB server is exposed to the world.

If it was a webserver, I wouldn't worry about it. But if it was a web 
server, I wouldn't be running client data on it.

What's my best/easiest security solution?  Basically I need one way in 
for my webserver to POST records to the DB.  No external http: access 
(other than internal to my network) necessary.

I'm thinking along the lines of:
- can I set my router to direct incoming POSTs to the server, but not 
allow anything out?  This is just a standard home QoS router.
- Do I just use an .htaccess file to only allow in/out access from 
internal IPs, and only incoming from external IPs?
- worst case, do I delve into iptables?

The first one is the one I like, but I don't think it's possible.  The 
second is easy for me to implement, but makes me more nervous.  The 
third is possibly more secure than the second one but for me, much more 
complex to implement.
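As an added example (not part of the original post), here is what the third option looks like on the in-house DB host itself, with the router still forwarding port 80 to it: inbound port 80 is accepted only from the public web server's address and the LAN, and the host may not open new connections outward, which is the "in but nothing out" idea from the first option done statefully. The web server address and LAN range are assumed placeholders, and the script only prints the rules unless run as root with `apply`.

```shell
#!/bin/sh
# Added example: iptables rule set for the in-house DB host.
# Assumed addresses (placeholders, not from the original post):
WEBSERVER_IP="203.0.113.10"   # public web server that POSTs form data
LAN_NET="192.168.1.0/24"      # internal network that may reach the DB host

# Emit the rule set on stdout so it can be reviewed before being applied.
db_host_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -j ACCEPT
iptables -A INPUT -s $WEBSERVER_IP -p tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m limit --limit 5/min -j LOG --log-prefix "db-host port80 denied: "
EOF
}
# Notes on the rules above:
# - Only the web server may open a connection to port 80; replies to it are
#   covered by the ESTABLISHED,RELATED rule, so no outbound "hole" is needed.
# - The DB host cannot start connections to the Internet (OUTPUT policy DROP),
#   which also blocks DNS and package updates from it; add LAN-side rules for
#   a local DNS/proxy if those are needed.
# - Rejected port 80 attempts are logged (rate limited) before the DROP policy
#   catches them, so unexpected sources show up in the kernel log.

if [ "${1:-}" = "apply" ]; then
    db_host_rules | sh          # needs root
else
    db_host_rules
fi
```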
