[kwlug-disc] firewall question

unsolicited unsolicited at swiz.ca
Tue Feb 17 14:45:32 EST 2009


So you must already have opened port 80 (as you've said).

If you said the equivalent to 'forward anything on port 80 to my db 
server' to get it working, and change it instead to only forward if it 
comes from your webserver, are you not done?

Insurance Squared Inc. wrote, On 02/17/2009 2:40 PM:
> Thanks all.
> I probably confused everyone when I said database server.  My webserver 
> resides in Toronto in a colo facility :).  The 'database' server isn't a 
> database server.  It's just a linux machine sitting in my office here in 
> New Hamburg running apache/mysql, which includes that CRM program we 
> talked about a few months ago.  The webserver in Toronto posts to a php 
> program running on a computer in the closet here in New Hamburg.  The 
> local php program here then sticks it into mysql.  Then everyone 
> internally here accesses that database just by surfing to the IP of the 
> internal machine, i.e. 198.0.168.18.  But with that setup, external 
> baddies can see my database as well just by typing in my external IP.
> I think Cedric indicated that the WRT54G router will handle this.  
> That's the one that I've got...so I just need to do some reading on how 
> to do it.  Using the router/firewall seems the best way to me.
> g.
> 
> 
> 
> 
> unsolicited wrote:
>> Insurance Squared Inc. wrote, On 02/16/2009 7:34 PM:
>>> I've got a database in-house here running on a linux server...our 
>>> client DB. Normally I'd just disallow port 80 at the router and call 
>>> it done for security :).  However, the database takes input from my 
>>> website.  HTML forms are routinely POSTed to a specific program on 
>>> the in-house server.  So I've got port 80 pointed at the server.  That 
>>> works fine, but now my DB server is exposed to the world.
>> .
>> .
>> .
>>
>> Hi Glenn.
>>
>> I'm not quite clear on your setup - a flow / diagram might help. I've 
>> seen a couple of good responses, but neither seem to be the simple 
>> answer you would like to have. It sounds like you're headed for a DMZ, 
>> but your message doesn't read like you're looking for even that much 
>> work.
>>
>> It seems to me that what would be nice, since you have a webserver 
>> with all the security fiddly bits already in place, is to have your 
>> clients post to your webserver instead of directly to the database 
>> server, and have the webserver 'relay' the posts to the database 
>> server (and back). The database server would accept no internet 
>> connections (no ports open on the firewall).
>>
>> The nice thing about things like an ssh server is that you know ssh 
>> will just drop anything it's not happy with. If you're convinced the 
>> database server is equally robust, only spending time on legitimate 
>> data, you may be ok with the port open.
>>
>> Not to take anything away from the other 'really good things' in the 
>> other posts, but this may integrate well with what you already have. 
>> Whether it's 'sufficient' security or not, only you, and time, can tell.
>>
>> As John once said, there are best practices, and then there are what 
>> people usually do. Until they get burned.
>>
>> Do make sure you take regular backups of the data. (-:
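The "only forward if it comes from your webserver" rule from the reply above, written out as iptables commands for a Linux router (an added example, not code from the thread). It assumes the router runs a firmware that exposes iptables (OpenWrt or DD-WRT on a WRT54G, for instance); the interface name and every address are constructed placeholders, not the poster's real ones.

```shell
#!/bin/sh
# Added example: generate iptables rules that forward TCP/80 to an internal
# host either from anywhere ("open") or only from one trusted public source
# ("restricted"). Addresses are RFC 5737 / RFC 1918 placeholders, constructed
# for this example.

WAN_IF="${WAN_IF:-eth0}"                        # assumed WAN interface name
WEBSERVER_IP="${WEBSERVER_IP:-203.0.113.10}"    # trusted colo webserver (placeholder)
INTERNAL_HOST="${INTERNAL_HOST:-192.168.1.18}"  # office box running apache/mysql (placeholder)

# Print the rule set without applying it. "open" reproduces the
# "forward anything on port 80" setup; "restricted" pins the source address.
port80_forward_rules() {
    case "$1" in
        open)       src="" ;;
        restricted) src="-s $WEBSERVER_IP " ;;
        *) echo "usage: port80_forward_rules open|restricted" >&2; return 1 ;;
    esac
    # DNAT: rewrite the destination of matching packets to the internal host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF ${src}-p tcp --dport 80 -j DNAT --to-destination $INTERNAL_HOST:80"
    # FORWARD: admit the (possibly source-restricted) new connection.
    echo "iptables -A FORWARD -i $WAN_IF ${src}-p tcp -d $INTERNAL_HOST --dport 80 -m state --state NEW -j ACCEPT"
    # Return traffic for flows that were already accepted.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anything else from the WAN aimed at the internal host is dropped, so a
    # stranger typing the public IP into a browser never reaches apache/mysql.
    echo "iptables -A FORWARD -i $WAN_IF -d $INTERNAL_HOST -j DROP"
}

# Sanity check: the restricted set must carry the source match on both the
# DNAT rule and the FORWARD accept rule (exactly two occurrences).
rules_are_source_restricted() {
    port80_forward_rules restricted | grep -c -- "-s $WEBSERVER_IP" | grep -qx 2
}

# Print the chosen set, or apply it (root required) when --apply is given.
apply_rules() {
    if [ "$2" = "--apply" ]; then
        port80_forward_rules "$1" | sh
    else
        port80_forward_rules "$1"
    fi
}
```

Run `apply_rules restricted` first to review the commands, then `apply_rules restricted --apply` on the router once the interface name and addresses match your own.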