Netgate Discussion Forum

    XG-7100 1U for the webserver gateway

      aie.sakaki

      Hello guys,

      I want to configure a Netgate XG-7100 1U as the gateway for a webserver/database. Which packages are essential for securing a webserver?
      Thanks.

        JKnott @aie.sakaki

        @aie-sakaki

        Are you sure you want to put a server/database on your firewall? That's considered very bad practice.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          DaddyGo @JKnott

          @jknott said in XG-7100 1U for the webserver gateway:

          That's considered very bad practice.

          this has been a theme here many times 😉

          +++edit:

          or does the OP want to set up an NGFW in front of the web/db server?
          https://forum.netgate.com/topic/154479/diagnostic-cleaning-up-after-being-hacked?_=1614166619925

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

            aie.sakaki @JKnott

            @jknott
            I need to explain here: actually, the XG-7100 1U works as a firewall only, with a global IP address on my network, and the webserver is on another machine with a local IP, e.g., 192.168.1.10. pfSense forwards all required ports to the webserver at 192.168.1.10.

            To secure XG-7100, I need to install some packages such as snort, squid proxy server, pfblockerNG, etc. Any recommendation for any extra package to secure the webserver?

              DaddyGo @aie.sakaki

              @aie-sakaki said in XG-7100 1U for the webserver gateway:

              Any recommendation for any extra package to secure the webserver?

              I would put this directly on the web server, it was invented for this:
              WAF
              https://modsecurity.org/

              BTW:
              Be careful with a lot of filtering and restrictions on the NGFW in front of the web server, because in the end no one can see your page 😉

                aie.sakaki @DaddyGo

                @daddygo

                I agree that pfSense can't do much for a real webserver, and a Web Application Firewall should be installed on the webserver for protection, such as ModSecurity or Cloudflare.
                Although I think pfSense is the best open source firewall, with well-explained documents and videos.
                Which one do you recommend, ModSecurity or Cloudflare? Thanks for the help. 😊

                  DaddyGo @aie.sakaki

                  @aie-sakaki said in XG-7100 1U for the webserver gateway:

                  I agree that pfSense can't do much for a real webserver,

                  You are on the right way now 😉

                  Many people use pfSense in front of their web server, but I don't think that's the solution.
                  The web server needs to be fast and secure, not to mention the question of redundancy and operational safety.

                  So an extra tool like NGFW brings more error options into the system.
                  Examination of all packages with NGFW (+IPS, +IDS, +DNSBL, etc.) slows down the whole process; on high-load web servers, this can cause a significant reduction in capacity.

                  (not to mention that NGFW requires daily administration, in extreme cases hourly - which web server admin has time for this +plus)

                  To your question, I can tell you we use the CF PRO plan (20USD only / mo) and ModSecurity WAF + OWASP rules in combination.
                  https://www.cloudflare.com/plans/

                  Web server on:
                  -Debian 10.x (Buster) 64bit
                  -Apache Worker, factory package

                  Note:
                  -the monitoring for updates is essential!

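Added example, not part of DaddyGo's post and not any project's shipped configuration: a sketch of the Apache side of the Cloudflare + ModSecurity + OWASP rules combination described above, staged so the rules log before they block. The file paths and the trusted-proxy list file are assumptions; the two `SecAction` lines are the ones OWASP CRS 3.x ships commented out in its setup file, so set them in one place only.

```apache
# Added example. Assumes ModSecurity 2.x for Apache, OWASP CRS 3.x, and
# that these directives are read before the CRS rule files are included.

# --- Behind Cloudflare: record the visitor address, not the edge address ---
<IfModule remoteip_module>
    # Cloudflare passes the original client address in this request header.
    RemoteIPHeader CF-Connecting-IP
    # Trust the header only from Cloudflare's published ranges
    # (https://www.cloudflare.com/ips/). The file path is an assumption:
    # one address range per line, maintained by the administrator.
    RemoteIPTrustedProxyList /etc/apache2/cloudflare-ranges.txt
</IfModule>

# --- ModSecurity engine and audit logging ---
<IfModule security2_module>
    # Stage 1: evaluate every rule and log matches, but reject nothing.
    SecRuleEngine DetectionOnly
    # Stage 2, once the audit log shows no matches on legitimate traffic:
    # SecRuleEngine On

    # Let rules inspect request bodies (forms, JSON), not only URLs and headers.
    SecRequestBodyAccess On

    # Log only transactions that triggered a rule or ended in a relevant
    # error status (any 5xx, and 4xx other than 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # CRS 3.x tuning: paranoia level 1 is the least strict rule set.
    SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
    # CRS 3.x anomaly scoring: a request is flagged when its accumulated
    # score reaches the inbound threshold (5 is the CRS default).
    SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=5,setvar:tx.outbound_anomaly_score_threshold=4"
</IfModule>
```
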
                    aie.sakaki @DaddyGo

                    @daddygo
                    The picture is so clear for me now. I much appreciate your advice and time. CF PRO plan is right at a reasonable cost. I will prefer it. Thanks 😊

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.