Opinion on how to set up a firewall



  • I want an opinion on how to set up a firewall to use with Application Center 2000. I want to keep my web servers separate from my internal workstations and database. This seems to call for three zones (external, DMZ and internal), but Application Center seems to want two NICs on each web server, as well as having each NIC on a different subnet. This is because one will be load balanced and only be used by web server clients, and the other will be used to access resources (database). The problem is that I feel I should not allow the web servers to touch the database without being able to control access. Should I add a new zone and control access by the firewall, or is there a better or recommended way? Will this put excess load on the firewall? Thank you



  • I wanted to add some extra info to clarify the zones we are considering.

    Currently we are experimenting with a pretty 'vanilla' setup with WAN, DMZ, and LAN interfaces.  However, our DMZ contains several webservers which communicate with a SQL DB and also have load balancing and replication provided by 'Application Center'.  Application Center wants each webserver to have two NICs (one for the web traffic and one for managing the load balancing, communicating with the DB, etc.), and 'strongly' recommends that each one be on its own subnet.  In order to accomplish this and isolate the database, it seems like the best configuration is:

    (External)
    1. WAN: static public IP and several virtual IPs (half a class C)

    (Internal)
    2. DMZ: contains multiple load balanced webservers
    3. WEBADMIN: contains the 'admin' nics from each of the load balanced webservers
    4. APPSERVERS: contains database(s) and other servers which don't handle external traffic but should be isolated from the workstations
    5. WORKSTATIONS: workstations, etc

    I was hoping to get some feedback on this setup because it seems like an awful lot of zones.  In particular I was wondering about the following:
    1. My networking experience is limited, but I figure that what I'm trying to do can't be that uncommon.  Is this considered a decent solution, or is it unnecessarily complicated?
    2. The webservers handle up to 5 Mb currently (and that could potentially go up to 10) and are hitting the DB constantly.  Can pfSense handle a configuration with this many zones, and what kind of hardware would it require - processor(s), RAM, HD, etc.?
    3. I'm currently using a Secure Computing Sidewinder G2 firewall, and don't really want to buy another, but would like a firewall where I have some redundancy.  With pfSense I figured I could just set up two boxes and if one goes down I just bring the other one up - with the stored config.  Is this a good approach, or am I asking for trouble?

    Thanks, and any feedback is appreciated.
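One way to express the five-zone plan above so that the firewall, not the web servers, decides who may reach the database, written here as an added pf.conf example (it is not the poster's configuration, and pfSense builds its rules in the web GUI rather than from a hand-written pf.conf, though they compile to this syntax). The interface names, the address plan, the SQL Server port and a single Application Center cluster address in the DMZ are assumptions.

```pf
# Added example of the five-zone design in pf.conf syntax; every name and
# address below is an assumption, not taken from the poster's network.
ext_if    = "em0"   # 1. WAN
dmz_if    = "em1"   # 2. DMZ: web-facing NICs of the load-balanced web servers
webadm_if = "em2"   # 3. WEBADMIN: second ("admin") NIC of each web server
app_if    = "em3"   # 4. APPSERVERS: database and other internal servers
lan_if    = "em4"   # 5. WORKSTATIONS

dmz_net     = "192.168.10.0/24"
webadm_net  = "192.168.20.0/24"
app_net     = "192.168.30.0/24"
lan_net     = "192.168.40.0/24"
web_vip     = "203.0.113.10"    # one public VIP on the WAN (documentation range)
web_cluster = "192.168.10.100"  # assumed Application Center cluster address in the DMZ
sql_server  = "192.168.30.5"
sql_port    = "1433"            # default SQL Server TCP port (assumption)
table <internal> { $dmz_net, $webadm_net, $app_net, $lan_net }

scrub in all
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $web_vip port { 80, 443 } -> $web_cluster

block log all                   # default deny on every interface, both directions
pass quick on lo0
# Outbound is only ever reached by flows already admitted at their ingress
# interface, so a blanket stateful pass out is safe and keeps the rules short.
pass out quick all keep state

# WAN: only HTTP/HTTPS to the published VIP (already redirected to the cluster)
pass in quick on $ext_if proto tcp from any to $web_cluster port { 80, 443 } \
    flags S/SA keep state

# DMZ web NICs answer clients via state but never initiate toward any inside zone
block in quick on $dmz_if from $dmz_net to <internal>

# WEBADMIN NICs reach the database host only, on the SQL port only
pass in quick on $webadm_if proto tcp from $webadm_net to $sql_server \
    port $sql_port flags S/SA keep state
block in quick on $webadm_if from $webadm_net to any

# APPSERVERS reply via state only; nothing new is allowed to leave that zone
block in quick on $app_if from $app_net to any

# WORKSTATIONS: the database on its port, web browsing out the WAN, nothing
# else inward (the DMZ and WEBADMIN zones are unreachable from here)
pass in quick on $lan_if proto tcp from $lan_net to $sql_server \
    port $sql_port flags S/SA keep state
block in quick on $lan_if from $lan_net to <internal>
pass in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 } keep state
```

Because every pass rule keeps state, only the first packet of each web-server-to-database connection is evaluated against the rule set and the rest of the flow is matched in the state table, which is why the extra zone costs far less CPU than the raw packet rate suggests.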



  • Not really an awful lot - I've configured that many on pfSense on a home setup :)

    My thoughts:

    1. Define "unnecessary".  It's a good idea from a security perspective, only you can judge whether or not it's worth the (relatively minor) admin overhead.
    2. That kind of question has been asked dozens of times before - a quick trawl of the forums will give you many answers.  I personally don't think 10 Mb will tax any modern hardware (heck, my 1.2 GHz Via box handles that without breaking sweat).
    3. Look in the CARP sub-forum - CARP allows you to set up automatic failover.


  • Thanks for the response, I'll check out CARP this evening.

    I had searched before for answers on bandwidth/throughput/hardware, but the responses seemed to be related to traffic shaping.



  • Some are and some aren't traffic shaping related - the trouble is the question keeps coming up and it's not a simple answer.  Pushing 10 Mb/s of full-size packets is a lot easier than pushing 10 Mb/s of minimum-size packets.  If you're installing packages (such as Snort) you'll require more "grunt" and RAM than if you don't.  Until you have a meaningful understanding of the actual traffic profile, it's impossible for anybody to provide guidance.

    I would say that you should consider:

    CPU: > 1 GHz - higher is better :)
    RAM: 512 MB is a good minimum - if you're installing packages then add more
    HD: Well, if you're not wanting packages it'll run happily from CF.  I'm using a 4 GB Microdrive with multiple packages and still have 2.7 GB of the 3.2 GB allocated to / free
    NIC: Intel always gets recommendations

    I suspect you'll find that the network cards matter more than anything else.

