Hi Mark,

My suggestions:

#1 (simple)

Internet ----->(nic1)Linux(nic2)---->(internal network with all machines on it)

Adjust IPChains to block everything incoming except port 80, and masquerade all outgoing traffic.

#2 (more complex)

Internet ----->(nic1)Linux(nic2)--+-->(all machines)
                                  |
                                  +-->Web server

Set up IPMasq rules to block everything incoming except port 80, which you forward to your Linux Web server (on the inside).

#3 (most complex)

Internet
   |
   |
(nic1) Linux Firewall (nic2)
   |
   |
   +-->Web server
   |
   |
(nic1) Linux Firewall (nic2)
   |
   |
(all machines)

I ran with solution #1 for almost two years. Once I figured out how to secure it, I had no problems. Except for my web server (for which I get free hosting), I still have #1.

Until you learn much more about Linux Firewalls, I suggest something like #1 using Freesco or coyotelinux. Of course, this list is a great resource.

George

Mark Phillips wrote:
>
> For all the network security gurus out there....
>
> I have a network with 5 machines (Windows and Linux) connected to the
> Internet. I am currently using a Win 95 as a proxy server (commercial
> software - Wingate). I plan to add a Web server (apache, jsp, servlets,
> etc.) on one of the Linux boxes. I am new to Linux and learning a lot as I
> install, configure and use it!
>
> My question relates to the network configuration. I have thought of three
> options, and would like some opinions....
>
> Option 1
> Attach the Linux webserver to my internal network and open a port on the
> proxy server to allow access. The down side is that anyone who gains access
> to the Linux box will have complete access to my network. Since I am new to
> Linux and network security I do not know how secure my Linux box is, nor do
> I want to find out after the fact that it wasn't!
>
> Internet ----->(nic1)Proxy(nic2)---->(internal network with all machines on it)
>
> Option 2
> Use the Linux/webserver as a router and put it between my proxy server and
> the Internet.
> This isolates the webserver from my network, so if it is
> compromised, then all I lose is what is on that box. I figure restoring the
> webserver/Linux box is good practice and a great learning experience....;) I
> would add a second NIC to the Linux/webserver box:
>
> Internet---->(nic1)Linux/webserver/router(nic2)---->(nic1)Proxy(nic2)---->(internal network with all machines on it)
>
> Option 3
> Use the Linux/webserver as a router again (2 NICs) but put it between the
> proxy server and the internal network. This puts the stronger security
> device (proxy server, I think) as the front line of defense (some protection
> for the web server?). The proxy has not been hacked in over 5 years of
> operation, but I have never had a port open to my network before (e.g. I
> opened a port to allow people to visit my web server).
>
> Internet---->(nic1)Proxy(nic2)---->(nic1)Linux/webserver/router(nic2)---->(internal network with all machines on it)
>
> I am sure there are many other permutations - if there is a better one,
> please let me know!
>
> Thanks!
>
> Mark Phillips
>
> P.S. Do I need 2 NICs in the Linux box to act as a router? Is one
> sufficient?
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
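Added example, not part of George's or Mark's messages: a POSIX sh function that writes out the ipchains/ipmasqadm ruleset George's layout #2 describes (deny everything inbound from the Internet except TCP port 80, forward that port to the Linux web server on the inside, masquerade all outgoing LAN traffic). ipchains and ipmasqadm are the 2.2-kernel tools the reply names; the interface names, the external address, the internal network and the web server's address are assumed placeholders that the caller supplies. The generated script is printed rather than executed so it can be reviewed first, and it has not been exercised on a live 2.2 system here. One caveat worth keeping in view: in layout #2 the web server still sits on the same segment as the other machines, which is exactly the exposure Mark describes under his Option 1; only layout #3 puts a second firewall between the web server and the LAN.

```shell
#!/bin/sh
# Added example (not from the original post): emit an ipchains/ipmasqadm
# ruleset for George's layout #2. All addresses and interface names are
# assumed placeholders supplied by the caller; adjust before use.
#
# Usage:
#   build_firewall_rules EXTIF INTIF EXTIP INTNET WEBSRV > rc.firewall
#     EXTIF   external interface (nic1, toward the Internet)
#     INTIF   internal interface (nic2, toward the LAN)
#     EXTIP   address on EXTIF
#     INTNET  internal network in CIDR form
#     WEBSRV  internal address of the Linux web server
build_firewall_rules() {
    extif="$1"; intif="$2"; extip="$3"; intnet="$4"; websrv="$5"
    cat <<EOF
#!/bin/sh
# Start clean and deny by default on anything arriving or being forwarded;
# traffic the firewall itself originates is allowed out.
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

# Loopback and the internal LAN may reach the firewall host.
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $intif -s $intnet -j ACCEPT

# Anti-spoofing: a packet claiming an internal source may never arrive on
# the external interface. Log it (-l) so the attempt is visible.
ipchains -A input -i $extif -s $intnet -j DENY -l

# The single inbound service allowed from the Internet: TCP port 80.
ipchains -A input -i $extif -p tcp -d $extip 80 -j ACCEPT

# Replies to connections the LAN opened through the masquerade: TCP
# segments that are not connection requests (! -y), and UDP/ICMP answers
# addressed to the masquerade port range on the external address.
ipchains -A input -i $extif -p tcp ! -y -d $extip -j ACCEPT
ipchains -A input -i $extif -p udp -d $extip 61000:65096 -j ACCEPT
ipchains -A input -i $extif -p icmp -d $extip -j ACCEPT

# Masquerade everything leaving the LAN for the Internet (on the forward
# chain, -i names the interface the packet will leave through).
ipchains -A forward -i $extif -s $intnet -j MASQ

# Let the redirected port-80 traffic be forwarded on to the web server;
# with a DENY forward policy this is needed in addition to the portfw entry.
ipchains -A forward -i $intif -p tcp -d $websrv 80 -j ACCEPT

# Forward port 80 on the external address to the inside web server.
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $extip 80 -R $websrv 80

# Routing between the two NICs is off until this is set.
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Example invocation with constructed placeholder values (not real hosts):
# build_firewall_rules eth0 eth1 203.0.113.5 192.168.1.0/24 192.168.1.10
```

The generated script answers Mark's P.S. in passing: the box needs two interfaces (one per segment) and ip_forward turned on before it routes at all; with one NIC there is nothing for the firewall to stand between.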