On Fri, 2008-12-12 at 15:05 +0100, carlopmart wrote:
> Sorry for the off-topic but I need some help with a specific
> implementation. I have two OpenBSD firewalls with 4 interfaces each one:
> one for internal lan, one for sync lan, one for dmz lan and another for
> Internet access.
>
> I need to grant access from dmz servers to iscsi storage servers located on
> internal lan. Which can be the best form to accomplish this??
Depends on how you define 'best' ;)

> a) Connect DMZ servers directly to iscsi servers using another private lan.

Simplest approach. Works for some.

> b) connect DMZ servers to iscsi server using private lan but using openbsd
> firewalls to grant access to iscsi network

Do you mean another interface/vlan for iscsi on the same physical OpenBSD
firewalls? Wouldn't do it. I'd keep iscsi and all the rest strictly
separated. Problem is when your OpenBSD setup is under heavy load or even
DOS'ed you may get nasty scsi timeouts on the dmz servers. scsi isn't really
tolerant ;) I saw linux servers just freeze because of that.

> c) Using a third openbsd firewall (with a snort IDS to control traffic
> content) configured as a bridge between DMZ servers and iSCSI servers ..

Sounds reasonable. Don't know about the snort part, but you can also use pf
on that bridge ...

-- 
Stephan A. Rickauer
-----------------------------------------------------------
Institute of Neuroinformatics      Tel +41 44 635 30 50
University / ETH Zurich            Sec +41 44 635 30 52
Winterthurerstrasse 190            Fax +41 44 635 30 53
CH-8057 Zurich                     Web www.ini.uzh.ch
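What "use pf on that bridge" from option c) looks like as a ruleset, as an added example that is not part of the thread and not either poster's configuration. The bridge host has two members with no IP addresses, one cabled to the DMZ initiators and one to the iSCSI targets; pf filters the IP traffic crossing it. Interface names, the sample addresses and the table names are assumptions; 3260 is the IANA-registered iSCSI port.

```pf
# /etc/pf.conf on the bridge host between the DMZ and the iSCSI storage lan.
# Added example, not from the thread. Interface names, addresses and table
# names are assumptions; 3260 is the IANA-registered iSCSI port.
dmz_if = "em0"   # bridge member cabled to the DMZ servers (iSCSI initiators)
san_if = "em1"   # bridge member cabled to the iSCSI storage servers (targets)

# Constructed sample addresses: list only the hosts that are allowed to talk
# iSCSI across the bridge. "const" keeps the tables from being changed at
# runtime with pfctl -t ... -T add.
table <initiators> const { 192.0.2.10, 192.0.2.11 }
table <targets>    const { 198.51.100.5, 198.51.100.6 }

iscsi_port = "3260"

set skip on lo0
# The bridge members carry no addresses of their own; a state created on the
# ingress member must also match when the same packet leaves the other member.
set state-policy floating

# Default deny, logged, so anything that is not iSCSI shows up on pflog0.
block log all

# Allow iSCSI only from known initiators to known targets. The stateful entry
# created on the ingress member lets the frame out of the other member and
# lets the target's replies back through without any further rules.
pass in  quick on $dmz_if proto tcp from <initiators> to <targets> \
    port $iscsi_port flags S/SA keep state
pass out quick on $san_if proto tcp from <initiators> to <targets> \
    port $iscsi_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the bridge itself is brought up from `/etc/hostname.bridge0` with the two members added to it. Two caveats worth keeping in mind: pf only sees IP, so ARP and other non-IP frames cross the bridge unfiltered, and pf does not look inside the iSCSI payload, which is what the snort part of option c) would add. The timeout concern raised above still applies to this box: every iSCSI session now depends on the bridge keeping up, so it should carry nothing but this traffic.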

