19th November 2012
J65nko (Administrator)

I would place the webserver in a DMZ.
For the simplest DMZ setup you would need a single box with 3 network cards.

With a proper DMZ pf.conf, a static website, and with all unnecessary services like mail, ftp, ssh disabled, there is not much opportunity for somebody to use your www server for serving malware or attacking others.

If you are really paranoid, you could even use a pf.conf for the server allowing only incoming traffic on tcp port 80, outgoing DNS traffic on tcp & udp port 53 and outgoing ntp (udp port 123).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
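The host-level ruleset described in the last paragraph of the post above could look like the following. This is an added example, not part of the original post; the interface name `em0` and the default-deny, logged layout are assumptions.

```conf
# /etc/pf.conf on the web server itself (constructed example)
# Assumption: em0 is the server's single interface, facing the DMZ.
ext_if = "em0"

# Do not filter loopback traffic.
set skip on lo0

# Drop silently instead of answering with RST / ICMP unreachable.
set block-policy drop

# Default deny in both directions. "log" copies every blocked packet
# to pflog0, so the ruleset can be debugged with:
#   tcpdump -n -e -ttt -i pflog0
block log all

# Inbound: only HTTP to this host. pf keeps state by default, so the
# replies of accepted connections are allowed out without an extra rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80

# Outbound: DNS lookups over both TCP and UDP.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53

# Outbound: NTP time synchronisation.
pass out on $ext_if inet proto udp from ($ext_if) to any port 123

# Nothing else is passed. A process on this box that tries to open any
# other outbound connection (for example to fetch a payload or to reach
# other hosts) hits "block log all" and shows up on pflog0.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; with ssh disabled as the post suggests, do this from the console.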