Hi friends,
I need to run an Internet-facing web server (along with a few other services).
Having a separate physical DMZ machine (along with proper port forwarding in the firewall) is seemingly the simple approach. However, I was hoping to reduce the number of boxes/wires and possibly have all this running securely off TrueNAS Core.
So my grand plan is this:
1) In my OPNsense firewall, configure a DMZ interface (separate subnet incompatible with the LAN)
2) Create a new jailed VM and assign it a dedicated DMZ network interface (I can plug in an additional PCI NIC card, right?) and an IP address (static or DHCP) linked to the DMZ interface from OPNsense.
3) Install Ubuntu and everything else I need in that new jailed VM
So my naive thinking (if possible at all) is that this web server will be completely insulated from my LAN. So if bad guys find a way to break into my jailed Ubuntu, my LAN would still be safe.
Is this possible?
I will have to do tons of reading since I don't know how to do it, but I would appreciate your opinion: is this possible? Is this safe? Are there any other concerns I should be aware of?
If you could point me in the right direction, please.
Thanks