Code:
             pf
             | (relayd to nginx)
           nginx
            / \
         pf --- pf
            \ /
      web  mail  dns
             |
         pf --- pf
            \ /
            db
The outer pf firewall would use relayd to redirect port 80 traffic to the nginx reverse proxy server. Relayd may also redirect ports 25 and 53 to the first dual pf firewalls for SMTP and DNS traffic, where there will be a mail server handling traffic for multiple domains and a non-authoritative DNS server.
The second dual firewalls will be protecting a database used for handling tables for web content.
The databases will use CARP and pfsync and will be loadbalanced.
There will initially be three domains.
Code:
             pf
             | (relayd to nginx) (smtpd to mail server)
        nginx   mail
            / \
         pf --- pf
            \ /
        web     dns
             |
         pf --- pf
            \ /
            db
A third alternative is to eliminate the first set of dual pf/firewalls and only have the outer firewall and the interior pair for the database.
Any recommendations or opinions on the best way to implement this design? Or in what way would you implement this setup for three domains?
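As an added worked example (not from the original post or from any reply in the thread), here is one way to wire up the first diagram on OpenBSD: relayd.conf and pf.conf for the outer firewall, plus the CARP, pfsync and relayd setup for the inner pair, assuming the CARP/pfsync load balancing sits on the pf pair directly in front of the database hosts. All interface names, addresses (RFC 5737 / RFC 1918 ranges), the shared-secret placeholder, the management host and the PostgreSQL port are assumptions; change them to match the real network.

```conf
# ---- Outer firewall: /etc/relayd.conf (all addresses are assumed) ----
ext_addr = "203.0.113.10"           # public address the three domains resolve to

table <nginx> { 10.0.1.10 }         # reverse proxy directly behind the outer pf
table <mail>  { 10.0.1.20 }         # mail server behind the first pf pair
table <dns>   { 10.0.1.30 }         # non-authoritative dns behind the first pf pair

# A "redirect" is a layer-3 forward: relayd loads pass/rdr-to rules into the
# "relayd/*" pf anchor and drops a host from the table when its check fails,
# so a dead backend is never handed a connection.
redirect www {
    listen on $ext_addr port 80
    forward to <nginx> check http "/" code 200
}

redirect smtp {
    listen on $ext_addr port 25
    forward to <mail> check tcp
}

redirect dns_udp {
    listen on $ext_addr udp port 53
    forward to <dns> check tcp          # health check over tcp/53; udp has no handshake
}

redirect dns_tcp {
    listen on $ext_addr port 53
    forward to <dns> check tcp
}

# ---- Outer firewall: /etc/pf.conf ----
ext_if = "em0"
int_if = "em1"
inside = "10.0.1.0/24"

set skip on lo
block log all                        # default deny; every pass below is explicit

# relayd installs its "pass in quick ... rdr-to" rules here, so the anchor
# must exist and sit before anything else that could match ports 80/25/53.
anchor "relayd/*"

pass out on $int_if proto { tcp udp } to $inside   # redirected flows to the inside hosts
pass in  on $int_if from $inside                   # outbound mail delivery, recursion, updates
pass out on $ext_if
# net.inet.ip.forwarding=1 is also required in /etc/sysctl.conf for the redirects to work.

# ---- Inner pf pair in front of the database (identical on both nodes) ----
# /etc/hostname.carp0  (shared address the web tier connects to; advskew 100 on the backup)
#   inet 10.0.1.254 255.255.255.0 10.0.1.255 vhid 10 carpdev em0 pass CHANGE_ME advskew 0
# /etc/hostname.pfsync0  (state table sync over a dedicated crossover link)
#   up syncdev em2
# /etc/sysctl.conf
#   net.inet.ip.forwarding=1
#   net.inet.carp.preempt=1          # demote the whole node if any carp interface fails

# /etc/relayd.conf on the pair: balance the web tier across the database hosts
table <dbs> { 10.0.2.10 10.0.2.11 }
redirect db {
    listen on 10.0.1.254 port 5432     # the carp address, so it follows the master node
    forward to <dbs> mode roundrobin check tcp
}

# /etc/pf.conf on the pair
ext_if  = "em0"                      # toward the web tier
int_if  = "em1"                      # toward the database hosts
sync_if = "em2"
db_port = "5432"                     # assumed PostgreSQL; adjust for the real database
web_srv = "10.0.1.40"                # assumed address of the web server

set skip on lo
block log all

pass quick on $sync_if proto pfsync keep state (no-sync)          # state sync, never mirrored
pass on { $ext_if $int_if } proto carp keep state (no-sync)       # carp advertisements

# relayd's anchor rules pass from "any", so restrict the source first:
# only the web server may talk to the database address at all.
block in quick on $ext_if proto tcp from ! $web_srv to 10.0.1.254 port $db_port
anchor "relayd/*"

pass out on $int_if proto tcp to <dbs> port $db_port
```

Check both files before loading them with `relayd -n` and `pfctl -nf /etc/pf.conf`. Because the db redirect listens on the CARP address and pfsync mirrors the redirected states, a failover of the inner pair keeps existing database connections instead of resetting them. For the second diagram the `redirect smtp` block goes away and smtpd on the outer firewall is configured to relay inbound mail for the three domains to the mail server instead.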