Hi all,
I am not a security expert, but I have to set up some servers with web services and specific applications that would be open to the web with the help of ZeroMQ via an SSH tunnel, with a double stack IPv4/IPv6, or possibly only IPv6.
Code:
WEB -------------- FreeBSD -------------- Jail_server
                   Host        |--------- Jail_www_framework
                               |--------- Jail_www_database
                               |--------- Jail_smtp
                               |--------- Jail_application
The Jail_application is security critical and would serve only a white list from the web.
Questions:
- Is it mandatory to be dual stack IPv4/IPv6? Can I be IPv6 only or would it prevent some customers from using my services?
- Shall I use a virtual interface to isolate the jails from the web with the use of NAT? Or is it equivalent to have the host and the jails on the same IPv6 subnet, thanks to appropriate pf rules?
- Should I put Jail_application on another host or is it alright thanks to appropriate pf rules?
- What else should I consider?
Good and recent links are welcome.