Hello, I am looking to deploy Nethserver as an e-mail server with subscription for updates.
The server only has one interface that will be publicly routable. I guess it would be both red and green interface? What would be the best way to deploy from a security perspective? It’s probably not a good idea to have port 9090 or 980 facing the internet…
Thank you Andy. This is helpful. Seems like a possibility, before I try what you suggested, what about this, add a second interface, publicly routable but behind a firewall to the internet:
2.2.2.2 - red interface - open to the internet for mail ports
2.2.2.20 - green interface - behind a firewall - for management interface
They might share the same subnet. In this case, the answer is no.
In any case, via Cockpit you can limit the public IP addresses which can access port 9090.
Hello Pike, I believe I tried this, there is no way to limit Cockpit on Nethserver from the web interface. I don’t recall the details, it was over a month ago.
Pike, indeed I was wrong, you can. I think what I was trying to do is at the firewall level limit access to Cockpit to a subnet, which was not possible, something to do with systemd/green interface.
Nonetheless I like the idea or red/green, it’s just I’m limited to the setup of the network of my environment and I have to play within the rules.
Further to the article that Andy was suggesting, this installation would be on a self-hosted hypervisor; our network uses publicly routable addresses.
How about this:
2.2.2.2/255.255.255.0 - red interface - open to the internet for mail ports
2.2.22.20/255.255.255.0 - green interface - behind a firewall - for management interface
I don’t believe it should matter if both are on the same VLAN…?
I don’t suggest putting the interfaces on the same VLAN, but it might work.
Also, you can limit access to Cockpit from selected IPs after the complete setup.
This works and is the best way. The green network is behind the Nethserver firewall and the red is reachable from the internet. But like @pike wrote, I would also use a VLAN. I think without it, it could be a security risk.
I’d strongly suggest using a “public” IP as RED, but a “private” network for GREEN.
I.e.:
RED = 2.2.2.2/24
GREEN = 192.168.2.1/24
Note:
Even if using a “private”, non-Internet-routable IP address, any server you want on that network can still be reachable from the Internet. This is where NAT / port forwarding comes in.
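The thread turns on two checks: whether the proposed RED and GREEN addresses land in the same subnet (the first plan, 2.2.2.2 and 2.2.2.20 with a /24 mask, does; the later plans do not), and whether GREEN, the management side carrying Cockpit on 9090, sits on a private network as Andy recommends. The following is an added example written for this thread, not NethServer code and not posted by any participant; it uses only Python's standard `ipaddress` module to run those checks over the addressing plans quoted above, plus a small allow-list test of the kind the "limit Cockpit to selected IPs" setting implements. The plan names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Constructed from the plans discussed in the thread.
PLAN_SAME_SUBNET = {"red": "2.2.2.2/24", "green": "2.2.2.20/24"}
PLAN_SPLIT_PUBLIC = {"red": "2.2.2.2/24", "green": "2.2.22.20/24"}
PLAN_PRIVATE_GREEN = {"red": "2.2.2.2/24", "green": "192.168.2.1/24"}


def check_interface_plan(plan):
    """Return a list of design issues for a dict of role -> 'address/prefix'.

    Flags (1) any two interfaces whose subnets overlap, which would make the
    red/green split meaningless, and (2) a GREEN (management) interface that
    uses a publicly routable address, so Cockpit would be reachable without
    any NAT or port-forward decision being made.
    """
    ifaces = {role: ipaddress.ip_interface(cidr) for role, cidr in plan.items()}
    issues = []

    roles = list(ifaces)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                issues.append(f"{a} and {b} share subnet {ifaces[a].network}")

    green = ifaces.get("green")
    if green is not None and not green.ip.is_private:
        issues.append(f"green address {green.ip} is publicly routable")

    return issues


def cockpit_allowed(source_ip, allowed_cidrs):
    """True if source_ip falls inside any of the allow-listed networks.

    This mirrors the idea of restricting port 9090 to selected addresses; the
    real enforcement lives in the server's firewall, this only models it.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


if __name__ == "__main__":
    for name, plan in [("same subnet", PLAN_SAME_SUBNET),
                       ("split, public green", PLAN_SPLIT_PUBLIC),
                       ("private green", PLAN_PRIVATE_GREEN)]:
        print(name, "->", check_interface_plan(plan) or "no issues")
    print(cockpit_allowed("192.168.2.50", ["192.168.2.0/24"]))
```

Run as-is it reports the overlap for the first plan, the public GREEN address for the second, and no issues for the private-GREEN plan. The allow-list helper is the part to extend if you want to sanity-check a Cockpit restriction before applying it: feed it the networks you intend to permit and the addresses you expect to be blocked.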