I colocate four servers in two DCs, all running FreeBSD with PF. My main host is running a jail that hosts a bhyve VM.
With four jails, each running its own bhyve VM, they run another FreeBSD OS, allowing me to host jails for different services: email, web and game servers.
I'm not a fan of DMZs, as they get messy: you then have to ensure your host is protected correctly. So I use bridges; I have two bridges, an outer and an inner.
Services requiring outbound internet access are tapped to the outer bridge, which is throttled and, if required, can then load balance between it and the inner bridge, which is under the control of deny all, allow some, to my own set of home IPs.
The outer bridge cannot contact services in the inner, but the inner can contact the outer, though it can only host internally.
This is all done with PF within each jail, as each jail provides you with its own vnet adapter, which can be applied to a bridge.
If you wish to learn further, that is what you work up to. But for the personal user who wishes to self-host and to have an internet presence, a firewall is just fine.
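Below is an added example of what the "deny all, allow some" ruleset for one inner-bridge jail could look like in PF; it is not the poster's configuration. It assumes the jail's vnet interface inside the jail is named `epair0b`, that the inner bridge uses `10.10.0.0/24` and the outer bridge `10.20.0.0/24`, and that the home IPs are constructed TEST-NET-3 placeholders. Every rule uses `quick` so the first match wins, and the default is to block and log everything that no pass rule explicitly allows.

```pf
# /etc/pf.conf inside an inner-bridge jail (added example; all names and
# addresses are assumptions, not the poster's real values)
ext_if    = "epair0b"        # the jail's vnet adapter, attached to the inner bridge
inner_net = "10.10.0.0/24"   # assumed inner bridge network
outer_net = "10.20.0.0/24"   # assumed outer bridge network

# "allow some": the set of home IPs that may reach inner services
table <home_ips> persist { 203.0.113.10, 203.0.113.11 }   # constructed placeholders

set skip on lo0
set block-policy drop
scrub in all

# "deny all": everything not matched by a pass rule below is dropped and logged,
# so unexpected traffic shows up in pflog for review.
block log all

# The outer bridge may never initiate into the inner bridge; stated explicitly
# so the intent survives even if someone later adds a broad pass rule.
block in quick on $ext_if from $outer_net to any

# The inner jail may initiate to services on the outer bridge; keep state so
# only replies to those connections come back in.
pass out quick on $ext_if proto { tcp udp } from $inner_net to $outer_net keep state

# Inner services (assumed SSH and HTTPS) are reachable only from other inner
# hosts and from the home IP set; SYN-only matching avoids accepting mid-stream
# packets as new connections.
pass in quick on $ext_if proto tcp from $inner_net to ($ext_if) port { 22, 443 } flags S/SA keep state
pass in quick on $ext_if proto tcp from <home_ips> to ($ext_if) port { 22, 443 } flags S/SA keep state
```

Before loading this in a jail, `pfctl -nf /etc/pf.conf` parses the file without applying it, so a syntax error cannot leave the jail with no ruleset, and `pfctl -sr` afterwards shows the rules as PF actually interpreted them. The outer-bridge jail would carry the mirror image: pass out to the internet and pass in on its published service ports, with a `block in quick` from the outer bridge toward `$inner_net` left in place as a backstop.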
This is very interesting! Have you considered writing a blog post explaining that kind of setup? I would love that! In the meantime, thanks a lot for the insights, that's a good starting point!
> I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly.
Could you elaborate on that? Specifically, in my case I would have a perimeter router to which I would connect both my server and the inner router. My LAN would stay behind the inner router, so my understanding is that it still strictly has the same security as when my inner router was connected to the ISP; I just add a layer with the perimeter router.
Then the perimeter router opens the server (probably just chosen ports) to the public Internet, so that the server is reachable.
Wouldn't that mean that my host is protected correctly?