.../... Can you advise me what kind of firewall rule should I set? Thanks
Say you want to isolate an internal HTTP server so that it can be accessed only from the internal proxy using the HTTP protocol and from a few stations for admin purposes, then you can easily plug this server on a dedicated interface, define the network in eBox and set FW rules so that only the proxy is authorized to access this network with the HTTP protocol. Add another rule authorizing SSH from known admin stations et voilà.
hmm, why should you want this web server to be accessible via proxy only...? I don't know
because you want to ensure cache at proxy level, or load balancing if your proxy can do this or any other good reason.
That's a very simplified example, maybe meaningless in your environment. Do you need any DMZ?
Another approach could be to host services exposed to external network: by connecting dedicated servers hosting services accessible from internet:
- port forwarding is required to expose such service
- if you forward to a server on your internal network, then any weakness on this server could be used by hackers to reach, bouncing on this server, your internal network.
- by isolating this server on dedicated subnet, you never expose your internal network, assuming you control, at FW level, how this server is authorized to communicate with internal network, of course
At this stage, other mechanisms can be used to have internal network a bit more hidden if needed.
To make it short, it's really not mandatory to use ALL interfaces but having more than 2 may help in some specific situations.
Christian
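
An added example, not part of the post above and not eBox code: a small first-match rule model of the isolated-server policy described there, with an audit that replays test flows so a misplaced broad rule is caught before it reaches the firewall. The subnets, host addresses, rule tuple layout and the stateless first-match evaluation are all assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the post)
INTERNAL = "192.168.1.0/24"    # internal LAN
DMZ = "192.168.50.0/24"        # dedicated interface for the isolated server
PROXY = "192.168.1.10/32"
ADMINS = ["192.168.1.21/32", "192.168.1.22/32"]
WEB = "192.168.50.10/32"

# Ordered rules (action, source, destination, protocol, dport); first match wins.
# None means "any". Reply traffic is assumed to be handled by connection tracking.
RULES = [
    ("ACCEPT", PROXY, WEB, "tcp", 80),                  # only the proxy speaks HTTP
    *[("ACCEPT", a, WEB, "tcp", 22) for a in ADMINS],   # SSH from admin stations
    ("DROP", INTERNAL, DMZ, None, None),                # everything else towards the server
    ("DROP", DMZ, INTERNAL, None, None),                # server cannot open flows inward
]
# Weak variant: a broad allow placed first shadows the specific rules.
WEAK = [("ACCEPT", INTERNAL, DMZ, None, None)] + RULES

def decide(src, dst, proto, dport, rules=RULES):
    """Return the action of the first matching rule, or DROP by default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto in (None, proto) and rport in (None, dport)):
            return action
    return "DROP"

# Constructed test flows: (src, dst, proto, dport, expected action)
EXPECTED = [
    ("192.168.1.10", "192.168.50.10", "tcp", 80, "ACCEPT"),  # proxy -> HTTP
    ("192.168.1.21", "192.168.50.10", "tcp", 22, "ACCEPT"),  # admin -> SSH
    ("192.168.1.77", "192.168.50.10", "tcp", 80, "DROP"),    # ordinary station
    ("192.168.1.10", "192.168.50.10", "tcp", 22, "DROP"),    # proxy has no SSH
    ("192.168.50.10", "192.168.1.5", "tcp", 445, "DROP"),    # server -> internal
]

def audit(rules=RULES):
    """Return the test flows whose decision differs from the intended policy."""
    return [f for f in EXPECTED if decide(*f[:4], rules) != f[4]]

if __name__ == "__main__":
    print("intended ruleset violations:", audit())
    print("weak ruleset violations:", audit(WEAK))
```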