Shawn wrote:
> I have a situation where some separate domains/servers will be moved to
> a location that is behind a single firewall (and IP). We want to keep
> each of the boxes functioning as usual, so realize we'll need a gateway
> box of some sort.
>
> For websites, we can do VHosts with ProxyPass/ProxyPassReverse. And for
> email we can set up Postfix/qmail/etc to behave as a gateway to the
> internal device. But is there a better way to accomplish this? And
> what about POP3, IMAP, FTP, etc?
>
> Is there a decent way to put in a gateway server to handle all of this?
> Or are we limited to handling it on a package by package basis?
>
> To highlight the problems, imagine the following:
>
> domainA - requires web, smtp, POP3, and resides on its own server
> domainB - requires web, smtp, IMAP, and FTP. resides on its own server.
> domainC - requires FTP only, resides on its own server.
> domainD - requires smtp, POP3, IMAP, resides on its own server
>
> In all cases, SSH access is required.
>
> So, is there a gateway service for SSH, POP3, IMAP, and FTP? The
> services would need to be forwarded to the appropriate box, but how do
> you know which box is the right destination when all you have is the
> port number?
>
> From a firewall perspective, I can see using different ports, but that
> will only work in a few cases.
>
> I think I'm missing a simpler solution somewhere, so thought I'd check
> with our experts.. :)
>
> Thanks for any tips.
>
> Shawn
>
> (ps - I know I can *make* it work, but would prefer to keep the
> maintenance as low as possible)

Hi Shawn,

I'm no network/security/firewall expert, but provided domains A-D have distinct IP addresses: with NAT/port forwarding enabled on the gateway, incoming requests can be redirected to an IP address+port inside the firewall. So in your case, for the 4 domains you would add a total of 3+4+1+3 redirect rules to your packet filter or iptables config.

My 0.02 $. I have done this in OpenBSD, to redirect http requests. But although it is easy to do, what security nightmare it may pose I'm not sure. Are there any security experts who might care to comment?

John

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
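
The redirect rules discussed above, written out for the four example domains as an added example that is not part of either message. It assumes one public address per domain (John's premise), standard service ports, and constructed RFC 5737 / RFC 1918 addresses; it only prints iptables DNAT rules and never applies them. It also forwards the SSH port Shawn requires on every box, and lists which ports more than one box wants, which is the case a single shared IP cannot separate by port number alone.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables DNAT rules for the thread's
# four domains. Every address below is a constructed placeholder.

# name, public IP (RFC 5737), internal IP (RFC 1918), forwarded services
HOSTS='domainA 203.0.113.11 10.0.0.11 web,smtp,pop3,ssh
domainB 203.0.113.12 10.0.0.12 web,smtp,imap,ftp,ssh
domainC 203.0.113.13 10.0.0.13 ftp,ssh
domainD 203.0.113.14 10.0.0.14 smtp,pop3,imap,ssh'

# Standard TCP port for each service named in the thread.
port_for() {
    case "$1" in
        web)  echo 80 ;;
        smtp) echo 25 ;;
        pop3) echo 110 ;;
        imap) echo 143 ;;
        ftp)  echo 21 ;;
        ssh)  echo 22 ;;
        *)    return 1 ;;
    esac
}

# One DNAT rule per (box, service) pair; anything not listed stays closed.
# FTP: port 21 is only the control channel; data connections also need the
# kernel FTP NAT helper (nf_nat_ftp) or a forwarded passive port range.
gen_rules() {
    echo "$HOSTS" | while read -r name pub priv svcs; do
        for svc in $(echo "$svcs" | tr , ' '); do
            port=$(port_for "$svc") || { echo "unknown service: $svc" >&2; continue; }
            echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $priv:$port  # $name $svc"
        done
    done
}

# Ports wanted by more than one box. Behind a single shared public IP the
# port is the only selector, so these cannot be split by DNAT alone.
shared_ports() {
    gen_rules | sed 's/.*--dport \([0-9]*\) .*/\1/' | sort -n | uniq -d
}

gen_rules
echo "ports wanted by more than one box: $(shared_ports | tr '\n' ' ')"
```
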

