John Clarke wrote:
> Shawn wrote:
>
>> I have a situation where some separate domains/servers will be moved to
>> a location that is behind a single firewall (and IP). We want to keep
>> each of the boxes functioning as usual, so realize we'll need a gateway
>> box of some sort.
>>
>> For websites, we can do VHosts with ProxyPass/ProxyPassReverse. And for
>> email we can set up Postfix/qmail/etc. to behave as a gateway to the
>> internal device. But is there a better way to accomplish this? And
>> what about POP3, IMAP, FTP, etc.?
>>
>> Is there a decent way to put in a gateway server to handle all of this?
>> Or are we limited to handling it on a package-by-package basis?
>>
>> To highlight the problems, imagine the following:
>>
>> domainA - requires web, SMTP, POP3, and resides on its own server
>> domainB - requires web, SMTP, IMAP, and FTP; resides on its own server
>> domainC - requires FTP only; resides on its own server
>> domainD - requires SMTP, POP3, IMAP; resides on its own server
>>
>> In all cases, SSH access is required.
>>
>> So, is there a gateway service for SSH, POP3, IMAP, and FTP? The
>> services would need to be forwarded to the appropriate box, but how do
>> you know which box is the right destination when all you have is the
>> port number?
>>
>> From a firewall perspective, I can see using different ports, but that
>> will only work in a few cases.
>>
>> I think I'm missing a simpler solution somewhere, so thought I'd check
>> with our experts.. :)
>>
>> Thanks for any tips.
>>
>> Shawn
>>
>> (ps - I know I can *make* it work, but would prefer to keep the
>> maintenance as low as possible)
>
> Hi Shawn,
>
> I'm no network/security/firewall expert, but provided domains A-D have
> distinct IP addresses: with NAT/port forwarding enabled on the gateway,
> incoming requests can be redirected to an IP address + port inside the
> firewall.
>
> So in your case, for the 4 domains you would add a total of 3+4+1+3
> redirect rules to your packet filter or iptables config.
>
> My 0.02 $. I have done this in OpenBSD, to redirect HTTP requests. But
> although it is easy to do, what security nightmare it may pose I'm not
> sure.
>
> Are there any security experts who might care to comment?
>
> John
>
>> _______________________________________________
>> clug-talk mailing list
>> [email protected]
>> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
>> **Please remove these lines when replying

My $2 Pesos: I have not done firewall/security in a while (a very long
while); but like John said you just need some good forwarding rules. If
I'm not mistaken NETFILTER (IPTABLES, et al.) is the perfect tool to do
just that. Have a look at the HOWTO for both NETFILTER/IPTABLES and
Advanced Routing. These tools are GPL'd so they can be deployed in either
GNU/LINUX or FreeBSD... Again, have a look at these two tools. I am almost
certain that getting it to work the way you want will be trivial...

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
http://lartc.org/ (Linux Advanced Routing & Traffic Control)
http://tldp.org/HOWTO/Firewall-HOWTO.html (Firewall/Proxy)

-- 
Juan Alberto Cirez
Phone: +1(780)742-8860
[EMAIL PROTECTED]
Wide and Open Northern Alberta, Canada.
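The NAT/port-forwarding approach John and Juan describe, worked through as an added example that is not from this thread or from the netfilter project: a POSIX shell script that turns a service table for Shawn's four domains into iptables DNAT and FORWARD rules for a gateway with one public IP, and checks for the collision Shawn is worried about, namely two internal boxes both wanting the same external port. Every address, the interface name and the port numbers are constructed placeholders; the table deliberately moves the second, third and fourth SMTP servers (and domainD's POP3/IMAP) off their standard ports because a single public address can forward a given port to only one host.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter project: build iptables
# DNAT + FORWARD rules for several internal hosts behind ONE public IP, and
# flag external ports that two hosts both claim (the problem Shawn raises).
# Every address, interface name and port below is a constructed placeholder.

WAN_IF="eth0"               # assumed external interface of the gateway
PUBLIC_IP="203.0.113.10"    # constructed placeholder (TEST-NET-3 range)

# Service table: domain service proto external_port internal_ip internal_port
# Only one host can own a given external port, so the 2nd/3rd/4th SMTP
# servers (and domainD's POP3/IMAP) are remapped to non-standard ports.
SERVICE_TABLE='
domainA web  tcp 80   192.168.10.11 80
domainA smtp tcp 25   192.168.10.11 25
domainA pop3 tcp 110  192.168.10.11 110
domainA ssh  tcp 2201 192.168.10.11 22
domainB web  tcp 8080 192.168.10.12 80
domainB smtp tcp 2525 192.168.10.12 25
domainB imap tcp 143  192.168.10.12 143
domainB ftp  tcp 21   192.168.10.12 21
domainB ssh  tcp 2202 192.168.10.12 22
domainC ftp  tcp 2121 192.168.10.13 21
domainC ssh  tcp 2203 192.168.10.13 22
domainD smtp tcp 2526 192.168.10.14 25
domainD pop3 tcp 1110 192.168.10.14 110
domainD imap tcp 1143 192.168.10.14 143
domainD ssh  tcp 2204 192.168.10.14 22
'

# find_collisions TABLE: print "proto/port" for each external port that more
# than one row claims.  Empty output means the table is forwardable as-is.
find_collisions() {
    printf '%s\n' "$1" | awk 'NF >= 6 && $1 !~ /^#/ {
        key = $3 "/" $4; seen[key]++
        if (seen[key] == 2) print key
    }'
}

# gen_baseline: default-deny forwarding; only reply traffic of existing
# connections is allowed through without an explicit per-service rule.
gen_baseline() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# gen_rules TABLE: one PREROUTING DNAT rule plus one matching FORWARD accept
# per row, printed (not executed) so the ruleset can be reviewed first.
gen_rules() {
    printf '%s\n' "$1" | while read -r domain svc proto extport intip intport; do
        [ -z "$domain" ] && continue
        case "$domain" in '#'*) continue ;; esac
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p $proto --dport $extport -j DNAT --to-destination $intip:$intport  # $domain $svc"
        echo "iptables -A FORWARD -i $WAN_IF -p $proto -d $intip --dport $intport -m conntrack --ctstate NEW -j ACCEPT  # $domain $svc"
    done
}

# Refuse to emit a ruleset in which two rows claim one external port: iptables
# would match only the first, and the second host would be silently unreachable.
collisions=$(find_collisions "$SERVICE_TABLE")
if [ -n "$collisions" ]; then
    echo "external port(s) claimed by more than one host: $collisions" >&2
else
    gen_baseline
    gen_rules "$SERVICE_TABLE"
fi
```

The collision check is the real content here. Port forwarding answers Shawn's question only for services whose clients can be told a non-standard port (SSH, POP3, IMAP, FTP for your own users); inbound mail is delivered by other sites' MTAs to port 25 regardless, so only one internal box can receive on it and the other three need a protocol-aware relay (Postfix routing on the recipient domain) in front of them, which is the "only works in a few cases" limit in the original question. Two further practical points: FTP through DNAT needs the nf_conntrack_ftp and nf_nat_ftp helpers loaded or the data connections will not follow the control channel, and the FORWARD rules above admit only new connections to the listed internal ports on top of a DROP default, which is what keeps John's "security nightmare" contained to the services you meant to expose.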

