hi ya

gazillion different solutions for "secure topologies"
that depend on time, $$$$ and machines available,
skillset and what you're protecting against

c ya
alvin

-- you need backups ... :-)

-- disallow insecure services even behind the firewall
   ( telnet, ftp, pop3/imap, dhcp, wireless )
   use ssh, scp, pop3s/imaps, static ip, gw+fw instead

-- use different login for different services
   - email addy should NOT be your ssh login's
   - vpn login should be different ( you.vpn )
   - ppp login should be different ( you.ppp )
   - wireless login should be diff ( you.wireless )

-- use multiple firewalls
   - use a secured/hardened/well designed "firewall"
   - harden all servers and services as if the firewall did NOT exist
   - one dmz ... www, mail, dns, ntp server, other external services
     ( probably natting fw )
   - 2nd dmz ... vpn, ssh login server ??
   - 3rd dmz ... wireless
   - 4th dmz ... local lan
   - 4th dmz ... hr/payroll/acct payable/acct receivable

   - if you're using only one firewall ..
     - get a 386PC and make a 2nd firewall for internal machines
       separated from outside www/dns/mail

-- too much firewall and gateway ???
   donno ... ( depends on client's paranoia level
   and what are the consequences ( WHEN a [cr/h]acker gets thru ))

On Sat, 22 Mar 2003, Hanasaki JiJi wrote:

> Would you share your opinions on the following setup for daemons?
>
> firewall runs
>     whois server - gwhois or jwhois?
>
>     iptables - firewall
>
>     forwards-to/NAT-from internal smtp server
>         <what iptables rules will accomplish this>
>
>     NAT outgoing DNS for internal bind9 server
>
>     bind9 - for external dns
>         <no connection between these two servers>
>
>     NAT from internal SQUID server to internet
>
>     ntp - time server for internal
>         <safe to run this on the firewall?>
>
>
> host(s) inside the firewall
>     smtp server - exim4
>     dhcp3-server for internal
>     bind9 - for internal dns
>     squid - http proxy
>     webserver - apache for internal and external
>         domain.com
>         internal.domain.com
>         <both on same server>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
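
One way to check the "disallow insecure services even behind the firewall" item from the reply above, as an added example that is not part of either e-mail: it scans `ss -tuln` output for the cleartext services the reply lists and names the replacement it suggests. The port mapping, the function names and the sample output are assumptions constructed for this example; wireless has no port number and is not covered.

```python
# Added example: flag listeners for the cleartext services named in the reply.
# (protocol, port) -> (service, replacement the reply suggests); ports are the
# standard assignments, the mapping itself is an assumption of this example.
CLEARTEXT = {
    ("tcp", 23): ("telnet", "ssh"),
    ("tcp", 21): ("ftp", "scp"),
    ("tcp", 110): ("pop3", "pop3s"),
    ("tcp", 143): ("imap", "imaps"),
    ("udp", 67): ("dhcp", "static ip"),
}

# Constructed sample in the layout printed by `ss -tuln` (not real host data).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      192.168.1.10:23    0.0.0.0:*
tcp   LISTEN 0      100    [::]:143           [::]:*
tcp   LISTEN 0      100    0.0.0.0:993        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:67         0.0.0.0:*
tcp   LISTEN 0      32     127.0.0.1:21       0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -tuln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        # rpartition splits on the last colon, so "[::]:143" parses correctly.
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr.strip("[]"), int(port)


def audit(ss_output, include_loopback=False):
    """Return (service, address, port, replacement) for each cleartext listener."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        hit = CLEARTEXT.get((proto, port))
        if hit is None:
            continue
        # Loopback-only listeners are not reachable from the LAN; skipped by default.
        if not include_loopback and (addr == "::1" or addr.startswith("127.")):
            continue
        findings.append((hit[0], addr, port, hit[1]))
    return findings


if __name__ == "__main__":
    for service, addr, port, replacement in audit(SAMPLE_SS):
        print(f"{service} listening on {addr}:{port} -> use {replacement} instead")
```

On a live host, feed it the real listing, for example `audit(subprocess.check_output(["ss", "-tuln"], text=True))`, on every machine including those behind the firewall.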