This may not necessarily be the safest advice either, Jacob.
Let's say you have a firewall:

    fw:   (no ports open to the internet)

...with no open ports to the internet, *BUT* you are port-forwarding to some internal
webservers and a mail server and the like:

    fw:   25 -> mail
          80 -> web
In this situation, the most likely way your network is cracked is through the
webserver or another service. Now the webserver is cracked, and we find ourselves in
a DMZ or some portion of a network:
    fw:            web (we are here):   mail:
    22   ssh       80                   25
    53   domain                         110
    2049 nfs
Now we have more access to the firewall.
The point of the point:
There aren't likely any services running on the firewall open to the internet, except
perhaps ssh. Therefore, I claim a network is more likely to become cracked through a
forwarded port, behind the (or a) firewall. So the firewall shouldn't trust its
network any more than the internet, or more than necessary.
Cory
On Mon, Jul 23, 2001 at 05:48:54PM -0700, Jacob Meuser wrote:
> On Mon, Jul 23, 2001 at 02:03:49PM -0700, Justin Bengtson wrote:
> > debian running iptables. the firewall doesn't need storage. it needs to
> > talk to the networked drive so i can play music with it. besides, i only
> > filter the outside world, not the internal LAN. i'm sure SAMBA is mature
> > enough to know what connections it is allowed to talk on and which not to.
> > isn't it?
> >
> But if your f/w gets compromised, Samba may be an easy route to the
> rest of your network.
>
> It's better to have your f/w trust your network, than to have your
> network trust your f/w, if that is possible with Samba.
>
> In other words, (some of) your internal network should be able to connect
> to your firewall, but your firewall should not be able to connect to
> anything on your internal network.
>
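The trust direction Jacob and Cory are arguing about, written out as an iptables ruleset (an added example, not code from anyone in this thread; the interface names, addresses and the IPT=echo dry-run switch are assumptions): the LAN may open ssh to the firewall, the firewall originates nothing toward the LAN or DMZ, and the forwarded web and mail hosts can open nothing back toward the firewall or the LAN, so a cracked webserver gets only its own replies.

```shell
#!/bin/sh
# Assumed topology (constructed for this example): eth0 = internet,
# eth1 = LAN 192.168.1.0/24, eth2 = DMZ 10.0.0.0/24 holding the
# web server (10.0.0.80) and the mail server (10.0.0.25).
# "IPT=echo ./fw.sh apply" prints the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN=192.168.1.0/24; DMZ=10.0.0.0/24; WEB=10.0.0.80; MAIL=10.0.0.25

fw_rules() {
  $IPT -F; $IPT -t nat -F
  # Default deny in every direction, including what the firewall itself sends.
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Replies to connections that were explicitly allowed below.
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # The network trusts the firewall: LAN may ssh in. The DMZ may open nothing.
  $IPT -A INPUT -i eth1 -s $LAN -p tcp --dport 22 -j ACCEPT
  # The firewall trusts nobody inside: it may only originate DNS and
  # package updates toward the internet.
  $IPT -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
  # Firewall -> LAN/DMZ is never allowed; a log hit here means the
  # firewall itself is doing something it should not.
  $IPT -A OUTPUT -o eth1 -j LOG --log-prefix "fw-to-lan: "
  $IPT -A OUTPUT -o eth2 -j LOG --log-prefix "fw-to-dmz: "
  # The forwarded ports from Cory's diagram: internet -> web:80, mail:25.
  $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $WEB
  $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination $MAIL
  $IPT -A FORWARD -i eth0 -o eth2 -d $WEB -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth2 -d $MAIL -p tcp --dport 25 -j ACCEPT
  # LAN may reach the internet and the DMZ; the mail host may send mail out.
  $IPT -A FORWARD -i eth1 -s $LAN -o eth0 -j ACCEPT
  $IPT -A FORWARD -i eth1 -s $LAN -o eth2 -d $DMZ -j ACCEPT
  $IPT -A FORWARD -i eth2 -s $MAIL -o eth0 -p tcp --dport 25 -j ACCEPT
  # A cracked DMZ host trying to reach the LAN is dropped by policy; log it.
  $IPT -A FORWARD -i eth2 -o eth1 -j LOG --log-prefix "dmz-to-lan: "
  $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

case "${1:-}" in apply) fw_rules ;; esac
```

Run with IPT=echo first and read the printed rules; only then load them for real, from the console rather than over ssh, since the OUTPUT policy flips to DROP before the ssh accept rule is in place.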