Hello,
   I have set up a firewall for our company but I am concerned a little about some possible security issues. My network looks like this:
 
 
            [nonscreening router]
                      |
                      |
              [Linux Firewall]
                 |         |
    10.2.20.0/24 |         | 192.168.1.0/24
     ------------|         |-------------------------------------------
     |                                                                |
 [Web/Mail server]      [Internal machines (administration and some clients
                         that need to speak with Web Server)]
 
I have packet filtering on the Linux machine stopping all traffic.
I disallow forwarding by default, but because I need the 192.168.1.0/24 machines to speak with the 10.2.20.2 machine I have allowed forwarding in the following instances:
 
 
From 192.168.1.0/24 to 10.2.20.2 source port 1024-65535 to destination port 55444
From 192.168.1.0/24 to 10.2.20.2 source port 1024-65535 to destination port 55111
 
Also for mail I have allowed:
 
192.168.1.0/24 to 10.2.20.2 source port 1024:65535 to 25
192.168.1.0/24 to 10.2.20.2 source port 1024:65535 to 110
 
Originally I was running plug-gw (from TIS fwtk) to send requests made to the Linux machine on port 80 to the 10.2.20.2 machine. I have since changed to ipportfw, which uses masquerading (we run a piece of software on the Web server that needs the actual IP address of our visitors... btw that same software talks to our 192.168.1.0/24 clients on ports 55444 and 55111).
 
I have the same setup for mail as well.
Outgoing, I have allowed the NT server to masquerade on ports 80 and 25 (for outgoing mail and http).
 
Yesterday I noticed that we had a timeout issue with the client machines on 192.168.1.0/24, apparently because I am forwarding packets between them and 10.2.20.2 an expiration of 15 minutes is given to the connection (I found this by doing ipfwadm -M -l, which is strange because I didn't say to masquerade those). I had to increase the timeout to 24 hours (as those machines may be logged in for that long without any traffic over 55111 and 55444).
 
I have a few questions...
 
#1 Is this an acceptable setup?
#2 What kind, if any, of security risks stand out?
#3 Will I run into any problems with masquerading? And does increasing the timeout cause any problems? What would be another way of doing this with as little hardware as possible and more securely?
Gary
 

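To reason about question #2, the four forwarding rules listed in the post can be modelled as a stateless packet filter (default deny, first matching accept wins) and checked against sample packets. This is an added example, not code from the post or from ipfwadm; the packet samples are constructed, and the hypothetical client address 192.168.1.10 and its ephemeral ports are assumptions. It shows which directions the rules as written cover: a client-initiated packet to 55444 matches, while the server's reply direction and port 80 do not match any of the listed forward rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_net: str
    src_ports: tuple        # (low, high), inclusive
    dst_host: str
    dst_port: int
    proto: str = "tcp"


# Forwarding accept rules exactly as listed in the post, one direction each
FORWARD_RULES = [
    Rule("192.168.1.0/24", (1024, 65535), "10.2.20.2", 55444),
    Rule("192.168.1.0/24", (1024, 65535), "10.2.20.2", 55111),
    Rule("192.168.1.0/24", (1024, 65535), "10.2.20.2", 25),
    Rule("192.168.1.0/24", (1024, 65535), "10.2.20.2", 110),
]


def matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True when a single packet header matches one accept rule."""
    return (proto == rule.proto
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_net)
            and rule.src_ports[0] <= src_port <= rule.src_ports[1]
            and ipaddress.ip_address(dst_ip) == ipaddress.ip_address(rule.dst_host)
            and dst_port == rule.dst_port)


def forward_allowed(proto, src_ip, src_port, dst_ip, dst_port, rules=FORWARD_RULES):
    """Default forward policy is deny; any matching accept rule permits the packet."""
    return any(matches(r, proto, src_ip, src_port, dst_ip, dst_port) for r in rules)


# Constructed sample packets (hypothetical internal client 192.168.1.10)
SAMPLES = {
    "client -> app port 55444":       ("tcp", "192.168.1.10", 3456, "10.2.20.2", 55444),
    "server reply 55444 -> client":   ("tcp", "10.2.20.2", 55444, "192.168.1.10", 3456),
    "client -> web port 80":          ("tcp", "192.168.1.10", 3457, "10.2.20.2", 80),
    "server -> client high port":     ("tcp", "10.2.20.2", 4000, "192.168.1.10", 5000),
    "low source port to 55111":       ("tcp", "192.168.1.10", 1023, "10.2.20.2", 55111),
}


def evaluate_samples():
    """Map each sample name to whether the listed forward rules accept it."""
    return {name: forward_allowed(*pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{'ACCEPT' if allowed else 'DENY  '}  {name}")
```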