Never put anything on the firewall/masq machine.  The idea of that machine
is to protect your network, you want NO open holes.  The only possible
exception would be installing SSH if you really need it.

As for the FTP server... a stand-alone host OUTSIDE the firewall is fine.
The machine should be secured properly first though.  I recommend using
the ipchains firewall rules in Linux to make it so that the only service
available to people outside of your network is FTP (and ftp-data) - the
only other service you'll want will be ssh (or telnet if you must..).

The problem with tunneling FTP into the network in the way mentioned
earlier is that it completely undoes the duty of the firewall.  It's like
having one of the older houses with the mailbox in the front door instead
of out on the curb.  Since you're using NAT/MASQ you want to keep the
machines on the internal network hidden.

As for the warez usage, firewalls won't stop people from uploading wrong
files - either you have the FTP server configured correctly or you don't.

Personally, I'm a big fan of having the server itself as secure as
possible rather than relying on a firewall to do it for me.

- Aaron Schultz
- [EMAIL PROTECTED]
------
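
The ruleset Aaron describes for the stand-alone FTP host, written out as an
added example (not code from the thread): an ipchains input chain that offers
only FTP and SSH to the outside world and drops everything else. The interface
name, the host and nameserver addresses (RFC 5737 documentation space) and the
passive-port range are all assumptions; the FTP daemon must be configured to
use that same passive range. Without RUN=1 the script prints the rules rather
than applying them, so it can be reviewed on any box.

```shell
#!/bin/sh
# Added example, not from the thread: ipchains input chain for a stand-alone
# FTP host outside the firewall.  Assumed: public interface eth0, host and
# nameserver addresses in 192.0.2.0/24 (documentation space), and an FTP
# daemon configured to use passive ports 50000-50100.
# Without RUN=1 the rules are echoed, not applied.

IFACE="${IFACE:-eth0}"
FTP_HOST="${FTP_HOST:-192.0.2.10}"
DNS_SERVER="${DNS_SERVER:-192.0.2.1}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"   # must match the daemon's PASV setting

# Apply a rule for real only when asked to and when ipchains exists;
# otherwise echo it so the ruleset can be reviewed offline.
ipc() {
  if [ "${RUN:-0}" = 1 ] && command -v ipchains >/dev/null 2>&1; then
    ipchains "$@"
  else
    echo "ipchains $*"
  fi
}

ftp_host_rules() {
  ipc -F input
  ipc -P input DENY                       # default-deny; rules below punch holes
  ipc -A input -i lo -j ACCEPT            # loopback
  # Anti-spoofing: packets claiming our own address must not arrive on the wire.
  ipc -A input -i "$IFACE" -s "$FTP_HOST" -j DENY -l
  # The only services offered: FTP control (21) and SSH (22).
  ipc -A input -i "$IFACE" -p tcp -d "$FTP_HOST" 21 -j ACCEPT
  ipc -A input -i "$IFACE" -p tcp -d "$FTP_HOST" 22 -j ACCEPT
  # Passive-mode data connections arrive on the daemon's PASV range.  Active
  # mode needs nothing here: the server opens those from port 20 outbound.
  ipc -A input -i "$IFACE" -p tcp -d "$FTP_HOST" "$PASV_RANGE" -j ACCEPT
  # Replies to connections this host opened: TCP without SYN (! -y).
  ipc -A input -i "$IFACE" -p tcp ! -y -j ACCEPT
  # Resolver answers from our own nameserver only.
  ipc -A input -i "$IFACE" -p udp -s "$DNS_SERVER" 53 -j ACCEPT
  # ICMP that working TCP depends on: destination-unreachable (3) and
  # time-exceeded (11).  ipchains takes the ICMP type in the source-port slot.
  ipc -A input -i "$IFACE" -p icmp -s 0/0 3 -j ACCEPT
  ipc -A input -i "$IFACE" -p icmp -s 0/0 11 -j ACCEPT
  # Log and drop everything else (telnet included).
  ipc -A input -i "$IFACE" -j DENY -l
}

ftp_host_rules
```

Run it as `RUN=1 sh ftp-host-rules.sh` on the FTP host itself. The passive
range is the part people forget: if the daemon hands out ports outside
PASV_RANGE, passive transfers hang while the control channel still works, and
the usual reaction is to open all high ports, which undoes the point of the
chain.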

On Wed, 26 Jul 2000, J Weismann wrote:

> I'll disagree with this for one reason. Firewall-GOOD! outside firewall file
> server-BAD!!! Put it on the inside of the firewall and have the users
> tunnel or log into the firewall to get access to the files. You leave that
> puppy out there on Friday and by Monday your bandwidth is at 100% usage and
> wondering who set up a Warez FTP server on your file server.
> 
> Guard every file like it was your own......
> 
> 
> >From: Ron DuFresne <[EMAIL PROTECTED]>
> >To: Chris Mason <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: Looking for firewall solution advice
> >Date: Wed, 26 Jul 2000 10:31:05 -0500 (CDT)
> >
> >
> >I'd rethink the solution and advice under consideration and put the file
> >server on a totally different box, most likely on the outside of the
> >firewall on the dmz perhaps.
> >
> >Thanks,
> >
> >Ron DuFresne
> >
> >On Wed, 26 Jul 2000, Chris Mason wrote:
> >
> > > I'm advising a company on setting up a network with remote access. The
> > > network will be Windows machines with a Linux firewall configured with
> > > PMfirewall. There will be a single IP wavelan internet feed to the
> > > firewall which will be masq'ed for the internal network which will use
> > > non-routable IPs.
> > > The firewall machine will also be a fileserver for accounting data. The
> > > client would like to be able to access the accounting data on the
> > > firewall from outside using her laptop connected to a dial-up account
> > > somewhere in the world. I would like to put in place a VPN solution for
> > > her. Any suggestions?
> > >
> > >
> > > Chris Mason
> > > Box 340, The Valley, Anguilla, British West Indies
> > > Tel: 264 497 5670 Fax: 264 497 8463
> > > USA Fax (561) 382-7771
> > > Take a virtual tour of the island
> > > http://net.ai/ The Anguilla Guide
> > > Find out more about NetConcepts
> > > www.netconcepts.ai
> > >
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >"Cutting the space budget really restores my faith in humanity.  It
> >eliminates dreams, goals, and ideals and lets us get straight to the
> >business of hate, debauchery, and self-annihilation." -- Johnny Hart
> >     ***testing, only testing, and damn good at it too!***
> >
> >OK, so you're a Ph.D.  Just don't touch anything.
> >
> 
> 
