> -----Original Message-----
> From: Scott Peters [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 6 October 2000 5:25 AM
> To: "Firewalls"
> Cc: Ian Smith
> Subject: Firewalls for Linux versus netopia router
> 
> 
> 
> Hey folks,
> 
> We have a linux box which is set up to perform NAT and is 
> serving as a firewall for the internal network. (ipchains set 
> to deny everything and then a few services are allowed). 
> Sendmail is forwarding incoming mail into the internal net 
> to be received by our email server.  The linux box also has 
> FTP enabled (with restrictions such as no creating of 
> directories) and a small Apache website which sees VERY 
> little traffic.

I don't know how big your network is, or if you consider yourself "high
threat". If you do, however, I have some small problems with this setup.
Linux is not really a secure OS. (yeah, flame away.) Sendmail is not a
secure mail agent - if you're just using it as a relay there are smaller,
"nicer" apps to use. Worse - the FTP server on Linux was still wu-ftpd last
I looked - has this changed? Apache has a pretty good rep, but if you're not
using CGI it's probably a bit bloated, too. I like qmail for mail, and the
other DJB tools like publicfile for read-only HTTP/FTP. Several people I
consider clueful like postfix for mail, so you might want to check that out,
too. Netfilter or IPFilter are probably better firewalling choices for a
free firewall, and I (personally) would use OpenBSD instead of Linux. Not
that you can't secure Linux, but it's harder.

> 
> We recently had our network evaluated by several companies.  
> One of whom suggests the removal of the linux box.  They 
> suggest that the netopia router perform NAT.

You already own this netopia router, or this company is proposing to sell it
to you? In the latter case I advise you to make the Sign of Warding Against
Lunatics and leave quickly, making no sudden movements.

> and ftp and Web 
> hosting put off site.  (Please remember these two services 
> see little traffic.)
> 
> If I do pull NAT from the linux box, would I not lose the 
> ability of sendmail to route incoming emails?

Not necessarily. Assuming that you can get NAT working on the netopia
without giving in to the temptation to smash it with a mallet, burn the
pieces and sow the ashes into the fields of the Netopia engineers so that
their crops will wither and their race will vanish from the earth, you could
just map port 25 (external) to port 25 on the Linux box - the relaying will
work as normal from there.

> 
> 
> In the past, my predecessor, along with a local consulting 
> firm, spent several weeks trying to get the netopia router to 
> do the NAT but they were unable to get the router to perform 
> at an acceptable level of performance.

Yeah, I've never seen a Netopia work well, either.
> 
> Is there something that they or I missed?

Undoubtedly. 8)

> Is this so wrong that we have to spend a bunch of time 
> reconfiguring it?

I've seen worse.

> All points of view would be appreciated.
> 
> Kind regards,
> James Scott Peters

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
