> > > PS: BTW, I was wondering if you could tell me why the extended script explicitly denies
> > > forwarding to the DMZ from the Internet (or am I misreading that rule?)
> > >
> > > Code snippet:
> > >
> > > if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
> > >      -o "$DMZ_SWITCH" = "yes" \
> > >      -o "$DMZ_SWITCH" = "PRIVATE" -o "$DMZ_SWITCH" = "Private" \
> > >      -o "$DMZ_SWITCH" = "Private" ]; then
> > >
> > >     $IPCH -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF -l
> > > fi
> >
> > You'll note that this is at the end of the forward rule chain. The purpose
> > of this rule is to deny and log any packets that are not explicitly allowed.
> > The default forward rule policy of DENY does the same thing, but if you
> > don't add the rule above, you can't log the traffic that was denied, so no
> > looking at your logs to see if you're being port-scanned...
>
> Hi Charles!
>
> Sorry to bug you, especially since I'm probably missing something, but in the case of a
> port-forwarded DMZ using only one IP, wouldn't I see that I'm being port scanned by seeing
> "input" chain rules in my logs?

Yes. With the 'mountain' scripts, port-forwarded DMZ filters are provided by the input chain. Other DMZ flavors (static-NAT, proxy-arp, and routed) are filtered in the forward chain.

> How could anyone directly access the DMZ subnet from the Internet
> (or does it protect against a scan from "behind" the firewall but from an IP address outside
> of the private network subnet???)?

I don't think I understand what you're asking enough to answer...

> BTW, the reason why I was wondering if somebody could use the hole in the firewall which is opened
> when a machine in the internal network accesses the DMZ is that I would like to put a mail server
> in the DMZ AND a mail server in the internal network... I would then, every 1-5 minutes, fetch all
> my mail from the mail server in the DMZ and put it on the mail server in the internal network.
There is no 'hole' opened when the internal network accesses the DMZ...the 'hole' is there all the time. The internal network is masqueraded to the DMZ network. This is just like the internal network getting masqueraded to the external interface (and hence the internet in general). The fact that the internal network is allowed to access the DMZ does not impact any of the rules blocking access between the internet and the internal network...

> It looks like I may be able to do that using UUCP, but since I think UUCP has (quite) a few vulnerabilities,
> I wasn't sure if it was a good idea to poll the machine in the DMZ at a regular interval, since a hacker
> (if he/she had taken control of the PC in the DMZ) might more easily determine when and which port is
> open and might be able to attack my mail server on the internal network using this "hole".
>
> Am I just being too paranoid?

Probably. The firewall rules do NOT allow systems in the DMZ to open connections with machines on the internal network. Internal systems are at no more risk from the DMZ systems than they are from systems on the internet in general (that's kind of the whole point of a DMZ).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
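The point made in the thread (a default policy of DENY drops the same packets as the trailing `DENY ... -l` rule, but only the rule can log them, and the masquerade from the internal network to the DMZ is a one-way allow that gives DMZ hosts no path back) can be checked with a small first-match simulation of an ipchains-style forward chain. This is an added example written for this page; it is not code from the LEAF/LRP 'mountain' scripts. The networks (10.0.0.0/24 internal, 192.168.10.0/24 DMZ), the interface names, the tcp/25 allow rule and the sample packets are all assumptions constructed to mirror the discussion. One ipchains detail it relies on: in the forward chain, `-i` names the interface the packet is being sent out on.

```python
"""First-match simulation of an ipchains-style 'forward' chain.

Added example for this thread; not code from the LEAF/LRP 'mountain' scripts.
Addresses, interface names and the port-25 rule are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = "10.0.0.0/24"   # assumed internal (masqueraded) network
DMZ_NET = "192.168.10.0/24"    # assumed value of $DMZ_NET
DMZ_IF = "eth1"                # assumed value of $DMZ_IF
INT_IF = "eth0"                # assumed internal interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    out_if: str  # ipchains forward chain: '-i' is the interface the packet leaves on


@dataclass(frozen=True)
class Rule:
    """One rule: -j target -s src -d dst -p proto --dport dport -i iface [-l]."""
    target: str                 # ACCEPT, DENY or MASQ
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None
    iface: Optional[str] = None
    log: bool = False           # the '-l' flag

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("all", p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.out_if))


@dataclass
class Chain:
    policy: str                 # ipchains -P forward DENY
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def evaluate(self, p: Packet) -> str:
        """First matching rule decides; otherwise the policy applies, and a policy hit can never log."""
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.target} {p.proto} {p.src}->{p.dst}:{p.dport} out={p.out_if}")
                return r.target
        return self.policy


def build_forward_chain(log_catch_all: bool, log_every_deny: bool = False) -> Chain:
    chain = Chain(policy="DENY")
    # Internal network masqueraded to the DMZ: present all the time, not a hole that opens on demand.
    chain.rules.append(Rule("MASQ", src=INTERNAL_NET, dst=DMZ_NET, iface=DMZ_IF))
    # Assumed: a mail server in a routed/static-NAT DMZ is reachable from anywhere on tcp/25.
    chain.rules.append(Rule("ACCEPT", dst=DMZ_NET, proto="tcp", dport=25, iface=DMZ_IF))
    if log_catch_all:
        # The rule quoted in the thread: -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF -l
        chain.rules.append(Rule("DENY", dst=DMZ_NET, iface=DMZ_IF, log=True))
    if log_every_deny:
        # Assumed extension: also log traffic to other destinations that the policy would drop silently.
        chain.rules.append(Rule("DENY", log=True))
    return chain


SAMPLE_PACKETS = [  # constructed traffic, not captured data
    Packet("10.0.0.5", "192.168.10.2", "tcp", 25, DMZ_IF),     # internal host polling the DMZ mail server
    Packet("203.0.113.7", "192.168.10.2", "tcp", 25, DMZ_IF),  # internet delivering mail to the DMZ
    Packet("203.0.113.7", "192.168.10.2", "tcp", 22, DMZ_IF),  # internet probing ssh on the DMZ host
    Packet("192.168.10.2", "10.0.0.5", "tcp", 25, INT_IF),     # DMZ host trying to reach the internal mail server
]


def verdicts(chain: Chain) -> List[str]:
    return [chain.evaluate(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, chain in (("policy only", build_forward_chain(False)),
                        ("with trailing DENY -l", build_forward_chain(True)),
                        ("log every deny", build_forward_chain(True, log_every_deny=True))):
        print(name, verdicts(chain), chain.log)
```

Run as is, the verdicts are identical in all three configurations (MASQ, ACCEPT, DENY, DENY): the policy blocks the probe and the DMZ-to-internal attempt just as the explicit rule does. What changes is the log. With policy only, nothing is logged, so the ssh probe is invisible; the quoted trailing rule logs it because it matches `-d $DMZ_NET -i $DMZ_IF`. The fourth packet, a DMZ host trying to reach the internal network, is denied in every case but only appears in the log when a second catch-all `DENY -l` with no destination restriction is added, which is the check to make on a real rule set before trusting the logs to show attempts from a compromised DMZ host.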
