What I have done in a similar situation is the following.

for DNS/mail

1. run split DNS on the firewall for the external version, on a machine
inside for the internal version.

2. have the external DNS point mail at the firewall IP address
3. have the internal DNS point mail at your internal mail server

4. make sure you are running a properly configured up-to-date sendmail on
the firewall (or, if you prefer one of the alternates, put it here).

for the internal web servers

1. alias the external addresses to the firewall

2. use ipfwadm/ipchains to redirect the traffic headed to that address to
another port number (transparent proxy option)

3. run plug-gw from the TIS fwtk on that port, directing it to the internal
web server

note: the new NAT options that are being developed can probably do this
better, but I have not used them; I have done this and it does work
reliably.

for the internal machines

the easiest way is to just set up masquerading on the firewall and have it
set as the gateway for all the machines.

the more complicated way (although more secure) is to generate a real
security policy that states what protocols are allowed to be used, set up
proxies for them on the firewall, and disallow all other traffic.

for the FTP server, there is no clean way to do it; I would recommend a
hardened machine outside your firewall if you really need to do this.

Feel free to ask for more details if you need them.

David Lang
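As an added illustration (not part of David's or Ola's mail), the following script builds an ipchains ruleset for the topology in Ola's diagram the way David's reply lays it out: aliased external addresses with REDIRECT to a local plug-gw port for the web servers, sendmail and the external DNS on the firewall, and masquerading for LAN clients limited to http. Interface names, the /24 mask for the 10.0.0.* range, the plug-gw listening ports and the kernel 2.2 masquerade port range are assumptions; by default it only prints the commands.

```sh
#!/bin/sh
# Constructed example ipchains ruleset; not from the original thread.
# Prints the commands by default; "apply" as the first argument runs them
# (needs root, ipchains, and a kernel built with transparent proxying).

EXT_IF=eth0         # assumed external interface, primary address 163.12.13.100
INT_IF=eth1         # assumed internal interface
LAN=10.0.0.0/24     # assumed mask for the 10.0.0.* client and server range
MODE=${1:-print}

run() { if [ "$MODE" = apply ]; then "$@"; else echo "$@"; fi; }

firewall_rules() {
    # Default deny on input and forward; every rule below is an explicit allow.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i $INT_IF -s $LAN -j ACCEPT

    # Web servers (David's steps 1-3): alias the external addresses onto the
    # firewall and redirect port 80 to local ports where plug-gw (assumed to
    # be set up to plug to 10.0.0.60:80 and 10.0.0.58:80) is listening.
    run ifconfig $EXT_IF:0 163.12.13.120 netmask 255.255.255.0
    run ifconfig $EXT_IF:1 163.12.13.118 netmask 255.255.255.0
    run ipchains -A input -i $EXT_IF -p tcp -d 163.12.13.120 80 -j REDIRECT 8080
    run ipchains -A input -i $EXT_IF -p tcp -d 163.12.13.118 80 -j REDIRECT 8081

    # Mail and external DNS: the external zone points MX at the firewall, so
    # SMTP and DNS for 163.12.13.119 terminate on the firewall itself.
    run ifconfig $EXT_IF:2 163.12.13.119 netmask 255.255.255.0
    run ipchains -A input -i $EXT_IF -p tcp -d 163.12.13.119 25 -j ACCEPT
    run ipchains -A input -i $EXT_IF -p udp -d 163.12.13.119 53 -j ACCEPT
    # Replies to the firewall's own outbound DNS lookups (resolver/forwarding).
    run ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -d 163.12.13.100 -j ACCEPT

    # LAN clients: masquerade outbound http only. Established (non-SYN) TCP
    # back to unprivileged ports on the primary address covers masqueraded
    # replies (61000-65096 on 2.2 kernels) and sendmail's outbound sessions.
    run ipchains -A forward -i $EXT_IF -s $LAN -p tcp -d 0/0 80 -j MASQ
    run ipchains -A input -i $EXT_IF -p tcp ! -y -d 163.12.13.100 1024:65535 -j ACCEPT
}

firewall_rules
```

Everything else from the Internet side (including non-http traffic from the clients) falls through to the DENY policies, which is what Ola asked for.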


On Sun, 30 May 1999, Ola Theander wrote:

> Date: Sun, 30 May 1999 19:08:04 +0200
> From: Ola Theander <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Is this firewall config possible using Linux kernel 2.2.x?
> 
> Dear subscribers,
> 
> I'm trying to configure a firewall using Linux RH 5.2 with a 2.2.9 kernel.
> So far I've mostly done a lot of experimenting, configuring the Linux box as a
> router, etc., with moderate success.
> My goal is to setup a network with the structure described below and the
> reason for writing this mail is to get a confirmation whether or not this is
> doable with the existing utilities such as ipchains, iproute2 etc.
> 
> The desirable network structure:
> 
> Internet side          FW                     LAN
>                         |
> 163.12.13.120  ---------|------- 10.0.0.60    WWW -server
>                         |
> 163.12.13.119  ---------|------- 10.0.0.59    SMTP -server, DNS-server
>                         |
> 163.12.13.118  ---------|------- 10.0.0.58    WWW -server 2, FTP -server
>                         |
> 163.12.13.100  ---------|------- 10.0.0.***   All LAN client machines
>                         |
> 
> In the above scheme there are three servers inside the firewall, with fixed
> class A addresses. These servers have corresponding fixed external ip
> addresses. I want computers on the Internet to be able to access the
> servers, i.e. the FW is using NAT to translate the traffic.
> In the LAN there also are a number of client machines, which get their ip
> addresses from a dhcp server. I want the traffic from all the client
> machines to be masqueraded through the ip address 163.12.13.100. I also
> would like to be able to restrict the lan clients to only be able to perform
> http traffic.
> 
> The traffic on the server addresses I would like to be able to restrict to
> the ports necessary for respective server.
> 
> I'm aware that the ftp server can cause some problems due to the
> peculiarities of the ftp protocol, but it's not an absolute requirement to
> have an ftp server.
> 
> I'm pretty sure what I want, but I'm not sure how to do it. The ideal response
> to this mail is a step-by-step list of what to do and an explanation of each
> step.
> 
> Hoping for help.
> 
> Kind regards, Ola Theander
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
> 

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

