-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 1 Jun 1999, Ola Theander wrote:

> Date: Tue, 1 Jun 1999 22:33:30 +0200 
> From: Ola Theander <[EMAIL PROTECTED]>
> To: 'David Lang' <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Is this firewall config possible using Linux kernel 2.2.x?
> 
> Hi David.
> 
> Thanks for your answer.
> 
> > 4. make sure you are running a properly configured up-to-date 
> > sendmail on
> > the firewall (or if you prefer one of the alternates, put it here.
> > for the internal web servers
> 
> I don't need SendMail. I want to use the mailserver that's behind the
> firewall.
>

You have to have some mail program to pass the mail through the firewall,
or you are connecting directly to your internal machine. If you are
connecting directly to your internal machine, then you MUST run NAT and
CANNOT use the plug proxy. The reason for this is that the plug hides the
originating IP from your mail server and your mail server REQUIRES this
information to prevent spam relays.

What mail server are you planning to use?
 
> > 1. alias the external addresses to the firewall
> > 
> > 2. use ipfwadm/ipchains to redirect the traffic headed to 
> > that address to
> > another port number (transparent proxy option)
> 
> Well, I would prefer not to have a proxy involved, if possible. I want a
> pure filtering firewall.
> 
> > 3. run plug-gw from the TIS fwtk on that port directing it to 
> > the internal
> > web server
> 
> What is plug-gw?
> 

It is one of the proxies available as part of the firewall toolkit. The
fwtk was written as part of a government grant to produce a basic set of
firewall tools. TIS maintained it for many years, and they were recently
purchased by NAI. I think you can find it by going to www.tis.com and
searching for toolkit. The mail proxy is now out of date (it does not
include anti-spam capabilities) but everything else is still very usable.

> > note: the new NAT options that are being developed can 
> > probably do this
> > better, but I have not used them, I have done this and it does work
> > reliably
> > for the internal machines
> > 
> > the easiest way is to just set up masquerading on the firewall 
> > and have it
> > set as the gateway for all the machines.
> 
> My problem is that I don't really know how to configure both NAT and
> masquerading on the same router. I have some idea about creating an alias
> for the external NIC, e.g. eth1:1 on which I do the masquerading and do NAT
> for the server on eth1, but I haven't tried this yet.
> 

If you are not wanting proxies then your only option is the NAT code. As
far as I know the NAT code is an add-on, not a built-in part of the
ipfwadm or ipchains code.


> > the more complicated way (although more secure) is to generate a real
> > security policy that states what protocols are allowed to be 
> > used, setup
> > proxies for them on the firewall, and disallow all other traffic.
> > 
> 
> I figure you mean that I should configure a transparent proxy for each kind
> of service (port) that I want open. Can this proxy solution handle requests
> from the Internet to servers behind the firewall?
> 
> Kind regards, Ola Theander
> 

If you set up a proxy-based firewall, what actually will happen is that all
of your users will talk to the firewall, the firewall will then talk to
the outside world. This has the advantage that the proxy on the firewall
_may_ understand the protocol that is going through it and can block stuff
that does not match that protocol. It can also handle ill-behaved stuff
like FTP. For this type of protection you end up running many different
types of firewalls. I would recommend getting the book Building Internet
Firewalls by Brent Chapman as it gives a good explanation of the various
options.

David Lang

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN1RF6D7msCGEppcbAQHJ0Qf/fGypAChqCe/bXQ2r1PK/ZtXaOJhLNmev
uCcCk/cRIu1t+s9egfik/VCRDrZ1vUOZQZvjCqu/WDWIIQKLSB2BCod3l94E+u8Q
jSGDb6zt8WCNSES2VcjNlSRBINjjAKDplC+TTiHj6pgjmBVdZTY4PabDCGudROX0
Zh5EO6CoX5thhk8DUMMHaZCcRXDrO2c+xhZ8aRHhLvvZPH+2P66Xk7n8v7jHhwqn
gbitxoucXOohhDxCzV5KwHEFoQRMOapa8qJk5eO0cG5OuFK2xb3mERG5fXLRKrxj
kVb+c0ytU1W54MtjJakRxHXLFyzypPF8zcknvu98DAdOYeQyX/6OQQ==
=yGie
-----END PGP SIGNATURE-----
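The setup David outlines (alias the public address onto the external NIC, use the ipchains REDIRECT target to send the port to a local one, run fwtk's plug-gw there, masquerade the LAN) together with his caveat that the mail server must be reached by NAT rather than the plug, as an added example that is not part of the original thread. It is a dry-run shell script for a 2.2 kernel; every interface, address, port and path in it is assumed, as is the ipmasqadm port-forwarding add-on and a kernel built with transparent proxy and masquerading support.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the commands it would
# run; set APPLY=1 to execute them on the firewall. All values below are
# hypothetical and must be replaced with the real ones.
# Assumes: CONFIG_IP_TRANSPARENT_PROXY + masquerading in the 2.2 kernel,
# TIS fwtk in /usr/local/etc, and the ipmasqadm add-on for port forwarding.

EXT_IF=eth1
INT_NET=192.168.1.0/24        # internal LAN behind the firewall
PUB_WEB=203.0.113.10          # public address clients use for the web server
INT_WEB=192.168.1.20          # internal web server plug-gw forwards to
PLUG_PORT=8080                # local port plug-gw listens on
PUB_MAIL=203.0.113.11         # public address for the mail server
INT_MAIL=192.168.1.25         # internal mail server, reached via NAT not plug-gw
FWTK_DIR=/usr/local/etc

# Print a command (dry run) or execute it (APPLY=1).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Steps 1+2: alias the public web address onto the external NIC, then use the
# transparent-proxy REDIRECT target so port 80 lands on plug-gw's local port.
inbound_web_rules() {
  run ifconfig "${EXT_IF}:1" "$PUB_WEB" netmask 255.255.255.255 up
  run ipchains -A input -i "$EXT_IF" -p tcp -d "$PUB_WEB" 80 -j REDIRECT "$PLUG_PORT"
}

# Step 3: netperm-table entry telling plug-gw where port 8080 plugs to.
# plug-gw opens its own connection from the firewall, so the web server
# sees the firewall's address, never the client's.
plug_gw_netperm() {
  printf 'plug-gw: port %s * -plug-to %s -port 80\n' "$PLUG_PORT" "$INT_WEB"
  printf 'plug-gw: timeout 300\n'
}

# inetd.conf line that starts plug-gw for that port (argument = netperm-table key).
plug_gw_inetd() {
  printf '%s stream tcp nowait root %s/plug-gw plug-gw %s\n' \
    "$PLUG_PORT" "$FWTK_DIR" "$PLUG_PORT"
}

# Outbound traffic from the LAN: default-deny forwarding, masquerade only
# what comes from the internal network and leaves on the external NIC.
masq_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run ipchains -P forward DENY
  run ipchains -A forward -s "$INT_NET" -i "$EXT_IF" -j MASQ
}

# Inbound SMTP: the mail server needs the real client address for its
# relay checks, so it must NOT go through plug-gw. Port forwarding rewrites
# only the destination address and keeps the source intact.
inbound_mail_rules() {
  run ifconfig "${EXT_IF}:2" "$PUB_MAIL" netmask 255.255.255.255 up
  run ipmasqadm portfw -a -P tcp -L "$PUB_MAIL" 25 -R "$INT_MAIL" 25
}

show_all() {
  inbound_web_rules
  echo "# --- netperm-table ---"
  plug_gw_netperm
  echo "# --- inetd.conf ---"
  plug_gw_inetd
  masq_rules
  inbound_mail_rules
}

show_all
```

Run it as-is to review what would be done; run it with APPLY=1 on the firewall to execute the ipchains, ifconfig, sysctl and ipmasqadm commands. The two plug-gw functions only print configuration text, which goes into netperm-table and inetd.conf respectively (followed by a HUP to inetd); they are never executed.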
