On Wed, Feb 19, 2003 at 09:58:31AM +0000, Dave Rocks wrote:
> My question is how stupid is it to run DNS (tinydns), Mail (qmail) + my home
> firewall/router (NAT + pf) on the same machine??
> I always read NEVER run anything extra on your firewall. For my small home
> set-up (I get maybe 20 emails a day & 50 DNS requests) does it really
> matter that I run DNS & mail on my firewall? My pf rules are pretty
> standard, a default deny + allow in UDP on port 53 & TCP on 25.
> I also allow in SSH, WWW but only from my work IP address, so that
> shouldn't affect things, & POP but only from internal hosts.
> I'm going to be going wireless on my LAN side soon with the same BSD box
> being my wireless access point (gonna use IPsec); as long as my pf rules are
> tight should I be OK? Or am I being dumb & I need to do something like
> stick a DMZ machine in for my DNS/mail?
if you can afford an extra box and extra space under the sofa to stow it
under, then this is the way to go. otherwise, you must answer a
question: how sensitive is the information transiting through your
firewall? what are the estimated costs of it being uncovered/leaked?
what are the impacts to your image if your firewall got cracked?

well, I think you'll have to answer it anyways.

rampant paranoia is never very far. but let me tell you this: if the
information you have is damn precious, no matter what you do to protect
it, it might just raise the skills/money required to get it.

if you are like John Nobody, get a drink and happily configure your
firewall with the above-mentioned software using as secure a
configuration as possible and opt for secure options (SSH-tunneled POP
instead of clear POP from outside if ever needed, etc. you get the
picture).

the idea of using IPsec on your wireless LAN is good. IMHO, it's the
best option today (WEP is... well... you know, and 802.1x has already shown
some cracks). I even met some French so-called consultants that went to
the extent of using SSH-tunneled protocols inside of IPsec using 2048
bit keys etc. hum.

and if that helps, I ran my home firewall for ages with DNS, email and
other services (from the internal network). has it ever been cracked? none
that I know of, since I closely monitor my logs on a daily basis and I
run integrity checking software (aide. still using it. but I'm
moving to samhain, though the docs are overwhelming *cough*).

but since last year, I afforded an extra sofa and an extra DMZ box 8~) [1].


cheers.
-- 
[1] fips, if you come this way again you will never have to hear humming
    machines(tm) anymore.
--
Saad Kadhi -- [[EMAIL PROTECTED]] [[EMAIL PROTECTED]]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
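The rule set the original poster describes (default deny, UDP 53 and TCP 25 from anywhere, SSH and WWW only from one work address, POP only from inside, NAT for the LAN, IPsec on the wireless side) written out as a pf.conf, with the reply's advice folded in: POP never crosses the external interface, and remote mail access rides the SSH session that is already allowed. This is an added example, not configuration posted by either participant; interface names, the work address and the wireless segment are assumptions, and the syntax is the classic one (`nat on`, explicit `keep state`) used by 2003-era OpenBSD and by FreeBSD pf.

```pf
# Single-box firewall/router that also serves DNS and SMTP to the Internet.
# Interface names and addresses are assumptions, not taken from the thread.
ext_if  = "ne0"          # Internet-facing interface (assumed)
int_if  = "xl0"          # wired LAN (assumed)
wifi_if = "wi0"          # wireless segment; clients speak IPsec to this box (assumed)
work_ip = "192.0.2.10"   # placeholder for the poster's work address (TEST-NET range)
lan     = $int_if:network
wifi    = $wifi_if:network

set skip on lo
scrub in all

# NAT: wired LAN and decrypted wireless traffic leave as the box's own address
nat on $ext_if from { $lan, $wifi } to any -> ($ext_if)

# Default deny in both directions; log what is dropped so the daily log
# review the reply mentions has something to look at.
block log all

# The box itself (qmail delivering outbound mail, the admin's own sessions)
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Wired LAN: anything towards the Internet, but only named services on the box
pass in  on $int_if from $lan to ! $int_if keep state
pass in  on $int_if proto udp from $lan to ($int_if) port 53 keep state
pass in  on $int_if proto tcp from $lan to ($int_if) port { 22, 110 } \
    flags S/SA keep state
pass out on $int_if from any to $lan keep state

# Internet-facing services, exactly the two the poster opens: DNS over UDP
# and SMTP over TCP (only SYNs create state; stray ACK/RST scans are dropped).
pass in on $ext_if proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 25 flags S/SA keep state

# SSH and WWW only from the single work address
pass in on $ext_if proto tcp from $work_ip to ($ext_if) port { 22, 80 } \
    flags S/SA keep state

# POP: no rule on $ext_if at all, so clear-text POP never crosses the Internet
# side. From work, use the SSH session above and forward the port:
#   ssh -L 1100:127.0.0.1:110 user@firewall
# then point the mail client at localhost:1100.

# Wireless: the only things a wireless client may send the box in the clear
# are IKE (UDP 500) and ESP. Everything else must arrive decrypted on enc0,
# so a client that has not completed an IPsec SA gets nothing through.
pass in  on $wifi_if proto udp from $wifi to ($wifi_if) port 500 keep state
pass in  on $wifi_if proto esp from $wifi to ($wifi_if)
pass in  on enc0 from $wifi to any keep state
pass out on enc0 from any to $wifi keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the expanded rules so the `port { 22, 80 }` and `{ $lan, $wifi }` lists can be checked against what was intended.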