Re: DMZ
Are you sure? I looked for two hours for what DMZ is. I searched linuxdoc.org and google; in linuxdoc I entered each firewall howto and searched the index for DMZ and couldn't find a chapter speaking of DMZ. But now I know that DMZ is just a word that describes a low security leg, and it's not some special service or special configuration like vpn or proxies. Through google I found a few explanations that describe it as a segment that is outside the firewall, so I couldn't understand why it's related to the firewall. Now I know better: one of the ethernet cards is configured for low security, so the Q was in its place.

----- Original Message -----
From: e-tie [EMAIL PROTECTED]
To: Linux [EMAIL PROTECTED]
Sent: Thursday, September 12, 2002 9:54 PM
Subject: RE: DMZ

> Please don't get me wrong, when you are stuck help is needed, but come on, DMZ? I mean there are so many docs out there on DMZ. As I see it, first see if you can find it and learn it yourself, then approach the community!
>
> Oh and btw I'm out of a job too, and I don't even know l/unix that good. Security on the other hand, that's another issue :)
>
> > On Thu, Sep 12, 2002 at 08:48:35PM +0200, e-tie wrote:
> > > Have we forgot the lost art of RTFMing?
> > > [snip]
> > > On security discussions...got a spare 5 years?
> >
> > You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for. On the other hand, what happens when you get stuck?
> >
> > Guy
> >
> > Yes, I too am looking for jobs...
> >
> > --
> > Unix Administration,    | http://www.unixadmin.co.il
> > locally and remotely.   | [EMAIL PROTECTED]
> > Planning, installation, | Phone: 972-3-6201373
> > support upgrades.       | Location: Unrestricted

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
Re: DMZ
On Fri, Sep 13, 2002 at 12:05:33AM +0300, Guy Cohen wrote:
> > ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.
>
> cluster is a way.

Err, I happen to know a thing or two about clusters, and I'm not sure what you mean here. Could you elaborate?

--
Muli Ben-Yehuda
syscalltrack hacker-at-large
Re: DMZ
Hi,

On Fri, Sep 13, 2002 at 10:05:58AM +0300, Muli Ben-Yehuda wrote:
> On Fri, Sep 13, 2002 at 12:25:25AM +0300, Yedidyah Bar-David wrote:
> > I think the main difference is that ML answers are given late at night, with late-at-night moods (and tiredness), for better or worse :-).
>
> I disagree. I often do email at the early hours of the morning :) But you're certainly right that a mailing list answer carries with it no explicit[1] responsibility and no warranty, unlike something you paid for.
>
> [1] explicit, unlike implicit. I *hate* being wrong in public, and therefore will usually check my facts three times before posting. Usually.

I of course agree. I also intended to mean they are less formal, have a higher tendency to go in non-strictly-relevant directions, etc., as long as the author thinks there are enough people on the list that will enjoy reading (I personally think that many Israeli Linux users (the audience here) tend to have similar interests even off-topic, such as where to buy good, cheap hardware, that no one ever found inappropriate here even though off-topic).

> > > ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.
> >
> > Can you give more details? What is the exact need? For example, I run some machines with nfsroot, so exporting their *physical* disk is trivial. Do you refer to a physical disk, all the local partitions, all mounted FSs (including /proc, nfs)?
>
> Ok, setup: one small LAN, one server (fwall + outside services), one development machine and two test machines. Test machines should be running different distributions from time to time, so a shared nfs root is not a good option. Ideally, the development machine's '/' and all regular file systems mounted on it should be nfs mounted (or otherwise accessible) on the test machines.

Not as their /? Simply accessible? Assuming you exported with the options you need (probably (rw,no_root_squash)), I see no problem with that.

Having them mount it rootnfs is more problematic, of course.

> > What problems did NFS exporting / cause?
>
> It was a combination of NFS exporting / and trying to access things as root, I suppose. Missing directories, inaccessible files, strange errors from programs that deal with the file system (mv, cp, etc).

Again, this sounds like missing no_root_squash.

> > Did you try the usermode nfs server? (from ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir. Not maintained for a long time, but still might be useful).
>
> How might it be useful?

The big difference is that exporting (and mounting) / will take with it all mounted FSs, unlike the kernel server which exports a single FS at a time. The other difference is lower performance.

> > Did mount --bind somewhere and NFS exporting it didn't work either? Note I didn't try this myself, but writing this answer makes me want to try (for diskless machines' server - I currently do not share its /).
>
> I am not aware of mount --bind. I'll RTFM. Thanks, Muli.
>
> --
> Muli Ben-Yehuda
> syscalltrack hacker-at-large

Didi
Re: DMZ
> what exactly is DMZ ? If it is an area between the Internet and the Firewall then it's not under protection of the firewall. If so what does the firewall manage here ?

Say you want to make a tight security policy in your firewall: don't let *anything* enter the windows network but let some services in, because you have web, mail, ssh, ftp, etc. servers. You configure 2 networks, preferably connected to 2 different interfaces on the firewall. The windows network is totally secured and is your private LAN. The other network, the one with the open servers, is secured with the firewall but is open to some services. This is your DMZ.

--
Unix Administration,    | http://www.unixadmin.co.il
locally and remotely.   | [EMAIL PROTECTED]
Planning, installation, | Phone: 972-3-6201373
support upgrades.       | Location: Unrestricted
Re: DMZ
Ben-Nes Michael [EMAIL PROTECTED] writes:
> Hi All
>
> Small confusion. what exactly is DMZ ? If it is an area between the Internet and the Firewall then it's not under protection of the firewall. If so what does the firewall manage here ?

To put it simply, if not comprehensively, it is the area that is accessible from outside your organization. E.g. you may want to let outsiders access your web and ftp servers, but not the rest of your LAN, for which, e.g., you will disallow any connection whatsoever that originates from outside. This means that the DMZ will be a different network, and firewall rules will be different for the publicly accessible servers. This does not mean that they are not protected by a firewall. Whether or not there is an additional firewall between the DMZ and the LAN depends on the situation. Generally, your LAN will have an additional line of defence compared to the DMZ.

The above is not a comprehensive description, but does it resolve the confusion?

--
Oleg Goldshmidt | [EMAIL PROTECTED]
=================================================================
... Of theoretical physics and programming, programming embodied the greater intellectual challenge. [E.W.Dijkstra, 1930 - 2002.]
Re: DMZ
Ben-Nes Michael wrote:
> Hi All
>
> Small confusion. what exactly is DMZ ?

De-Militarized Zone. A typical topology is a 3-legs firewall: one leg goes to the Internet/FR-router/ADSL/whatever, the second to a hub with all the client computers (WIN machines etc.) connected to it, and the third goes to a hub with the servers connected to it (DMZ).

> If it is an area between the Internet and the Firewall then its not under protection of the firewall.

It's not a direct translation of the term De-Militarized Zone, and it isn't BETWEEN anything. It's usually a separate subnet, with weaker security. While computers from subnet(s) with the clients cannot be accessed from the Internet (but only initiate sessions, and be answered), computers from the DMZ can also be accessed (so they can be used for DNS, e-mail, web-serving, etc.).

> If so what the firewall manage here ?

A lot. For example, the firewall inspects the incoming packets, and doesn't let spoofed packets in. Also, it doesn't let packets with an illegal destination (such as 127.0.0.1 or broadcast) in. It may block floods, SYN attacks, etc. If you know (for example) that one computer serves HTTP, while a second one serves e-mail, you may allow only packets with DPORT=80 to the 1st and DPORT=25 to the second. You may even DNAT the computers in the DMZ. If this is the case, you would also want to masquerade them even when they access each other, because when they use addresses as known by external machines, they will reach the firewall, and without masquerading the response will not reach anything. Another interesting thing that you may do is having only one IP for anything, but directing the packets according to the requested service (i.e. one computer will serve HTTP, another one e-mail, etc., all of them with the same IP).

--
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel
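The three-legged layout and the per-service rules Eli lists (anti-spoofing, illegal destinations, DPORT=80 only to the HTTP host and DPORT=25 only to the mail host, DNAT of a single public IP by requested service, masquerading for DMZ hosts reaching each other through that IP) worked through as a POSIX sh rule generator for iptables. This is an added example, not code from any poster; eth0/eth1/eth2, the 203.0.113.1 public address, the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ and the two server addresses are assumptions. By default it only prints the commands; run with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Rule generator for a three-legged
# firewall: eth0 to the Internet, eth1 to the client LAN, eth2 to the DMZ.
# All addresses and interface names below are assumptions for illustration.
# Run as-is to print the rules; run with IPT=iptables as root to apply them.
IPT=${IPT:-echo iptables}

WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
PUB_IP=203.0.113.1           # the firewall's single public address (assumed)
LAN_NET=192.168.1.0/24       # client (Windows) network: may only initiate sessions
DMZ_NET=192.168.2.0/24       # servers that the outside may reach
# dport:host pairs: the one service each DMZ host actually runs (assumed hosts)
SERVICES="80:192.168.2.10 25:192.168.2.25"

dmz_ruleset() {
    # Default deny for what reaches the firewall itself and what it forwards.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing: the Internet leg may not claim internal source addresses,
    # and each internal leg may only carry its own subnet as source.
    $IPT -A INPUT   -i $WAN_IF -s $LAN_NET -j DROP
    $IPT -A INPUT   -i $WAN_IF -s $DMZ_NET -j DROP
    $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN_IF -s $DMZ_NET -j DROP
    $IPT -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP

    # Illegal destinations from outside: loopback and limited broadcast.
    $IPT -A INPUT -i $WAN_IF -d 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i $WAN_IF -d 255.255.255.255 -j DROP

    # Replies to sessions that were allowed may pass in every direction.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients may open sessions to the Internet and to the DMZ servers.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW -j ACCEPT

    # DMZ -> LAN is never opened: a compromised server must not reach the clients.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
    # DMZ hosts may still go out (the mail server delivering outbound mail).
    $IPT -A FORWARD -i $DMZ_IF -o $WAN_IF -m state --state NEW -j ACCEPT

    for svc in $SERVICES; do
        port=${svc%%:*}; host=${svc#*:}
        # Internet -> DMZ: only DPORT=$port, and only to the host that serves it.
        $IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT
        # Same service when a DMZ neighbour addresses it by the public IP (hairpin).
        $IPT -A FORWARD -i $DMZ_IF -o $DMZ_IF -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT
        # One public IP for everything, dispatched by the requested service.
        $IPT -t nat -A PREROUTING -d $PUB_IP -p tcp --dport $port -j DNAT --to-destination $host
    done

    # Hairpin case: a DMZ host talking to PUB_IP is DNATed back into the DMZ.
    # Without masquerading, the server would answer the client directly and the
    # reply would never pass the firewall that holds the translation.
    $IPT -t nat -A POSTROUTING -s $DMZ_NET -d $DMZ_NET -o $DMZ_IF -j MASQUERADE

    # Everything leaving to the Internet appears as the single public address.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUB_IP
}

# Check the generated policy without iptables installed: is there a rule line
# containing the given text? (Meaningful with IPT left at its echo default.)
rule_present() {
    dmz_ruleset | grep -- "$1" >/dev/null
}

dmz_ruleset
```

With the default echo, `rule_present` lets you review the policy on any machine before applying it; the negative checks (no WAN-to-LAN accept, no wrong port to a host) are the ones worth keeping in a pre-deployment test.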
Re: DMZ
On Thu, 2002-09-12 at 20:29, Ben-Nes Michael wrote:
> Hi All
>
> Small confusion. what exactly is DMZ ? If it is an area between the Internet and the Firewall then its not under protection of the firewall. If so what the firewall manage here ?

The art of security is all about risk hedging and in this case - partitioning the area you protect into separate perimeters, each with its own security 'level' and risk. A firewall exists to enforce this separation at the network level.

Many strangers need to come to drop off packages at a building's entrance front desk, just as many strangers need to establish SMTP connections with your mail server. But only a very few specific people need to pass into the offices area of the upper floor, just like only very few and specific people need to establish TCP connections with your internal network.

Someone who is allowed or even unlawfully able to gain entrance to the first floor front desk should not be able to 'escalate' this access to the higher floors' offices. Someone who has access to the company mail server (because he sends email to someone in the company) or someone who was able to gain root by using a buffer overflow on the mail server should not be able to pass into the inner network sterile zone where the source code and money records are kept.

There are security means and checks (guards, cameras, locks) both at the entrance to the front desk on the first floor and to the upper floors' offices, but the rules by which they decide who can pass and who doesn't are different. Likewise the firewall keeps tabs on traffic going in and out of the DMZ and the internal network (and between!) but uses different rules to decide who may go where.

The area in which the mail and web server (for example) exist must have more permissive rules in order for them to function, but that means that the network area in which these servers exist is at a higher risk and must be isolated from the rest of the network, hence the DMZ.

Building Internet Firewalls is a great book recommended to people interested in the subject: http://www.greatcircle.com/firewalls-book/

<Shameless plug>
And if anyone needs help in setting up a secure environment, I know a couple of pros that would be glad to help for a modest fee... :-)
</Shameless plug>

Gilad.

--
Gilad Ben-Yossef [EMAIL PROTECTED]
http://benyossef.com
"We don't need kernel hackers or geniuses, we need good developers who will do what they're told." Famous last words, the collection.
RE: DMZ
Have we forgot the lost art of RTFMing?

On the original subject, go read: http://www.tldp.org/HOWTO/Firewall-HOWTO-3.html

On security discussions...got a spare 5 years?
Re: DMZ
On Thu, Sep 12, 2002 at 08:48:35PM +0200, e-tie wrote:
> Have we forgot the lost art of RTFMing?
> [snip]
> On security discussions...got a spare 5 years?

You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for. On the other hand, what happens when you get stuck?

Guy

Yes, I too am looking for jobs...

--
Unix Administration,    | http://www.unixadmin.co.il
locally and remotely.   | [EMAIL PROTECTED]
Planning, installation, | Phone: 972-3-6201373
support upgrades.       | Location: Unrestricted
RE: DMZ
Please don't get me wrong, when you are stuck help is needed, but come on, DMZ? I mean there are so many docs out there on DMZ. As I see it, first see if you can find it and learn it yourself, then approach the community!

Oh and btw I'm out of a job too, and I don't even know l/unix that good. Security on the other hand, that's another issue :)

> On Thu, Sep 12, 2002 at 08:48:35PM +0200, e-tie wrote:
> > Have we forgot the lost art of RTFMing?
> > [snip]
> > On security discussions...got a spare 5 years?
>
> You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for. On the other hand, what happens when you get stuck?
>
> Guy
>
> Yes, I too am looking for jobs...
>
> --
> Unix Administration,    | http://www.unixadmin.co.il
> locally and remotely.   | [EMAIL PROTECTED]
> Planning, installation, | Phone: 972-3-6201373
> support upgrades.       | Location: Unrestricted
Re: DMZ
On Thu, Sep 12, 2002 at 09:27:18PM +0300, Guy Cohen wrote:
> On Thu, Sep 12, 2002 at 08:48:35PM +0200, e-tie wrote:
> > Have we forgot the lost art of RTFMing?
> > [snip]
> > On security discussions...got a spare 5 years?
>
> You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for.

I'll say it gently: the service a consultant provides should not be equivalent to an answer on a mailing list. If it is, said consultant is doing it wrong...

ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.

--
Muli Ben-Yehuda
syscalltrack hacker-at-large
Re: DMZ
Quoth Muli Ben-Yehuda:
> ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.

DON'T even dare thinking of a shared scsi bus!

--
---OFCNL
This is MY list. This list belongs to ME! I will flame anyone I want.
Official Flamer/Cabal NON-Leader [EMAIL PROTECTED]
Re: DMZ
On Thu, Sep 12, 2002 at 11:13:09PM +0300, Muli Ben-Yehuda wrote:
> I'll say it gently: the service a consultant provides should not be equivalent to an answer on a mailing list. If it is, said consultant is doing it wrong...

Of course there's no substitute for a real professional who's doing a good job. However, often times a solution to a problem is so simple that you could just ask the mailing list and not spend the extra 30$ to call your favorite problem solver. As one of those guys who's providing a service I can't help but wonder if the time of the mailing lists should not have passed (or at least decreased) from the internet world at the time the bubble exploded and we all got left with no jobs or jobs that pay nickel and dime.

> ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.

cluster is a way.

--
Unix Administration,    | http://www.unixadmin.co.il
locally and remotely.   | [EMAIL PROTECTED]
Planning, installation, | Phone: 972-3-6201373
support upgrades.       | Location: Unrestricted
Re: DMZ
On Thu, Sep 12, 2002 at 11:13:09PM +0300, Muli Ben-Yehuda wrote:
> On Thu, Sep 12, 2002 at 09:27:18PM +0300, Guy Cohen wrote:
> > On Thu, Sep 12, 2002 at 08:48:35PM +0200, e-tie wrote:
> > > Have we forgot the lost art of RTFMing?
> > > [snip]
> > > On security discussions...got a spare 5 years?
> >
> > You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for.
>
> I'll say it gently: the service a consultant provides should not be equivalent to an answer on a mailing list. If it is, said consultant is doing it wrong...

I think the main difference is that ML answers are given late at night, with late-at-night moods (and tiredness), for better or worse :-).

> ObLinux: how do I share easily an entire machine's hard disk with other machines? NFS sharing / led to all sorts of nastiness. Pointers to FMs welcome.

Can you give more details? What is the exact need? For example, I run some machines with nfsroot, so exporting their *physical* disk is trivial. Do you refer to a physical disk, all the local partitions, all mounted FSs (including /proc, nfs)?

What problems did NFS exporting / cause?

Did you try the usermode nfs server? (from ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir. Not maintained for a long time, but still might be useful).

Did mount --bind somewhere and NFS exporting it didn't work either? Note I didn't try this myself, but writing this answer makes me want to try (for diskless machines' server - I currently do not share its /).

> --
> Muli Ben-Yehuda
> syscalltrack hacker-at-large

Didi
Re: DMZ
Muli Ben-Yehuda [EMAIL PROTECTED] writes:
> I'll say it gently: the service a consultant provides should not be equivalent to an answer on a mailing list. If it is, said consultant is doing it wrong...

No. The customer is doing it wrong...

--
Oleg Goldshmidt | [EMAIL PROTECTED]
=================================================================
... Of theoretical physics and programming, programming embodied the greater intellectual challenge. [E.W.Dijkstra, 1930 - 2002.]
Re: DMZ
Official Flamer/Cabal NON-Leader [EMAIL PROTECTED] writes:
> DON'T even dare thinking of a shared scsi bus!

Out of curiosity: why shouldn't I think about it?

--
Oleg Goldshmidt | [EMAIL PROTECTED]
=================================================================
... Of theoretical physics and programming, programming embodied the greater intellectual challenge. [E.W.Dijkstra, 1930 - 2002.]
Re: DMZ
Quoth Oleg Goldshmidt:
> Official Flamer/Cabal NON-Leader [EMAIL PROTECTED] writes:
> > DON'T even dare thinking of a shared scsi bus!
>
> Out of curiosity: why shouldn't I think about it?

If you are not yet old, you will become VERY old by playing with shared scsi busses. I did this quite a bit, in QBI and in Comverse. It was very trying and cost me a few years of my life. It can be done. It is just sensitive and difficult.

--
---OFCNL
This is MY list. This list belongs to ME! I will flame anyone I want.
Official Flamer/Cabal NON-Leader [EMAIL PROTECTED]
Re: DMZ
On Thu, Sep 12, 2002, Muli Ben-Yehuda wrote about "Re: DMZ":
> On Thu, Sep 12, 2002 at 09:27:18PM +0300, Guy Cohen wrote:
> > You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for.

Are you referring to a specific case when an employer did something like you describe? I have a counter-example: a few months ago a company wanted me to come consult them, because they had a pressing question. I answered the pressing question they had via email (without charge!), but after that they still wanted me to come consult for them! I guess when you need a consultant, you probably don't need one for just one question.

> I'll say it gently: the service a consultant provides should not be equivalent to an answer on a mailing list. If it is, said consultant is doing it wrong...

I'd say the employer was doing something wrong, and the consultant was just taking advantage of the situation :)

There are several problems with the view that a mailing list can replace a consultant, because it makes several assumptions on what consultants are needed for that usually aren't true. That view is problematic because:

1. It assumes the employer has the time to formulate the question well, send it to a mailing list, and hope that it will be answered well and soon. The employer's time (I'm thinking about some sort of highly paid manager or researcher or something) is actually worth something too, so wasting it in order to save consulting time is silly.

2. It assumes that every question gets answered on the mailing list. What if the question isn't interesting enough and never gets answered? The employer still needs an answer to get his work done, and paying money is the only way to make *sure* that something gets done, at least in our existing society.

3. It assumes the employer would know how to formulate the question well, and to which mailing list to send it. Many times this isn't true.

4. It assumes the employer only has, say, one question a month and it is an interesting question. Mailing list subscribers usually despise posters that smell like they are asking technical, directly-work-related, I-didn't-bother-to-try-solving-this-myself kind of questions. If the employer has 5 questions a week, and some of them are boring and technical, a mailing list wouldn't be a useful address for these questions.

5. It assumes the questions the employer has can be solved in, say, 10 minutes. Very rarely will someone on a mailing list write a piece of software for you, search the web for you for hours, or otherwise help you in a way that takes him hours to do. If the employer does need some time-consuming research or work done, he will need to pay for it.

6. It assumes the only thing the employer is looking for is an answer. Many times the employer doesn't need an answer, but rather something *done*. He doesn't want to know where to find a document about configuring a DMZ - he wants someone to configure a DMZ for him (see also the time issue earlier). Obviously, a mailing list could not help with that.

7. Most questions an employer might have have something to do with problems in an existing product. It might take an experienced professional to be able to separate all the product-specific issues from the problem and ask a general question on the mailing list, but worse - many times the employer cannot do such a separation. Since he cannot describe his entire product and the whole situation to the mailing list (boring, and will reveal his trade secrets!) his only recourse is to have an on-site professional - full-time employee or consultant.

Because these assumptions are rarely true (especially not all of them together), consultants and professional full-time employees are still useful, and professional programmers/sysadmins/researchers are still needed in the high-tech industry (albeit in lesser numbers than were needed a couple of years ago). An employer uses a consultant rather than a full-time employee when the number of problems/questions they have doesn't warrant full-time work, and/or when they cannot get a full-time employee - perhaps because they're looking for help in an issue that is so advanced that only a few people know it and these people already have jobs (this situation was very common until not long ago, and in some areas it is still true).

--
Nadav Har'El                        |      Friday, Sep 13 2002, 7 Tishri 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Fame: when your name is in everything but
http://nadav.harel.org.il           |the phone book
Re: DMZ
On Thu, 12 Sep 2002, Guy Cohen wrote:
> You couldn't be more right. The art of mailing list is slowly dying. People who spend 5 and more years investigating unix want to get paid and are sick and tired of not finding a job because a potential employer could just send a question to the mailing list and get the answer he *should* pay for.

So you are in favor of free software, but not of free support? What about free documentation? And you're one of those who seem to answer people's questions here. tsk tsk ;)

--
guy

"For world domination - press 1, or dial 0, and please hold, for the creator." -- nob o. dy