Re: Small network with a single real IP

To: Julien Stern <stern@lri.fr>
Subject: Re: Small network with a single real IP
From: Artur Gorniak <josh@diament.ists.pwr.wroc.pl>
Date: Tue, 7 Nov 2000 18:00:49 +0100
Message-id: <[🔎] 20001107180049.K27246@diament.ists.pwr.wroc.pl>
In-reply-to: <[🔎] 20001107162554.A23317@lri.fr>; from stern@lri.fr on Tue, Nov 07, 2000 at 04:25:54PM +0100
References: <[🔎] 20001107162554.A23317@lri.fr>

On Tue, Nov 07, 2000 at 04:25:54PM +0100, Julien Stern wrote:
> Should I set up two internal private subnets (one for the ftp/www),
> and one for the other computers? What kind of communication should I allow
> between them, in case the www/ftp box gets broken? Is that the way to go?
yes
it's the most secure situation

> Also, is it reasonnable to forward ssh2 to an internal box?
> Currently, when I'm outside, I log on my firewall, and then inside.
> Is one alternative safer than the other and for what reason?
yes.
it's safer. I mean it's safer to allow access to every host from outside
via ssh (ftp, www no in second subnet). It's cause you give no more
than single host root password in oposiotion to access to whole net
when you logging to every host via firewall.

For truth I think that you should shut ssh on firewall
and allow connection between outside world and ftp,www servers
via it only.

> Finally, should I upgrade to 2.4 to use iptables or is what I'm willing
> to do going to be just fine with ipchains and ipmasqadm?
not now yet. may be in next months. I don't think 2.4 is stable and secure yet
enough to use it on firewalls.
may be I'm wrong.

sorry for my english. :-(

Artur Górniak

Reply to:

References:
- Small network with a single real IP
  - From: Julien Stern <stern@lri.fr>

Prev by Date: Re: Small network with a single real IP
Next by Date: ipchains question
Previous by thread: Small network with a single real IP
Next by thread: Re: Small network with a single real IP
Index(es):
- Date
- Thread