Re: Small network with a single real IP

On Tue, Nov 07, 2000 at 04:25:54PM +0100, Julien Stern wrote:
> Should I set up two internal private subnets (one for the ftp/www),
> and one for the other computers? What kind of communication should I allow
> between them, in case the www/ftp box gets broken? Is that the way to go?
It's the most secure situation.

> Also, is it reasonable to forward ssh2 to an internal box?
> Currently, when I'm outside, I log on my firewall, and then inside.
> Is one alternative safer than the other and for what reason?
It's safer. I mean it's safer to allow access to every host from outside
via ssh (ftp, www not in the second subnet). It's because you give no more
than a single host's root password, in opposition to access to the whole net
when you log in to every host via the firewall.

In truth I think that you should shut ssh on the firewall
and allow connections between the outside world and the ftp/www servers
via it only.

> Finally, should I upgrade to 2.4 to use iptables or is what I'm willing
> to do going to be just fine with ipchains and ipmasqadm?
Not now, not yet. Maybe in the next months. I don't think 2.4 is stable and secure
enough yet to use it on firewalls.
Maybe I'm wrong.

Sorry for my English. :-(

Artur Górniak
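As an added example (not part of the thread), the layout the reply recommends, written as an iptables script rather than the ipchains/ipmasqadm rules of the time: a DMZ subnet for the www/ftp box, a separate LAN, ssh from outside forwarded to a single LAN host, no ssh to the firewall itself, and no traffic initiated from the DMZ into the LAN. Interface names, subnets and addresses are assumptions.

```shell
#!/bin/sh
# Added example: three-legged firewall for the design discussed above.
# Interfaces, subnets and addresses are assumed, not taken from the thread.
# Default is a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT=eth0                                           # holds the single real IP
DMZ_IF=eth1; DMZ=10.0.1.0/24; WWW_FTP=10.0.1.10    # www/ftp box
LAN_IF=eth2; LAN=10.0.2.0/24; SSH_HOST=10.0.2.10   # the one box that gets ssh

build_firewall() {
    # Default deny for traffic to and through the firewall
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to connections already allowed
    # (load nf_conntrack_ftp so RELATED covers ftp data connections)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Firewall itself: ssh reachable from the LAN only, nothing from outside
    $IPT -A INPUT -i $LAN_IF -s $LAN -p tcp --dport 22 -j ACCEPT
    # Hide both subnets behind the real IP; forward www/ftp and ssh inside
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    $IPT -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 21,80 -j DNAT --to-destination $WWW_FTP
    $IPT -t nat -A PREROUTING -i $EXT -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST
    # Outside -> DMZ: www/ftp only.  Outside -> LAN: ssh to one host only.
    $IPT -A FORWARD -i $EXT -o $DMZ_IF -d $WWW_FTP -p tcp -m multiport --dports 21,80 -j ACCEPT
    $IPT -A FORWARD -i $EXT -o $LAN_IF -d $SSH_HOST -p tcp --dport 22 -j ACCEPT
    # Both subnets may reach the outside world
    $IPT -A FORWARD -i $LAN_IF -o $EXT -s $LAN -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $EXT -s $DMZ -j ACCEPT
    # A compromised www/ftp box must not be able to open connections into the LAN
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
}

build_firewall
```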

