Re: secure topologies - smtp/dns/whois/....
On Saturday, 2003-03-22 at 12:01:13 -0600, Hanasaki JiJi wrote:
> Would you share your opinions on the following setup for daemons?
> firewall runs
> whois server - gwhois or jwhois?
No services on the firewall. Put that on a machine in the DMZ.
> iptables - firewall
... because it would be no firewall without ;-)
> forwards-to/NAT-from internal smtp server
> <what iptables rules will accomplish this>
-> DMZ
> NAT outgoing DNS for internal bind9 server
NAT all outgoing connections, I'd say. Unless you have non-RFC1918
addresses on the inside. What a luxury!
> bind9 - for external dns
> <no connection between these two servers>
-> DMZ
> NAT from internal SQUID server to internet
NAT all outgoing connections.
> ntp - time server for internal
> <safe to run this on the firewall?>
Client only. Put the NTP server in the DMZ.
> host(s) inside the firewall
> smtp server - exim4
Put a relay in the DMZ. Receive mail through it, forwarded to the
internal mail server. Have the internal mail server relay everything
outgoing through this mail server. As for exim, I have never used it.
> dhcp3-server for internal
This should not matter for the external view or the DMZ.
> bind9 - for internal dns
Yep. Have the firewall and the DMZ query this server. Have the server
forward-only through the DNS server in the DMZ.
> squid - http proxy
Better located in the DMZ.
> webserver - apache for internal and external
> domain.com
> internal.domain.com
> <both on same server>
Put the web server for external in the DMZ if you value your security.
You can use it for internal as well, but don't have to.
Buy and read "Building Internet Firewalls, 2nd Edition" by Zwicky,
Cooper, Chapman (O'Reilly).
On general principle, don't allow connections from external to internal.
Only external <-> DMZ and DMZ <-> internal.
Don't put any services on the firewall. Have the firewall only
communicate with the DMZ. If you have no official addresses but the one
for the firewall, use port redirection to the DMZ for incoming
connections.
HTH,
Lupe Christoph
PS: If you have never used iptables, and you sound like it, give
fwbuilder a try. Even if you have, it might be useful because it
makes management of the rules easier.
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
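The iptables side of the topology Lupe sketches (port redirection of incoming SMTP to a DMZ relay, NAT for all outgoing connections, no services on the firewall, forwarding only external <-> DMZ and DMZ <-> internal), as an added example that is not part of the original thread. Interface names, the RFC1918 ranges and the relay address are assumptions; the DNS flows to the internal resolver are left out.

```shell
#!/bin/sh
# Added example, not from the thread. All names/addresses below are assumed.
EXT_IF=eth0               # Internet-facing interface
DMZ_IF=eth1               # DMZ segment
INT_IF=eth2               # internal LAN
DMZ_NET=192.168.10.0/24   # DMZ range (RFC1918)
INT_NET=192.168.20.0/24   # internal range (RFC1918)
MAIL_RELAY=192.168.10.25  # SMTP relay in the DMZ

# Emit the policy as iptables-restore input rather than applying it, so it can
# be reviewed first and then loaded with:  gen_rules | iptables-restore
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# no services on the firewall: accept only loopback and replies to its own flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the firewall itself talks only to the DMZ (e.g. as an NTP client)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $DMZ_IF -d $DMZ_NET -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# replies for any already-accepted flow
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# external <-> DMZ: redirected SMTP in, DMZ hosts' own outbound connections
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $MAIL_RELAY -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -m state --state NEW -j ACCEPT
# DMZ <-> internal: internal hosts reach DMZ services; the relay delivers inbound mail
-A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $INT_IF -s $MAIL_RELAY -p tcp --dport 25 -m state --state NEW -j ACCEPT
# external <-> internal is never accepted: it falls through to the DROP policy
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port redirection: SMTP arriving on the firewall's single public address goes to the DMZ relay
-A PREROUTING -i $EXT_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_RELAY:25
# NAT all outgoing connections (DMZ and internal) behind the firewall's address
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}
```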