On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
>
> > Working on running a SMTP server inside the firewall that takes incoming
> > SMTP traffic from outside the firewall. The below rules are not
> > working. The firewall refuses connections. Any input on what's wrong?
>
> If a remote exploit is found in the MTA running on your internal host (as
> has just occurred with sendmail again), an attacker may be able to launch a
> direct attack on this box. Depending on your overall security structure
> they may then be able to attack any number of hosts behind your firewall.
>
> Some of the alternatives aren't much better. Running an MTA on your
> firewall is just as bad as a remote exploit here may allow an attacker
> access to the root on the firewall, allowing the firewall to be
> circumvented again.
>
> If you have more than 1 static address, an MTA running in a DMZ is
> definitely better. This way you could still have your internal MTA being
> port forwarded but restrict access through the firewall by source address,
> such that only your MTA in the DMZ can access the port redirect. If you
> can restrict access by way of network interface on the firewall[1] then
> you're much much better off again as this protects against a spoof.

I don't quite follow this... Surely if one can break into the port-forwarded
MTA, one can break into DMZ's MTA, which would then allow the attacker to
access the port-forwarding anyway?

--
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did, we'd be
running around in darkened rooms, popping pills and listening to
repetitive music.
	-- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use,
duplication and distribution.
-----------------------------------------------------------
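The layout Robert describes (public SMTP terminates on a DMZ relay; the internal MTA accepts port 25 only from that relay's address, and only when the packet actually arrives on the DMZ interface) can be expressed as a small iptables rule set. The script below is an added illustration, not rules from either poster: the interface names (eth0/eth1/eth2), the addresses 192.0.2.25 and 10.0.0.25, and a firewall that routes between the three interfaces are all assumptions. By default it only prints the commands; set APPLY=1 to run them.

```shell
#!/bin/sh
# Added example: three-legged firewall with a DMZ mail relay in front of an internal MTA.
# All names and addresses below are assumed placeholders, not values from the thread.
EXT_IF=eth0          # internet-facing interface
DMZ_IF=eth1          # interface toward the DMZ
INT_IF=eth2          # interface toward the internal LAN
DMZ_MTA=192.0.2.25   # public-facing relay in the DMZ (documentation address)
INT_MTA=10.0.0.25    # internal MTA, reachable only through the relay
LAN_NET=10.0.0.0/8   # internal address space, for the anti-spoof rule

# Print each rule unless APPLY=1, so the script can be reviewed without touching the kernel.
run() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# A packet arriving from the internet that claims a DMZ or LAN source address is spoofed.
# This is the interface check that protects the source-address rule further down.
antispoof_rules() {
  run -A FORWARD -i "$EXT_IF" -s "$DMZ_MTA" -j DROP
  run -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
}

# Outside world -> DMZ relay only. With a single public address this is the port redirect.
dmz_smtp_rules() {
  run -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 -j DNAT --to-destination "$DMZ_MTA:25"
  run -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_MTA" --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
}

# DMZ relay -> internal MTA: matched on source address AND ingress interface, so a packet
# from the outside forging the relay's address never reaches the internal host.
internal_smtp_rules() {
  run -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_MTA" -d "$INT_MTA" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  run -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_MTA" -d "$DMZ_MTA" -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
  # Everything else from the DMZ toward the LAN is logged and dropped: if the relay is
  # compromised, port 25 on one host is the only thing it can reach inside.
  run -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "dmz-to-lan: "
  run -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
}

all_rules() {
  antispoof_rules
  dmz_smtp_rules
  internal_smtp_rules
}

if [ "${1:-}" = "show" ]; then
  all_rules
fi
```

Run it as `sh relay-rules.sh show` to review the generated commands, or `APPLY=1 sh relay-rules.sh show` to install them. The point Paul questions is visible in the last function: a relay compromise does not hand the attacker the firewall or the LAN, only a TCP connection to port 25 of one internal host, and the LOG rule gives a place to watch for anything else the relay tries.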