
Re: iptables forwarding to inside firewall



On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> 
> > Working on running a SMTP server inside the firewall that takes incoming
> > SMTP traffic from outside the firewall.  The below rules are not
> > working.  The firewall refuses connections.  Any input on what's wrong?
> 
> If a remote exploit is found in the MTA running on your internal host (as
> has just occurred with sendmail again), an attacker may be able to launch a
> direct attack on this box.  Depending on your overall security structure
> they may then be able to attack any number of hosts behind your firewall.
> 
> Some of the alternatives aren't much better.  Running an MTA on your
> firewall is just as bad as a remote exploit here may allow an attacker
> access to root on the firewall, allowing the firewall to be
> circumvented again.
> 
> If you have more than 1 static address, an MTA running in a DMZ is
> definitely better.  This way you could still have your internal MTA being
> port forwarded but restrict access through the firewall by source address,
> such that only your MTA in the DMZ can access the port redirect.  If you
> can restrict access by way of network interface on the firewall[1] then
> you're much much better off again as this protects against a spoof.

I don't quite follow this... Surely if one can break into the
port-forwarded MTA, one can break into DMZ's MTA, which would
then allow the attacker to access the port-forwarding anyway?

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
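An added example, not from this thread, of the DMZ design Robert describes: the internal MTA is port forwarded, but only SMTP arriving on the DMZ interface from the DMZ relay's address is rewritten and let through, and a packet carrying the relay's address on the outside interface is treated as a spoof. The interface names and addresses (eth0/eth1, 192.0.2.x, 10.0.0.25) are assumptions; the script prints the iptables commands for review and loads them only when run with "apply".

```shell
#!/bin/sh
# Added example: iptables rules for an internal MTA reached only through a
# DMZ relay, restricted by source address and inbound interface.
# All names and addresses below are assumptions for illustration.
EXT_IF=eth0          # assumption: interface facing the Internet
DMZ_IF=eth1          # assumption: interface facing the DMZ
DMZ_MTA=192.0.2.25   # assumption: address of the DMZ relay
FW_DMZ_IP=192.0.2.1  # assumption: firewall's own address on the DMZ side
INT_MTA=10.0.0.25    # assumption: address of the internal MTA

# Prints the rules in the order they must be loaded.
gen_rules() {
    # A packet carrying the DMZ relay's address but arriving on the external
    # interface is spoofed: drop it before any accept rule can match it.
    echo "iptables -A FORWARD -i $EXT_IF -s $DMZ_MTA -j DROP"
    # Replies to connections already accepted below.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The Internet may only talk SMTP to the DMZ relay, never to the inside.
    echo "iptables -A FORWARD -i $EXT_IF -d $DMZ_MTA -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    # Port redirect: only SMTP sent by the relay, on the DMZ interface, to the
    # firewall's DMZ-side address is rewritten to the internal MTA. Matching
    # on -d keeps the relay's outbound mail from being hijacked.
    echo "iptables -t nat -A PREROUTING -i $DMZ_IF -s $DMZ_MTA -d $FW_DMZ_IP -p tcp --dport 25 -j DNAT --to-destination $INT_MTA:25"
    # ...and only that traffic is allowed through to it.
    echo "iptables -A FORWARD -i $DMZ_IF -s $DMZ_MTA -d $INT_MTA -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    # Anything else aimed at the internal MTA's SMTP port is refused.
    echo "iptables -A FORWARD -d $INT_MTA -p tcp --dport 25 -j DROP"
}

case "${1:-show}" in
    apply) gen_rules | sh ;;   # needs root and a netfilter-enabled kernel
    *)     gen_rules ;;        # default: print the rules for review
esac
```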
