Re: secure topologies - smtp/dns/whois/....



On Saturday, 2003-03-22 at 12:01:13 -0600, Hanasaki JiJi wrote:
> Would you share your opinions on the following setup for daemons?

> firewall runs
> 	whois server - gwhois or jwhois?

No services on the firewall. Put that on a machine in the DMZ.

> 	iptables - firewall

... because it would be no firewall without ;-)

> 	forwards-to/NAT-from internal smtp server
> 		<what iptables rules will accomplish this>

-> DMZ

> 	NAT outgoing DNS for internal bind9 server

NAT all outgoing connections, I'd say. Unless you have non-RFC1918
addresses on the inside. What a luxury!

> 	bind9 - for external dns
> 		<no connection between these two servers>

-> DMZ

> 	NAT from internal SQUID server to internet

NAT all outgoing connections.

> 	ntp - time server for internal
> 		<safe to run this on the firewall?>

Client only. Put the NTP server in the DMZ.

> host(s) inside the firewall
> 	smtp server - exim4

Put a relay in the DMZ. Receive mail through it, forwarded to the
internal mail server. Have the internal mail server relay everything
outgoing through this mail server. As for exim, I have never used it.

> 	dhcp3-server for internal

This should not matter for the external view or the DMZ.

> 	bind9 - for internal dns

Jupp. Have the firewall and the DMZ query this server. Have the server
forward-only through the DNS server in the DMZ.

> 	squid - http proxy

Better located in the DMZ.

> 	webserver - apache for internal and external
> 		domain.com
> 		internal.domain.com
> 		<both on same server>

Put the web server for external in the DMZ if you value your security.
You can use it for internal as well, but don't have to.

Buy and read "Building Internet Firewalls, 2nd Edition" by Zwicky,
Cooper, Chapman (O'Reilly).

On general principle, don't allow connections from external to internal.
Only external <-> DMZ and DMZ <-> internal.

Don't put any services on the firewall. Have the firewall only
communicate with the DMZ. If you have no official addresses but the one
for the firewall, use port redirection to the DMZ for incoming
connections.

HTH,
Lupe Christoph

PS: If you have never used iptables, and you sound like it, give
    fwbuilder a try. Even if you have, it might be useful because it
    makes management of the rules easier.
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |
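One way to express the topology recommended in this reply as an iptables ruleset. This is an added example, not code from the thread; the interface names (eth0 external, eth1 DMZ, eth2 internal), all addresses, and the squid and NTP port numbers are assumptions. The firewall holds the single official address and port-redirects incoming services into the DMZ, NATs everything outbound, and forwards only external<->DMZ and DMZ<->internal.

```shell
#!/bin/sh
# Constructed example: three-legged firewall, eth0 external, eth1 DMZ, eth2 internal.
# Every interface name and address below is an assumption, not from the thread.
EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
DMZ_NET=192.168.100.0/24; INT_NET=192.168.1.0/24
MAIL_RELAY=192.168.100.10; EXT_DNS=192.168.100.11; WEB=192.168.100.12
NTP=192.168.100.13; SQUID=192.168.100.14
INT_MAIL=192.168.1.10; INT_DNS=192.168.1.2

# Default is a dry run that prints each rule for review; DRY_RUN=0 applies them.
ipt() { if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi; }

build_rules() {
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT; ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No services on the firewall: it is only an NTP client of the DMZ and a DNS client of the internal resolver.
    ipt -A OUTPUT -o "$DMZ_IF" -d "$NTP" -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -o "$INT_IF" -d "$INT_DNS" -p udp --dport 53 -j ACCEPT
    # One official address: port-redirect incoming services to their DMZ hosts.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_RELAY"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 53 -j DNAT --to-destination "$EXT_DNS"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 53 -j DNAT --to-destination "$EXT_DNS"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    # external <-> DMZ: only the redirected services inbound, anything from the DMZ outbound.
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$MAIL_RELAY" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$EXT_DNS" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$EXT_DNS" -p tcp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -j ACCEPT
    # DMZ <-> internal: relay both ways, resolver forward-only through the DMZ DNS, DMZ queries the internal DNS, proxy and NTP clients.
    ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$MAIL_RELAY" -d "$INT_MAIL" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_MAIL" -d "$MAIL_RELAY" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_DNS" -d "$EXT_DNS" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_NET" -d "$INT_DNS" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$SQUID" -p tcp --dport 3128 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$NTP" -p udp --dport 123 -j ACCEPT
    # NAT every outgoing connection behind the firewall's one official address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # External traffic never reaches the internal network directly; log what hits the drop.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j LOG --log-prefix "ext->int blocked: "
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
}

build_rules
```

Run it once as-is to read the generated rules, then with `DRY_RUN=0` as root to apply them; the internal hosts have no direct path to the outside, so HTTP goes through the squid in the DMZ and mail through the relay.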