
Re: Linux - DNS/WWW/POP



On Tue, Jan 30, 2001 at 11:19:51PM +0100, Viktor Rosenfeld wrote:
> ktb wrote:
> 
> > > A related question:  Can I have a box serve both as a server (DNS, mail,
> > > proxy, web, ...) for the local network _and_ as a firewall for the local
> > > network at the same time?
> > >
> > > [snipped]
> >
> > Whatever services you run, you need a port open so the "outside" can
> > access it.  In other words if you want to run a web server you must have
> > say, port 80 open.  I use openbsd for a firewall using NAT.  From what
> > little I have read the new firewall stuff in 2.4 works similar.
> > "Stateful" is a great thing.  You can set up a default rule to block all
> > incoming and another to allow any communication from the outside, if you
> > initiate it.
> > 
> > What I would do if I were you is set up a three legged network (three
> > network cards in your firewall).  One card connecting to the outside,
> > one connecting to a server (dmz) and one to your internal network
> > (workstation).  Set up your firewall with a default 'deny all' from the
> > outside.  Then set up rules to let in just the services you want to
> > offer such as a web server, dns server, etc.  Have these services
> > redirected by your firewall to your server.  You could leave port 22
> > open on your firewall for ssh.  So you would have one port open on your
> > firewall and all other services redirected to your server and still be
> > able to send and receive mail, surf the web etc.  I think that is pretty
> > close to what you want.
> 
> Not really, I think you have misunderstood me a little.  I probably
> haven't made myself clear enough.
> 
> The server will only serve the local network.  That is, the web server
> should not be seen to the outside, as well as the DNS and the mail.  So
> I actually want to deny any connection that is made from the outside,
> except SSH and communication that I've initiated.  Thus, the
> statefulness of netfilter will probably help.  However, for the
> firewall, the internal server is just another peer on the local net, it
> should not care about requests made to any port on the server made from
> the inside.  It should block all access to the server to the outside,
> but that is easily done by NATing the local net and denying any traffic
> at all.
> 
> My question is, whether I really need two machines for this scenario, or
> whether one machine will do it, by blocking any and all
> outside-initiated traffic on the interface that is connected to the
> outside (except for SSH) and not bothering what's going on on the
> interface connected to the local net.
> 

It will work.  I guess it depends on how intensively the machine is going
to be worked, what the specs of the computer are, etc.
kent

-- 
I'd really love ta wana help ya Flanders but... Homer Simpson
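
The single-machine setup Viktor asks about, written out as an iptables
ruleset for a 2.4 netfilter box. This is an added example, not code from
anyone in the thread; the interface names (eth0 outside, eth1 local net)
and the LAN range 192.168.1.0/24 are assumptions. The function prints the
commands rather than running them, so the ruleset can be reviewed without
root; apply_firewall feeds them to sh.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for one Linux 2.4
# box that is both the firewall and the local-net-only server Viktor
# describes. Interface names and the LAN range are assumptions.

# firewall_rules WAN_IF LAN_IF LAN_NET
# Prints the iptables commands instead of running them, so the ruleset can be
# reviewed (and checked) without root; apply_firewall pipes them into sh.
firewall_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -F
iptables -t nat -F
# Default deny for anything arriving at or crossing the box; outbound is free.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and the internal interface are trusted: the LAN may reach every
# service on this box (DNS, POP, web, proxy) without per-port rules.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
# Outside interface: drop packets claiming a LAN source (spoofing), allow
# replies to connections this box or the LAN initiated, allow new SSH only.
iptables -A INPUT -i $wan -s $net -j DROP
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Log (rate-limited) what the default policy is about to drop from outside.
iptables -A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
# Forwarding: LAN out to the world, only established/related traffic back in.
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade the private LAN behind the outside address.
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Apply the ruleset (needs root and the 2.4 netfilter modules loaded) and turn
# on forwarding between the two interfaces.
apply_firewall() {
    firewall_rules "$1" "$2" "$3" | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: apply_firewall eth0 eth1 192.168.1.0/24
```

The point of keying the trusted side on the interface (`-i eth1`) rather than
on source addresses is that the firewall then does not care which ports on
the box the LAN talks to, while a packet arriving on eth0 with a LAN source
address is simply dropped. Everything from outside falls through to the
DROP policy except SSH and replies to connections the box or the LAN opened,
which is exactly the behaviour the thread describes; the LOG rule gives a
record of what was refused.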


