Re: firewall -- best practices
hi ya
-- lots of answers ... my preferences below ..
On Tue, 18 Feb 2003, John Schmidt wrote:
> Hi,
>
> I have a couple of old machines that I will be installing Debian on
> them. I would like to dedicate one of the machines to a firewall, and
> the other machine to a mail server. I have a dsl line with a static IP
> (with the router acting as a firewall) and several other debian
> machines that will sit behind my firewall along with my mail server. I
> have several questions regarding this:
first thing ...
- define a set of rules for your network ..
who can do what to which machines from where
- what is allowed
- all else is disallowed
> 1. Is it best to not have the firewall doing anything else, i.e. acting
> as a web and/or mail server, and instead use a different machine for
> the mail server?
if you have the spare hardware ... do single purpose machines .. :-)
( or more importantly... spare time for build, setup, config, admin ... )
- firewall - presumably only running iptables/ipchains
- gw - doing some routing
- mail - doing only incoming/outgoing mail
- pop - doing only secure pop3/secure imap
- www - doing only insecure http
- secure web - doing only https -- important to separate it
- www-dev - where you do your web design before releasing
- printer - printer server
- dns - dns server
- vpn - vpn server
- ppp - dialin server
- loghost - log everything and anything
- backup - backup servers ( at least 2 of um )
- others
combine functions as you see fit ... like most people
fw -- no logins except from inside the lan
gw + mail + web -- assume it will be cracked ... backup everything
pop + vpn -- use different user login for each
-- use different userID for ssh login
backup -- don't forget backups on multiple PCs...
> 2. Occasionally, I would like to ssh into my network from work. Is it
> best to only open up the port on the firewall or do some port
> forwarding so that ssh connections automatically go to a different
> (non-firewall) machine?
do all admin from inside your LAN... never from the outside (my paranoia)
ssh login should be allowed only from certain ip# ...
> 3. I have been perusing different howtos on various networking setups
> mail server, etc. but am always looking for a must read site, book,
> etc. Anyone have any good suggestions?
everybody has their own ideas ... most are good ....
-- when the machine dies ... old-age, or [h/cr]acker... old software ...
- who gets to fix it, maintains it ??
that person usually fixes it the way they know how, as fast as they can
c ya
alvin
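An added example, not from alvin's post or the rest of the thread: a shell script that prints a default-deny iptables rule set along the lines given above ("what is allowed, all else is disallowed", ssh only from certain IP numbers, admin access from inside the LAN). The interface names eth0/eth1, the LAN network 192.168.1.0/24 and the trusted address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate (not apply) a default-deny iptables policy.
# Constructed values: WAN on eth0, LAN on eth1, one trusted outside address.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24          # constructed example LAN
ADMIN_IPS="203.0.113.10"        # constructed (TEST-NET-3) address allowed to ssh in

# Print the rules instead of running them so the set can be reviewed first.
# Apply as root with:  gen_fw_rules | sh
gen_fw_rules() {
    echo "iptables -F"
    echo "iptables -X"
    # Default deny on every chain: anything not explicitly allowed is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback, plus replies to connections the firewall itself started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Admin (ssh) access from inside the LAN only.
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # ssh from outside only from the listed IP numbers, nothing else.
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -i $WAN_IF -s $ip -p tcp --dport 22 -j ACCEPT"
    done
    # Whatever else reaches the firewall is logged, then dropped by the policy.
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP: ' --log-level 4"
}

# Self-check: default policy present, the trusted address has an ssh rule,
# and an address not on the admin list (constructed 198.51.100.7) has none.
# Returns 0 when the generated set looks right, 1 otherwise.
check_rules() {
    rules=$(gen_fw_rules)
    echo "$rules" | grep -q 'iptables -P INPUT DROP' || return 1
    echo "$rules" | grep -q -- "-s 203.0.113.10 -p tcp --dport 22 -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-s 198.51.100.7 " && return 1
    return 0
}
```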