Re: firewall -- best practices



hi ya

-- lots of answers ...  my preferences below ..

On Tue, 18 Feb 2003, John Schmidt wrote:

> Hi,
> 
> I have a couple of old machines that I will be installing Debian on 
> them.  I would like to dedicate one of the machines to a firewall, and 
> the other machine to a mail server.  I have a dsl line with a static IP 
> (with the router acting as a firewall) and several other debian 
> machines that will sit behind my firewall along with my mail server.  I 
> have several questions regarding this:

first thing ...
	- define a set of rules for your network ..
	who can do what to which machines from where

	- what is allowed 
	- all else is disallowed

> 1.  Is it best to not have the firewall doing anything else, i.e. acting 
> as a web and/or mail server, and instead use a different machine for 
> the mail server?  

if you have the spare hardware ... do single purpose machines .. :-)
( or more importantly... spare time for build, setup, config, admin ... )

	- firewall	- presumably only running iptables/ipchains
	- gw		- doing some routing
	- mail		- doing only incoming/outgoing mail
	- pop		- doing only secure pop3/secure imap
	- www		- doing only insecure http
	- secure web	- doing only https -- important to separate it
	- www-dev	- where you do your web design before releasing
	- printer	- printer server
	- dns		- dns server
	- vpn 		- vpn server
	- ppp 		- dial-in server
	- loghost	- log everything and anything
	- backup 	- backup servers ( at least 2 of them )
	- others

combine functions as you see fit ... like most people
	fw		-- no logins except from inside the lan
	gw + mail + web -- assume it will be cracked ... backup everything
	pop + vpn	-- use different user login for each
			-- use different userID for ssh login

	backup		-- don't forget backups on multiple PCs...

> 2.  Occasionally, I would like to ssh into my network from work.  Is it 
> best to only open up the port on the firewall or do some port 
> forwarding so that ssh connections automatically go to a different 
> (non-firewall) machine?

do all admin from inside your LAN... never from the outside (my paranoia)

ssh login should be allowed only from certain ip# ...

> 3.  I have been perusing different howtos on various networking setups 
> mail server, etc. but am always looking for a must read site, book, 
> etc.  Anyone have any good suggestions?

everybody has their own ideas ... most are good ....

-- when the machine dies ... old-age, or [h/cr]acker... old software ...
	- who gets to fix it, maintains it ??
	that person usually fixes it the way they know how, as fast as
	they can

c ya
alvin
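As an added example, not part of alvin's reply or of the original thread: a default-deny iptables ruleset in the spirit of the "what is allowed, all else is disallowed" rule above, with ssh accepted only from listed LAN addresses (never from the DSL side) and inbound SMTP forwarded to the separate mail machine. The interface names eth0/eth1, the 192.168.1.0/24 range and every host address in it are assumed placeholder values. With IPT left at its default the script only prints the rules, so the policy can be reviewed without root before it is run for real with IPT=iptables.

```shell
#!/bin/sh
# Added example: default-deny firewall for a small LAN behind a DSL line.
# All interface names and addresses below are assumptions, not values
# from the thread; adjust them to your own network.
LAN_IF="${LAN_IF:-eth1}"                       # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth0}"                       # assumed DSL-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # assumed LAN range
ADMIN_HOSTS="${ADMIN_HOSTS:-192.168.1.10 192.168.1.11}"  # assumed admin workstations
MAIL_HOST="${MAIL_HOST:-192.168.1.20}"         # assumed dedicated mail server

# IPT is the command actually executed. The default "echo iptables" is a
# dry run that prints the ruleset; set IPT=iptables to apply it as root.
IPT="${IPT:-echo iptables}"

firewall_rules() {
    # Start clean and make the default policy "drop" for anything
    # arriving at or passing through the firewall.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections we already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Admin ssh: only from the listed LAN hosts, only on the LAN interface.
    # No rule exists for port 22 on WAN_IF, so outside attempts hit the
    # default DROP policy.
    for h in $ADMIN_HOSTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$h" -p tcp --dport 22 -j ACCEPT
    done

    # Inbound mail goes to the single-purpose mail machine, not the firewall.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_HOST"
    $IPT -A FORWARD -i "$WAN_IF" -d "$MAIL_HOST" -p tcp --dport 25 -j ACCEPT

    # Let the LAN reach the outside, masqueraded behind the static IP.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Everything else: log it (for the loghost) and drop it explicitly.
    $IPT -A INPUT -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -j DROP
}

firewall_rules
```

Run it once as-is to read the generated rules, then `IPT=iptables sh firewall.sh` as root on the firewall box; the printed lines that reach the loghost all carry the "fw-drop: " prefix, which makes dropped traffic easy to pick out of syslog.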