
Re: firewalling, imap, DMZ's etc.



Andrew Sackville-West wrote:
> Hi list, I need some advice. My work situation has changed such that I
> now have to get out of my chair and climb out of my basement at
> frequent but irregular intervals. I live by email and need to connect
> to my email and possibly my desktop from multiple locations.
> 
> So, obviously, IMAP to the rescue and probably vnc as well, but one
> thing at a time. I've played around with dovecot for a bit and have an
> understanding of how it works and am ready to implement it. I
> specifically need advice on how to set up my server/firewall etc. 
> 
> here's my current setup: cable -> smoothwall box -> various machines
> including my debian sid desktop, debian sid/etchish file/mail server,
> wifey's winXP box, knoppmyth box, kids debian sid box. 
> 
> What I need: access to IMAP mailboxes from anywhere. I've already got
> dyndns setup and functioning properly, so that's easy... now
> 
> Possible solutions:
> 
> 1. use my smoothwall box as is, portforward IMAP to my server and run
>    with it. potential problems are that my LAN, behind smoothwall, is
>    pretty loosey goosey and I run a pretty good risk of being
>    compromised. especially because I'm running a not-up-to-date sid
>    server (driver issues during install, I could downgrade to testing
>    now and solve that problem.)
> 
> 2. use my smoothwall box as is, set up a DMZ and put another box
>    online to be my IMAP server with a DMZ pinhole from the rest of my
>    LAN to get mail while at home. Problem with this is I'd need
>    another machine running, ugh, and I'm squeamish about setting up a
>    DMZ and then circumventing some of that security...
> 
> 3. redo my smoothwall box into a debian machine as a
>    firewall/router/dhcp server/etc and put IMAP on that box. I could
>    lock down that box pretty well and get rid of all kinds of stuff
>    that I wouldn't need (like SSH as I'd never be sitting at that box
>    and need to SSH to another, for example, though I'd still need sshd
>    to get into the thing on occasion.)


What comes to mind right off the bat would be to VPN into your network while you are away to access your files/mail.

Otherwise the 3rd one is what I would do.  I have a similar setup with a box as my firewall/router (Debian stable/testing).  I have 4 separate networks that are attached to the box: LAN, wifi, DMZ, Internet/ISP.  I use shorewall and really love setting it up with special rules in the config files (very easy).  I have not yet set it up for port forwarding, but it is done in the 'rules' config file.  I also have a separate mail server on the DMZ that fetches the mail, runs SpamAssassin and a virus scan, and sends it to an internal mail server using Cyrus as the IMAP server.  Cyrus is a very good IMAP server with a lot of power, but can be a bit much to set up too.  I like what it offers, but there are other good simple IMAP servers as well.

All this can be done easily with one server in the DMZ, and people can go into the DMZ from the LAN through the router but not the other way.  Then when you're out and about you can connect to your mail server on your DMZ and read your mail.  Using a DMZ with shorewall is very easy to configure, but afaik there isn't any GUI for setting it up.

If you do not want to set up a DMZ because of hardware resources, power consumption or anything else, you can set up your email server (if you have one internally on your LAN) and have postfix save a copy locally and also forward a copy to, e.g., Google Mail.  I do that for my wife since her work does not have email and she uses Google Mail for work.  You will have 2 accounts to manage with filing, but it makes an easy solution.

Just some extra things to think about while on your project.



> 
> 4. other solutions like running those services that I want externally
>    accessible in a chroot on one of these machines. maybe other kinds
>    of weirdness, I don't know. 
> 
> My questions are: what do you all think of the above solutions? which
> would you recommend? What are some other solutions I'm missing? What's
> a good reference work for figuring this out? My concerns are security
> for our quaint little home network without giving up its easy ad-hoc
> nature.
> 
> thanks
> 
> A
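As an added illustration that is not part of either poster's message: the four-zone shorewall layout (LAN may reach the DMZ, the DMZ may not initiate connections back), the port forward done in the 'rules' file, and the postfix "keep a local copy and send one elsewhere" trick described in the reply, written out as example configuration files. Interface names (eth0..eth3), the 192.168.x.y addresses, the example.home domain, the gmail address and the Shorewall 3.x file layout are all assumptions for the example; adjust them to your own boxes. Note that only IMAP over TLS (993) is forwarded from the outside, not plaintext IMAP (143), so that passwords are not sent in the clear across the cable link; make sure the IMAP server is configured to refuse plaintext logins as well.

```text
# /etc/shorewall/zones          (Shorewall 3.x column layout is assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4
dmz     ipv4

# /etc/shorewall/interfaces     (interface names are assumptions)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags,nosmurfs
loc     eth1        detect      tcpflags
wifi    eth2        detect      tcpflags
dmz     eth3        detect      tcpflags

# /etc/shorewall/masq           (hide all three inside networks behind the cable interface)
#INTERFACE  SOURCE
eth0        192.168.1.0/24
eth0        192.168.2.0/24
eth0        192.168.3.0/24

# /etc/shorewall/policy         (defaults between zones; the rules file punches holes)
#SOURCE  DEST   POLICY   LOG LEVEL
fw       all    ACCEPT
loc      net    ACCEPT
loc      dmz    ACCEPT            # LAN may go into the DMZ ...
wifi     net    ACCEPT
dmz      net    ACCEPT
dmz      all    REJECT   info     # ... but the DMZ may not initiate into LAN, wifi or the firewall
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules          (192.168.2.10 = DMZ mail host, 192.168.1.5 = LAN server; both assumed)
#ACTION  SOURCE             DEST                PROTO  DEST PORT(S)
ACCEPT   loc                fw                  tcp    22     # sshd on the firewall, from the LAN only
DNAT     net                dmz:192.168.2.10    tcp    993    # IMAP over TLS from anywhere (the port forward)
DNAT     net                dmz:192.168.2.10    tcp    25     # inbound SMTP to the DMZ mail host
ACCEPT   wifi               dmz:192.168.2.10    tcp    993    # wifi zone only gets IMAPS, nothing else in the DMZ
ACCEPT   dmz:192.168.2.10   loc:192.168.1.5     tcp    25     # the single DMZ->LAN pinhole: scanned mail to the internal IMAP server

# /etc/postfix/main.cf          (the no-DMZ alternative: local delivery stays as it is,
#                                and postfix also sends a copy of each message elsewhere)
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

# /etc/postfix/recipient_bcc    (addresses are assumptions; run `postmap /etc/postfix/recipient_bcc` after editing)
wife@example.home    wife.work@gmail.com
```

Run `shorewall check` before `shorewall restart` to catch column mistakes; with the policy above, anything not listed in the rules file from the DMZ is rejected and logged, so a compromised DMZ host shows up in the firewall log when it tries to reach the LAN. The postfix `recipient_bcc_maps` lookup is keyed on the envelope recipient (Postfix 2.1 or later), and the copy is queued as a new message, so the local mailbox still receives the original regardless of whether the remote copy is accepted.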


