
Re: firewalling, imap, DMZ's etc.



Andrew Sackville-West wrote:
> On Tue, Oct 17, 2006 at 07:20:31PM -0700, Adam D wrote:
>> Andrew Sackville-West wrote:
>>> Hi list, I need some advice. My work situation has changed such that I
>>> now have to get out of my chair and climb out of my basement at
>>> frequent but irregular intervals. I live by email and need to connect
>>> to my email and possibly my desktop from multiple locations.
>>>
>>> 3. redo my smoothwall box into a debian machine as a
>>>    firewall/router/dhcp server/etc and put IMAP on that box. I could
>>>    lock down that box pretty well and get rid of all kinds of stuff
>>>    that I wouldn't need (like SSH as I'd never be sitting at that box
>>>    and need to SSH to another, for example, though I'd still need sshd
>>>    to get into the thing on occaision.)
>>
>> What comes to mind right off the bat would be to VPN into your network while you are away to access your files/mail.
> 
> VPN is totally foreign to me, I'll have to do some research. thanks
> for the suggestion.

No problem. ;)  What I can see is that it would be a great solution, but it may also depend on your firewall box processing the encryption.  (Is it a really old box or relatively newer?)  From what I have read a VPN should have a good processor, but I am not clear on the best processor speed and what is needed for one person to VPN while data is passing through from the LAN at the same time.  With the VPN you will not need to worry about logging into a firewall/router with unnecessary server functions as well.  I would look into the idea and maybe ask around what others use or recommend.  When it is time for us to implement it on our network here, I am leaning to the openswan ipsec and its utilities for both sides (server/client).  I do not have experience with that just yet. ;)  If your box can handle it, this is the route I would take and ALL your data would be encrypted no matter what network you will be logging in from.  Otherwise, if you're on a wifi or an untrusted network, people can sniff or read your mail/files.  You can then keep your box as a firewall, router, VPN, DHCP, DNSmasq and keep it simple and secure.

>> Otherwise the 3rd one is what I would do.  I have a similar setup with a box as my firewall/router (Debian stable/testing).  I have 4 separate networks that are attached to the box: LAN, wifi, DMZ, Internet/ISP.  I use shorewall and really love setting it up with special rules in the config files (very easy).  I have not yet set it up for port forwarding but it is done in the 'rules' config file.  I also have a separate mail server on the DMZ that fetches the mail, runs SpamAssassin and a virus scan, and sends it to an internal mail server using cyrus as the IMAP server.  Cyrus is a very good IMAP server with a lot of power but can be a bit much setting it up too.  I like what it offers but there are other good simple IMAP servers as well.

[snip]

> What about this? 
> 
> run an IMAP server on the firewall box, but leave the actual mail on
> my server inside the LAN? I suppose I could mount them maildirs as an
> nfs share. What I wonder are the security issues with that as well.
> That would mean I could lighten the load on my poor tired
> old firewall box. I suspect its neither here nor there, though my mail
> directories are getting pretty large. I'm running about .5 gig right
> now, but I've recently archived a bunch of stuff making it smaller
> than usual. 

I would really stay away from having anyone logging onto your firewall, including yourself.  That provides unnecessary ways in which the system can be compromised.  The more ports you open up, esp. for logging in, the more ports there are that can be compromised.  A good rule of thumb to follow...  From my best experience the firewall should be a standalone box or a commercial product that you pass through depending on your credentials, or are blocked at the front door.

If you do go the route of putting the IMAP on the firewall (not suggested), cyrus may be a good choice because it has a backend for the server and a front end for users using the mudclient on the frontend box (the one you will log into while away from your network).

Is your mail going to be kept on a standalone box on the LAN; is it shared with other services on a server, or is it kept on a box used by everyone, i.e. for surfing the web, etc.?


> thanks.

Any time...

-Adam
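The layout Adam describes (four shorewall zones, a mail relay in the DMZ feeding an internal IMAP box, nothing listening on the firewall itself except what the LAN needs, and an IPsec VPN for remote access) can be written down as a small set of shorewall files. This is an added, constructed example and not Adam's actual configuration; the zone names, the 192.0.2.10 / 10.0.0.5 addresses and the file layout (shorewall 3.x-style zones/policy/rules) are assumptions.

```text
# /etc/shorewall/zones  (constructed example, not from the thread)
#ZONE   TYPE
fw      firewall      # the firewall/router box itself
net     ipv4          # Internet/ISP interface
loc     ipv4          # wired LAN
wifi    ipv4          # wireless segment, treated as untrusted
dmz     ipv4          # mail relay lives here

# /etc/shorewall/policy
# Default stance: nothing reaches the firewall or crosses zones
# unless a rule below says so. Inbound from the Internet is DROPped
# and logged; everything else falls through to REJECT and is logged.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
wifi    net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION  SOURCE          DEST            PROTO  DEST PORT(S)
# Inbound mail is port-forwarded to the DMZ relay only; no Internet
# host can talk to the internal IMAP server or to the firewall.
DNAT     net             dmz:192.0.2.10  tcp    25
# The DMZ relay may deliver scanned mail to the internal mail box,
# and nothing else on the LAN is reachable from the DMZ.
ACCEPT   dmz:192.0.2.10  loc:10.0.0.5    tcp    25
# LAN and wifi clients use dnsmasq on the firewall for DNS.
ACCEPT   loc             fw              udp    53
ACCEPT   wifi            fw              udp    53
# Administrative SSH to the firewall is allowed from the wired LAN
# only; there is deliberately no ACCEPT from net or wifi to fw:22.
ACCEPT   loc             fw              tcp    22
# IPsec (e.g. openswan) terminated on the firewall: IKE on udp/500,
# NAT-traversal on udp/4500, and the ESP protocol itself. Remote
# users reach mail through the tunnel instead of an open IMAP port.
ACCEPT   net             fw              udp    500
ACCEPT   net             fw              udp    4500
ACCEPT   net             fw              esp
```

With this in place the only Internet-facing listeners are SMTP (forwarded to the DMZ) and the VPN; IMAP stays inside the LAN and is reached either locally or over the tunnel.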