Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

RE: basic linux hardware setup
From: Bruce Platt <Bruce () ei3corp com>
Date: Thu, 31 May 2001 08:11:32 -0400

You might want to think of an alternative:

Two network cards in the following set-up:

eth0: 61.12.109.2/24 (given that you seem to indicate a full 24 bit block of
addresses)
eth1: 10.0.0.1/24 (connected to your internal LAN).

DNS: If you are hosting your own or others dns zones, put the machine(s)
hosting those on your red net, else, if you are not doing any dns hosting,
just use your Linux FW box to proxy your internal LANs dns requests to the
outside for resolution.

WEBServers: Put these on the outside as well to serve traffic to the outside
world.  Set your Linux fw to proxy your Internal LAN web requests.

Mail:  I prefer keeping mail on the inside of the firewall, and proxying
inbound and outbound mail through the fw.  However, I can argue this point
either way.  I choose an internal SMTP server when I have one or two domains
worth of mail to handle and when I can deploy some sort of anti-virus
solution.  An external (red-net, outside the fw) server seems to pose the
risks of exposing usernames and passwords to the rest of the world when your
LAN people collect their mail.  (Unless you can deploy a secure, encrypted
system.)  The risk of an internal mail server which the outside world
communicated with via fw proxy is that someone can exploit your mail server
which is on your LAN.  Take care in choosing, setting-up, and maintaining
your mail server.

A lot of these decisions depend on the scale of what you are doing.  If, for
example, you are deploying a mail-hosting solution for many domains, none of
the users of which originate from your LAN, you might choose to keep the
mail servers outside the fw.  That's a decision based on how much traffic
you want your fw to be required to examine.

In many of these cases, it's a trade-off between what you let into your LAN
versus what you expose to the outside world.  With a well set-up and
maintained fw proxying traffic you can get close to the best of both.

Regards

-----Original Message-----
From: Stuart Clark [mailto:sclark () spacelink com au]
Sent: Wednesday, May 30, 2001 10:59 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] basic linux hardware setup


Hi,

Should i have two network cards in my linux firewall machine?
one which goes to the Cisco, which is connected to the outside world.
eg eth0 on firewall 61.12.109.2 255.255.255.254 CONNECTED TO Cisco
61.12.109.1 255.255.255.254

and the other network card going to my internal machines

eth1 on firewall 10.0.0.1 255.255.255.0 CONNECTED TO internal machines
(Will the change to private addressing effect DNS, Webservers, News, Mail?)

OR

can i use only one card in the firewall machine on the same subnet as all
the machines
eg eth0 - on firewall 61.12.109.2 255.255.255.0 CONNECTED TO cisco
61.12.109.1 255.255.255.0
mailserver 61.12.109.3 255.255.255.0  webserver 61.12.109.4 255.255.255.0
etc...

OR

should i use 2 cards in the firewall machine on the same subnet
eth0 - on firewall 61.12.109.2 255.255.255.0 CONNECTED TO Cisco 61.12.109.1
255.255.255.0
eth1 - on firewall 61.12.109.3 255.255.255.0 CONNECTED TO mailserver
61.12.109.3 255.255.255.0  webserver 61.12.109.4 255.255.255.0  etc...


Regards
Stuart Clark

-------------------------------------------------
"Nobody will ever need more than 640k RAM!"
                           -- Bill Gates, 1981
"Windows 95 needs at least 8 MB RAM."
                           -- Bill Gates, 1996
"Nobody will ever need Windows 95."
                           -- logical conclusion
-------------------------------------------------


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault