>> Hi
>>
>> I have a host in my DMZ that has both anonymous FTP and POP3 ports open
>> (this can't be changed). Since I really don't trust this setup, I was
>> thinking about ways to isolate this host so no one who breaks into this
>> computer can access other computers on the DMZ (although other
>> computers should be able to access it). One obvious solution is to
>> create a second DMZ, but that would cost me the loss of three IPs, so
>> I'm trying to figure out ways to isolate it without putting it in
>> another subnet.
>>
>> I thought about 2 solutions so far:
>> 1. Putting iptables on all the other computers in the DMZ.
>> 2. Connecting this host to another VLAN and setting this
>>    configuration on the switch (I have to see if that's even possible).
>>
>> Does anybody have another/better solution?
>>
>> thanx
>> --
>> Haim
>>
>
> If you're about to set up firewalling on all your hosts (and that's a
> good thing), do it also on the pop/ftp host :-). Run your services as
> non-root (maybe chroot, too) and NAT ports that are privileged so
> daemons can listen on them as non-root. This way, if anyone breaks in,
> they won't be root that easily and will hopefully find it much harder to
> break local firewall rules.

Do you mean that I should redirect all the incoming (e.g. port 110) requests to a port above 1024? That's a good idea.
>
> One other thing you might like to do is to add a firewall just for that
> host, in the DMZ. All traffic from/to your untrusted host should travel
> through that additional firewall, and you could set it up so it lets no
> (or nearly no) connection through from your untrusted host to others in
> the DMZ. Btw, you lose zero IPs, since your firewall can obviously NAT
> your host.
>
> If you cannot afford to use a dedicated host for firewalling, you might
> like to try UserModeLinux. Set up the firewall on the main box, and the services
> on another that runs in a virtual machine. This is probably not best
> since it forces you to reinstall many things and makes your conf
> non-too-standard.
>
> As a conclusion, traffic from the internet to that host should go through
> 2 firewalls.
> Traffic from that host to the DMZ should go through your additional
> firewall.
>
> Hope this is clear and helps,
>
> Vincent
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

I'm thinking about using qmail as the SMTP (only accessible from the mail relay server)/POP3 server (from what I've read this is very secure software). Any suggestions about what FTP server I should run (is proftpd secure enough)?

thanx
--
Haim
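Both replies ask for a local firewall on the exposed ftp/pop3 host, and Haim's question is whether the privileged ports should be redirected above 1024. The ruleset below, added here as an example and not posted by anyone in the thread, does both on that host: it REDIRECTs 110 and 21 to unprivileged ports so the daemons need not run as root to bind them, and it refuses new connections from the host into the rest of the DMZ while still letting the DMZ reach its services. The addresses, port numbers and passive FTP range are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed/constructed values:
# DMZ 192.0.2.0/24, mail relay 192.0.2.5, pop3d listening on 1110 and
# ftpd on 2121 as non-root, passive FTP data ports 50000-50100.
DMZ_NET=${DMZ_NET:-192.0.2.0/24}
MAIL_RELAY=${MAIL_RELAY:-192.0.2.5}
POP_HIGH=${POP_HIGH:-1110}
FTP_HIGH=${FTP_HIGH:-2121}
PASV_RANGE=${PASV_RANGE:-50000:50100}

# Print the ruleset in iptables-restore format (dry run; nothing is loaded).
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Clients keep using 110 and 21; the kernel rewrites the destination port
# to the unprivileged one each daemon binds, so neither needs root.
-A PREROUTING -p tcp --dport 110 -j REDIRECT --to-ports $POP_HIGH
-A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports $FTP_HIGH
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $POP_HIGH -j ACCEPT
-A INPUT -p tcp --dport $FTP_HIGH -j ACCEPT
-A INPUT -p tcp --dport $PASV_RANGE -j ACCEPT
# SMTP is reachable only from the relay, as the poster intends.
-A INPUT -p tcp -s $MAIL_RELAY --dport 25 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A compromised host must not open new sessions into the rest of the DMZ.
-A OUTPUT -d $DMZ_NET -m state --state NEW -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that stop new connections into the DMZ (sanity check).
count_dmz_drops() {
    build_rules | grep -c -- "-d $DMZ_NET -m state --state NEW -j DROP"
}
apply_rules() { build_rules | iptables-restore; }
case "${1:-show}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

Run without arguments to review the generated rules; `apply` loads them with iptables-restore, which replaces the existing nat and filter rules on the host.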