Hi

On Monday 31 March 2003 02:24, Paul Hampson wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> > > Working on running a SMTP server inside the firewall that takes
> > > incoming SMTP traffic from outside the firewall. The below rules are
> > > not working. The firewall refuses connections. Any input on what's
> > > wrong?
> >
> > If a remote exploit is found in the MTA running on your internal host (as
> > has just occurred with sendmail again), an attacker may be able to launch
> > a direct attack on this box. Depending on your overall security
> > structure they may then be able to attack any number of hosts behind your
> > firewall.
> >
> > Some of the alternatives aren't much better. Running an MTA on your
> > firewall is just as bad, as a remote exploit here may allow an attacker
> > access to root on the firewall, allowing the firewall to be
> > circumvented again.
> >
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better. This way you could still have your internal MTA being
> > port forwarded but restrict access through the firewall by source address,
> > such that only your MTA in the DMZ can access the port redirect. If you
> > can restrict access by way of network interface on the firewall[1] then
> > you're much much better off again as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into the DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?
I think so, it only depends how paranoid you are and how many levels of security you think you need. A lot of people could tell a lot of things against proxies, multiplexors, and talk about the virtues of a NATed environment...

Going back to the original thread, I think the problem should be in the forward rule of the internal interface; I can't see any rule like that in the rules, and if the default policy of the forward hook is DROP the packets will be rejected at this point. A forward rule allowing this traffic should permit incoming traffic to the internal SMTP server.

Best Regards
Victor

-- 
March: one of the worst months for dragging the world into absurd wars. The other months of the same kind are: January, February, April, May, June, July, August, September, October, November and December.
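The FORWARD rules Victor says are missing, written to follow Robert's advice (only the DMZ MTA, arriving on the DMZ interface, may reach the port-forwarded internal MTA), as an added example that is not part of the thread or of the original poster's rule set. Interface names and addresses are constructed placeholders; the script prints the commands by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. All interface names and addresses
# below are constructed placeholders; adjust them to the real topology.
DMZ_IF=eth1            # firewall interface facing the DMZ
INT_IF=eth2            # firewall interface facing the internal LAN
DMZ_MTA=192.0.2.10     # relay MTA in the DMZ
INT_MTA=10.0.0.25      # internal MTA that receives the forwarded SMTP
DRY_RUN=${DRY_RUN:-1}  # 1 = print the rules, 0 = apply them with iptables

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

smtp_forward_rules() {
    # With a DROP policy on FORWARD, the DNAT in nat/PREROUTING is not
    # enough: the rewritten packet still has to be accepted in
    # filter/FORWARD, which is the rule the original poster is missing.
    run -P FORWARD DROP

    # Port forward: only connections from the DMZ MTA that arrive on the
    # DMZ interface are redirected to the internal MTA.
    run -t nat -A PREROUTING -i "$DMZ_IF" -s "$DMZ_MTA" \
        -p tcp --dport 25 -j DNAT --to-destination "$INT_MTA:25"

    # Forward the DNATed connection. Matching on both -i and -s means a
    # packet on the external interface that spoofs the DMZ MTA's address
    # does not match and falls through to the DROP policy.
    run -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_MTA" -d "$INT_MTA" \
        -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Replies from the internal MTA back to the DMZ MTA only.
    run -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_MTA" -d "$DMZ_MTA" \
        -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
}

smtp_forward_rules
```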