Hi, I have a host in my DMZ that has both anonymous FTP and POP3 ports open (this can't be changed). Since I really don't trust this setup, I was thinking about ways to isolate this host so that no one who breaks into this computer can access other computers on the DMZ (although the other computers should be able to access it). One obvious solution is to create a second DMZ, but that would cost me the loss of three IPs, so I'm trying to figure out ways to isolate it without putting it in another subnet.
I have thought about 2 solutions so far:
1. Putting iptables on all the other computers in the DMZ.
2. Connecting this host to another VLAN and setting this configuration on the switch (I have to see if that's even possible).
Does anybody have another/better solution? thanx -- Haim
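As an added example of the first option (this is not code from Haim's post), a stateful iptables ruleset to load on each of the other DMZ hosts: they may open connections to the isolated box and get the replies, but nothing the isolated box initiates gets in. The untrusted host's address 192.0.2.10 is a constructed placeholder, and loading the output with iptables-restore replaces the host's filter table.

```shell
#!/bin/sh
# Added example. UNTRUSTED_HOST is a constructed placeholder address for the
# isolated FTP/POP3 box; run this on every OTHER host in the DMZ.
UNTRUSTED_HOST="${UNTRUSTED_HOST:-192.0.2.10}"

# Emit an iptables-restore ruleset for the filter table.
# Policy: this host may initiate connections to the untrusted host and
# receive the replies; the untrusted host may not initiate anything to us.
gen_isolation_rules() {
    host="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections we opened (FTP control, POP3) are allowed.
# Active-mode FTP data connections only match RELATED if the
# nf_conntrack_ftp helper is loaded on this host.
-A INPUT -s ${host} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else from the isolated box is logged (rate limited) and dropped,
# so a compromise there shows up in this host's logs.
-A INPUT -s ${host} -m limit --limit 5/min -j LOG --log-prefix "DMZ-ISOLATE: "
-A INPUT -s ${host} -j DROP
COMMIT
EOF
}

# Install the ruleset atomically (needs root). Note: this replaces the
# whole filter table; merge with existing rules if the host has any.
apply_isolation_rules() {
    gen_isolation_rules "$1" | iptables-restore
}

# Stand-alone run: print the rules, or install them with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_isolation_rules "$UNTRUSTED_HOST"
else
    gen_isolation_rules "$UNTRUSTED_HOST"
fi
```

Because only INPUT is filtered and the OUTPUT policy stays ACCEPT, the other DMZ hosts keep full access to the isolated box, which is the asymmetry the question asks for.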