On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> Working on running an SMTP server inside the firewall that takes incoming
> SMTP traffic from outside the firewall. The below rules are not
> working. The firewall refuses connections. Any input on what's wrong?
There has been quite a bit of discussion on the mechanics of setting up the port redirection to a box inside your firewall. I'd like to mention the potential folly of doing this.

By doing a port redirect from port 25 on your firewall to port 25 on a box inside you are effectively exposing the internal host to the Internet on this port, circumventing your firewall. If a remote exploit is found in the MTA running on your internal host (as has just occurred with sendmail again), an attacker may be able to launch a direct attack on this box. Depending on your overall security structure they may then be able to attack any number of hosts behind your firewall.

Some of the alternatives aren't much better. Running an MTA on your firewall is just as bad, as a remote exploit here may allow an attacker access to root on the firewall, allowing the firewall to be circumvented again.

If you have more than 1 static address, an MTA running in a DMZ is definitely better. This way you could still have your internal MTA being port forwarded, but restrict access through the firewall by source address, such that only your MTA in the DMZ can access the port redirect. If you can restrict access by way of network interface on the firewall[1] then you're much much better off again, as this protects against a spoof.

[1] If you use the "3 legged firewall" setup, it is possible to distinguish DMZ traffic from other traffic based on which interface it is entering the firewall.

This all presupposes you have been allocated a subnet of static addresses by your ISP. If this is for a home setup you may not be able to do much about the security aspect, or it may not be worth it to set up a DMZ (this is perfectly valid, it's all about risk assessment), but it's always worth considering the alternatives.

Cheers,

Rob

-- 
Robert Brockway B.Sc.
email: [EMAIL PROTECTED]
ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
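The "3 legged firewall" design from the reply above, written out as an iptables rule set. This is an added example and not part of the original thread or any firewall script posted there; the interface names (eth0/eth1/eth2), the TEST-NET and RFC 1918 addresses, and the firewall's DMZ-leg address are all assumptions. The only host exposed to the Internet on port 25 is the DMZ relay; the redirect to the internal MTA is matched on both the DMZ source address and the DMZ ingress interface, and anti-spoofing drops on the external interface are what make the interface match protect against a forged DMZ source. `IPT` defaults to a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example: port 25 handling on a three-legged firewall.
# All names and addresses below are assumptions, not values from the thread.
EXT_IF=eth0                 # Internet-facing leg
DMZ_IF=eth1                 # DMZ leg
INT_IF=eth2                 # internal LAN leg
PUBLIC_MTA=203.0.113.25     # static public address published in the MX record
DMZ_MTA=192.0.2.25          # relay MTA living in the DMZ
DMZ_NET=192.0.2.0/24
FW_DMZ_IP=192.0.2.1         # firewall's own address on the DMZ leg
INT_MTA=10.0.0.25           # internal MTA the DMZ relay delivers to
INT_NET=10.0.0.0/24

# Dry run by default: set IPT=/sbin/iptables to actually load the rules.
IPT="${IPT:-echo iptables}"

mta_rules() {
    # Default deny for forwarded traffic; everything below is an exception.
    $IPT -P FORWARD DROP

    # 1. Anti-spoofing. A packet arriving on the Internet leg must never carry a
    #    DMZ or internal source address. Without this, an outsider could forge
    #    $DMZ_MTA as source and satisfy a source-address-only match further down.
    $IPT -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # 2. Reply traffic for connections already accepted on either hop.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Internet -> DMZ relay. This is the only port 25 service exposed outside.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_MTA" -p tcp --dport 25 \
        -j DNAT --to-destination "$DMZ_MTA:25"
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_MTA" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT

    # 4. DMZ relay -> internal MTA. The relay delivers to the firewall's DMZ-leg
    #    address; the redirect fires only when the packet both comes from the DMZ
    #    relay's address AND entered on the DMZ interface, so a spoofed source on
    #    any other leg can never reach the internal box through this redirect.
    $IPT -t nat -A PREROUTING -i "$DMZ_IF" -s "$DMZ_MTA" -d "$FW_DMZ_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$INT_MTA:25"
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_MTA" -d "$INT_MTA" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # 5. Belt and braces: no other path to the internal MTA on port 25.
    $IPT -A FORWARD -d "$INT_MTA" -p tcp --dport 25 -j DROP
}

mta_rules
```

Run it as-is to review the generated rules, then with `IPT=/sbin/iptables sh script.sh` on the firewall. The home-setup case Rob mentions (one public address, no DMZ) cannot use step 4 as written; its only port 25 rule would be a direct redirect to the internal MTA, which is exactly the exposure the reply warns about.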