ktb wrote:

> > A related question:  Can I have a box serve both as a server (DNS, mail,
> > proxy, web, ...) for the local network _and_ as a firewall for the local
> > network at the same time?
> >
> > [snipped]
>
> Whatever services you run you need a port open so the "outside" can
> access it.  In other words if you want to run a web server you must have
> say, port 80 open.  I use openbsd for a firewall using NAT.  From what
> little I have read the new firewall stuff in 2.4 works similar.
> "Stateful" is a great thing.  You can set up a default rule to block all
> incoming and another to allow any communication from the outside, if you
> initiate it.
> 
> What I would do if I were you is set up a three legged network (three
> network cards in your firewall).  One card connecting to the outside,
> one connecting to a server (dmz) and one to your internal network
> (workstation).  Set up your firewall with a default 'deny all' from the
> outside.  Then set up rules to let in just the services you want to
> offer such as a web server, dns server, etc.  Have these services
> redirected by your firewall to your server.  You could leave port 22
> open on your firewall for ssh.  So you would have one port open on your
> firewall and all other services redirected to your server and still be
> able to send and receive mail, surf the web etc.  I think that is pretty
> close to what you want.

Not really, I think you have misunderstood me a little.  I probably
haven't made myself clear enough.

The server will only serve the local network.  That is, the web server
should not be seen to the outside, as well as the DNS and the mail.  So
I actually want to deny any connection that is made from the outside,
except SSH and communication, that I've initiated.  Thus, the
statefulness of netfilter will probably help.  However, for the
firewall, the internal server is just another peer on the local net, it
should not care about requests made to any port on the server made from
the inside.  It should block all access to the server to the outside,
but that is easily done by NATing the local net and denying any traffic
at all.

My question is, whether I really need two machines for this scenario, or
whether one machine will do it, by blocking any and all
outside-initiated traffic on the interface that is connected to the
outside (except for SSH) and not bothering what's going on on the
interface connected to the local net.

Thanks,
Viktor
-- 
Viktor Rosenfeld
WWW: http://www.informatik.hu-berlin.de/~rosenfel/
Geek Code (3.1):
  GCS/SS d-@ s+: a20 C++@ UL++$ P+ L+++ E--- W++ N++ o? K? !W O? M? V?
  PS++@ PE+(-) Y+ P?(+++) t+ 5+ X- R? !tv b+ DI+ D- G e>+++ h-- r- !y+
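The single-box scenario from the message above, written out as a netfilter ruleset for a 2.4-era kernel. This is an added example, not configuration from Viktor or from ktb's reply; it assumes the outside interface is eth0, the LAN interface is eth1, and the LAN uses 192.168.1.0/24 (all hypothetical, override them via the environment). The policy is: drop everything arriving on the outside interface unless it is a reply to a connection the box (or a masqueraded LAN host) initiated or a new SSH connection; accept everything on the LAN interface unconditionally, so the local web, DNS and mail services stay reachable from inside without any per-service rules; masquerade the LAN behind the outside address. The script only prints the commands unless run as `apply`, so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Assumed interface names and LAN range (hypothetical; adjust to the box).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as plain iptables commands without executing them.
# The heredoc is unquoted on purpose so the variables above are expanded.
firewall_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default deny for anything addressed to the box or routed through it;
# outbound traffic from the box itself is allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# The LAN side is trusted: local clients reach every service on the box.
iptables -A INPUT -i $INT_IF -j ACCEPT
# Anti-spoofing: LAN source addresses never legitimately arrive from outside.
iptables -A INPUT -i $EXT_IF -s $LAN_NET -j DROP
# Stateful part: replies to connections the box initiated are let back in.
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# The one service exposed to the outside: SSH.
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Everything else from outside falls through to the DROP policy; log it
# (rate limited) so probes show up in syslog without flooding it.
iptables -A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "ext-drop: "
# Routed traffic: LAN hosts may go out, only their replies may come back in.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hide the LAN behind the outside address.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Review helper: how many rules accept a NEW connection on the outside
# interface?  For this policy the answer must be exactly one (SSH).
ext_new_accept_count() {
    firewall_rules | grep -- "-A INPUT -i $EXT_IF" | grep -v ESTABLISHED | grep -c ACCEPT
}

case "${1:-show}" in
    apply) firewall_rules | sh ;;   # needs root
    *)     firewall_rules ;;
esac
```

Run it without arguments to print the rules, and as `./fw.sh apply` (as root) to load them. The LAN interface rule is what answers the "does the firewall care about the server's ports" part: because `INPUT -i eth1` accepts unconditionally, adding or removing services on the box never requires a firewall change, and because the INPUT policy is DROP, none of those services are reachable on eth0.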

