On Tue, Jan 30, 2001 at 11:19:51PM +0100, Viktor Rosenfeld wrote:
> ktb wrote:
>
> > > A related question: Can I have a box serve both as a server (DNS, mail,
> > > proxy, web, ...) for the local network _and_ as a firewall for the local
> > > network at the same time?
> > >
> > > [snipped]
> >
> > Whatever services you run you need a port open so the "outside" can
> > access it. In other words if you want to run a web server you must have,
> > say, port 80 open. I use OpenBSD for a firewall using NAT. From what
> > little I have read the new firewall stuff in 2.4 works similarly.
> > "Stateful" is a great thing. You can set up a default rule to block all
> > incoming and another to allow any communication from the outside, if you
> > initiate it.
> >
> > What I would do if I were you is set up a three-legged network (three
> > network cards in your firewall). One card connecting to the outside,
> > one connecting to a server (dmz) and one to your internal network
> > (workstation). Set up your firewall with a default 'deny all' from the
> > outside. Then set up rules to let in just the services you want to
> > offer such as a web server, dns server, etc. Have these services
> > redirected by your firewall to your server. You could leave port 22
> > open on your firewall for ssh. So you would have one port open on your
> > firewall and all other services redirected to your server and still be
> > able to send and receive mail, surf the web, etc. I think that is pretty
> > close to what you want.
>
> Not really, I think you have misunderstood me a little. I probably
> haven't made myself clear enough.
>
> The server will only serve the local network. That is, the web server
> should not be seen to the outside, as well as the DNS and the mail. So
> I actually want to deny any connection that is made from the outside,
> except SSH and communication that I've initiated. Thus, the
> statefulness of netfilter will probably help. However, for the
> firewall, the internal server is just another peer on the local net, it
> should not care about requests made to any port on the server made from
> the inside. It should block all access to the server to the outside,
> but that is easily done by NATing the local net and denying any traffic
> at all.
>
> My question is whether I really need two machines for this scenario, or
> whether one machine will do it, by blocking any and all
> outside-initiated traffic on the interface that is connected to the
> outside (except for SSH) and not bothering what's going on on the
> interface connected to the local net.
>

It will work. I guess it depends on how intensive the machine is going
to be worked, what the specs of the computer are, etc.

kent
--
I'd really love ta wana help ya Flanders but...
Homer Simpson
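The single-box setup the thread arrives at (default deny on the outside interface, SSH the one exception, replies to connections initiated from inside let back in by state tracking, the local net NATed, the inside interface left unfiltered), as an added example that is not part of the original mail. Interface names and the local net prefix are assumptions; the syntax is 2.4-era iptables in iptables-restore format so the policy can be reviewed offline.

```shell
# Added example, not from the thread: one box that is both the LAN's server
# and its firewall, as Viktor asks about. Interface names and the LAN prefix
# are assumptions; kernel 2.4 iptables syntax.
EXT_IF="eth0"              # assumption: interface facing the outside
LAN_IF="eth1"              # assumption: interface facing the local net
LAN_NET="192.168.1.0/24"   # assumption: the local net (RFC 1918 space)

# Emit the policy in iptables-restore(8) format so it can be reviewed offline;
# as root, "ruleset | iptables-restore" would load it into the kernel.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the local net behind the firewall's outside address.
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
# Default deny for everything addressed to, or routed through, the box.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets on the outside link that claim to come from the local net.
-A INPUT -i $EXT_IF -s $LAN_NET -j DROP
-A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
# The inside is not filtered: the LAN may reach any service on the server.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
# Statefulness: only replies to connections we or the LAN initiated get in.
-A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The single exception: SSH to the firewall itself from the outside.
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The LAN may open connections outward; anything else hits the DROP policy.
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Default policy of a filter chain, e.g. default_policy INPUT -> DROP.
default_policy() {
    ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p" | head -n 1
}

# Rules that let NEW connections in from the outside: should be exactly one.
new_from_outside() {
    ruleset | grep -c -e "-A INPUT -i $EXT_IF .*--state NEW .*-j ACCEPT"
}
```

Running `new_from_outside` against the emitted policy is a cheap regression check that no second inbound exception has crept in beside SSH.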