On Wed, 2 Aug 2000, fredy wrote:
> The problem is that I have other servers like an FTP server and a mail
> server + a pcanywhere workstation which I want to protect, they all have
> real IPs 'cause they are accessed from the internet worldwide, they do not

ahh. then say you need a DMZ!

in such cases I usually let the machines protect themselves. stick them
on the same LAN, give them each an ipchains script opening only the
ports you absolutely can't do without and there you go. any other config
will take a reconfig of the router, which like I said, your ISP may not
be able to provide for lack of knowledge, and if the machines inside the
DMZ don't have their own packet filters anyway, they may be a danger to
one another (especially if they trust each other too much), so crack one
and you crack them all. with packet filters on each they are each their
own firewall, and your main one is no longer a single point of failure
either.

of course I'm sure not the entire list will agree with me, but that's how
I would have done it :)
--
Ira Abramov, GNU/Linux advocate.
(@-
//\ "Akamai, Google, MicroSoft, Sun, Oracle, Intel, NASA, Sony,
v_/_ Python, JPG, PNG - CS masturbation is changing the world."
-- C.S. explaining her views on masturbation to Linus, 3/7/2000
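
A per-host script of the kind described in the reply above, as an added example that is not part of the original message: it prints a default-deny ipchains input policy for one DMZ machine so the rules can be reviewed before they are installed. The function names, role names, role-to-port mapping (21, 25, 5631/5632) and the 192.0.2.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit a default-deny ipchains input policy for one DMZ host.
# Roles, ports and addresses are assumptions, not taken from the thread.

# Map a role to the "proto:port" pairs that host must expose.
role_ports() {
    case "$1" in
        ftp)        echo "tcp:21" ;;             # control channel only
        mail)       echo "tcp:25" ;;             # SMTP
        pcanywhere) echo "tcp:5631 udp:5632" ;;  # pcAnywhere data / status
        *)          return 1 ;;
    esac
}

# Print the ipchains commands for host IP in the given role.
# Nothing is executed here; an unknown role fails instead of
# emitting a half-built ruleset.
host_rules() {
    role=$1
    ip=$2
    ports=$(role_ports "$role") || { echo "unknown role: $role" >&2; return 1; }

    # Set the DENY policy before flushing so there is no open window.
    echo "ipchains -P input DENY"
    echo "ipchains -F input"
    echo "ipchains -A input -i lo -j ACCEPT"
    # ipchains is stateless: replies to this host's own outbound TCP
    # connections are let back in by accepting non-SYN segments only.
    # UDP replies (DNS, for instance) are not covered by this rule.
    echo "ipchains -A input -p tcp -d $ip ! -y -j ACCEPT"
    for pp in $ports; do
        proto=${pp%%:*}
        port=${pp##*:}
        echo "ipchains -A input -p $proto -d $ip $port -j ACCEPT"
    done
    # Log whatever falls through before it is dropped.
    echo "ipchains -A input -l -j DENY"
}

# Constructed sample hosts; run as "sh script.sh demo" to print all three.
if [ "${1:-}" = "demo" ]; then
    host_rules ftp 192.0.2.10
    host_rules mail 192.0.2.11
    host_rules pcanywhere 192.0.2.12
fi
```

The FTP role opens only the control port; passive-mode data connections would need an additional port range that this sketch does not choose.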