On 09/02/2012 10:04 AM, BC wrote:
>
> On 9/2/2012 8:44 AM, [email protected] wrote:
>> That's how I started as well. :)
>>
>> You might want to consider putting an IPCop (or other suitable firewall)
>> host on your perimeter. I think it's the next logical step for your
>> situation.
>
> Whew, good to know I'm on track.
>
> Running "pf" here, which is one of the common firewalls for FreeBSD.
>
That would be my 2nd choice, although I don't think the differences were very substantial, and I haven't compared them recently.

Here's the thing. Your mail server should be on the DMZ subnet (I'm not sure of PF's terminology). That subnet has no access to dhcp or resolvers, for security reasons. I suppose you could punch a pinhole for DNS requests, but that sort of defeats the purpose.

Since all hosts in the DMZ should use a resolver/recursor which is not on the (trusted) LAN, they can a) use their own, b) use a common one on the DMZ subnet (but preferably *not* an authoritative DNS host), or c) use one provided by an ISP or other service (OpenDNS and Google provide several free ones). The options are in order of efficiency, and probably preference as well for most cases.

--
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
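A pf ruleset sketch of the DMZ layout Eric describes, as an added example that is not from the thread or the spamdyke project: the mail host sits in its own DMZ subnet, can reach external recursors (option c, using Google's public resolvers since the thread names them) and deliver mail, but can never initiate traffic into the trusted LAN, so LAN resolvers and DHCP are simply out of reach. Interface names, subnets and the mail host address are assumptions.

```pf
# /etc/pf.conf fragment (added example). Interface names, subnets and the
# mail host address are assumptions; adjust them to the real topology.
ext_if = "em0"
lan_if = "em1"
dmz_if = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
mailhost = "192.168.2.10"
# Option (c) from the thread: public recursors outside the trusted LAN
dmz_resolvers = "{ 8.8.8.8, 8.8.4.4 }"

set skip on lo
scrub in all

# Default deny, logged, so anything not explicitly allowed shows up in pflog
block log all

# DMZ hosts never initiate anything toward the trusted LAN. "quick" makes this
# final, so no later pass rule can accidentally open LAN DNS (53) or DHCP (67)
# to the DMZ. DMZ hosts use static addresses, so they need no DHCP at all.
block in quick on $dmz_if from $dmz_net to $lan_net

# DNS: the DMZ may talk only to the designated external recursors
pass in on $dmz_if proto { tcp, udp } from $dmz_net to $dmz_resolvers port 53

# Mail host: inbound SMTP from the Internet, outbound SMTP delivery
# (assumes the mail host is directly routable; behind NAT add an rdr rule)
pass in on $ext_if proto tcp from any to $mailhost port 25
pass in on $dmz_if proto tcp from $mailhost to any port 25

# Trusted LAN may reach the mail host for submission and IMAPS, nothing else
# in the DMZ; the state created here lets the reply traffic back through
pass in on $lan_if proto tcp from $lan_net to $mailhost port { 587, 993 }

# Trusted LAN clients may go out to the Internet, but not into the DMZ
pass in on $lan_if from $lan_net to ! $dmz_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` for blocked DMZ-to-LAN attempts on port 53 or 67 to confirm the isolation holds.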
