On Mon, 31 Mar 2003 10:24:15 +1000 Paul Hampson <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
[snip]
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better. This way you could still have your internal MTA
> > being port forwarded but restrict access through the firewall by
> > source address, such that only your MTA in the DMZ can access the
> > port redirect. If you can restrict access by way of network
> > interface on the firewall[1] then you're much much better off again
> > as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

The truly paranoid run differing MTAs on the DMZ and internal networks;
hopefully there aren't two zero-day exploits. Even on a single IP (most
users) you can always use UML virtual servers. Port-forward onto a
separate subnet and do not trust other traffic on that subnet. Defence
in depth, and all that.

Or just keep on top of the latest patches/updates and run small sites
with low bandwidth...

Thomas
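The firewall arrangement discussed in the thread (public SMTP redirected to the DMZ MTA, the internal MTA's port reachable only from the DMZ MTA's address and only via the DMZ interface, so a spoofed source address from outside is dropped) written out as iptables rules. This is an added example, not code from anyone in the thread; the interface names and addresses are assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout:
#   eth0 = external interface, 203.0.113.10 = the public address
#   eth1 = DMZ interface,      192.0.2.25   = the DMZ MTA
#   eth2 = internal interface, 10.0.0.25    = the internal MTA
# IPT defaults to "echo" so the script only prints the rules;
# run with IPT=iptables to actually load them.
IPT="${IPT:-echo}"
EXT_IF=eth0; EXT_IP=203.0.113.10
DMZ_IF=eth1; DMZ_MTA=192.0.2.25
INT_IF=eth2; INT_MTA=10.0.0.25

mta_forward_rules() {
    # 1. Public SMTP lands on the DMZ MTA, the only MTA the Internet sees.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$DMZ_MTA:25"
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_MTA" -p tcp --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # 2. Anti-spoof: a packet carrying the DMZ MTA's source address may
    #    only arrive on the DMZ interface; drop it on any other interface.
    $IPT -A FORWARD ! -i "$DMZ_IF" -s "$DMZ_MTA" -j DROP
    $IPT -A INPUT ! -i "$DMZ_IF" -s "$DMZ_MTA" -j DROP

    # 3. Only the DMZ MTA, arriving on the DMZ interface, may open SMTP
    #    to the internal MTA; any other attempt at that port is dropped.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_MTA" \
        -d "$INT_MTA" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -o "$INT_IF" -d "$INT_MTA" -p tcp --dport 25 -j DROP

    # Reply traffic for both SMTP hops (source port 25, so rule 3's DROP
    # does not match it).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

mta_forward_rules
```

Rule 2 is what the quoted "[1]" interface restriction buys: even with one public IP, a packet from outside forging the DMZ MTA's address never matches rule 3 because it did not enter on eth1.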