> OK, but how does the network setup look on the webserver?  I envisioned
> something like:
>
> IP=192.168.1.100
> Mask=255.255.255.0
> GW=192.168.1.2 (eth2 on LEAF box)
> How would SMTP know to forward to the ISA server?
>
> I guess I could point the SMTP server on the protected box to point to the
> external interface of the ISA server, who would be listening for SMTP
> traffic from that IP. {guess I just answered my own question}
>
> BTW, ISA = Microsoft Internet Security & Acceleration Server 2000
>
> If I set up the LEAF server as a more typical setup with a different subnet
> for the DMZ, the default rules would not allow communication to the
> protected network (eth1 internal) right?  Internal could initiate
> communications with the DMZ, but not vice versa, correct?  That was what I
> was going to do initially, but was pretty sure it would fail.  If this is a
> better way, perhaps I could craft some rules that said essentially, the only
> traffic that could be routed to the internal network is SMTP traffic and ISA
> message filter DCOM traffic.

This all makes sense, until I get to the end, where you indicate you want to
push SMTP (and other) traffic to your internal net.  The whole point of
having a screened subnet or DMZ is to keep public servers *OUT* of your
internal net.  It's almost always possible to restructure a network that
requires inbound connections so that inbound connections are only permitted
on the DMZ.

> Back to the screened subnet, all on the same subnet as first described.  So
> any inbound comm allowed would head to the internal network, and then be
> forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP, etc.)
> The second firewall (ISA) would then decide whether or not to allow inbound
> to the real internal network.  For example, I also want to set up a VPN
> eventually.  The access would be allowed/denied from the ISA server who
> would have access to Active Directory domain info.  Again, all forwarding
> could be accomplished by rules at the LEAF box.
>
> Does that sound like I am on the right track?

It's really hard to tell...it sounds like you're running an e-mail server
BEHIND the ISA, on your internal net.  If so, this is a *REALLY BAD IDEA*,
and pretty much defeats the whole purpose of a screened subnet architecture.
Your comments about VPN, however, are correct...you could easily set up the
ISA to be a VPN gateway for the "real" internal subnet.  BTW:  What you
refer to as "internal network" above (the network between the Dachstein box
and the ISA) should be called the "screened subnet", although you'll still
have to use the INTERN_* variables in network.conf to configure it :-/

If you don't have a copy already, pick up O'Reilly's "Building Internet
Firewalls" and take a look at chapter 6, "Firewall Architectures".  It's an
excellent resource when trying to design "safe" network architectures, and
includes excellent (and very readable) descriptions of architectures that
"work", and architectures to avoid (often for subtle, non-obvious reasons).

If you want general advice from the list, you're going to have to provide a
lot more detail about exactly what you're trying to accomplish...I've tried
to make what comments I could, but it's hard trying to read between the
lines and figure out what services you're running where...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
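The screened-subnet policy the reply argues for, as an added example that is not part of the original thread and not LEAF/Dachstein or ISA code: a small Python model of first-match packet-filter evaluation with a default-deny, plus an audit that flags any ACCEPT rule letting hosts outside the internal net initiate connections into it (the "mail server behind the ISA" pattern). The screened-subnet addressing (192.168.1.0/24, webserver 192.168.1.100) comes from the quoted message; the internal subnet 10.0.0.0/24, the test address 203.0.113.7 and the rule engine itself are constructed for the example. Only connection-initiating packets are modelled; reply packets of established connections are assumed to be handled separately (on ipchains-era kernels, by rules matching non-SYN packets).

```python
"""Model of a screened-subnet packet-filter policy (hypothetical example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Screened subnet addressing from the quoted message; the internal net
# behind the second firewall (ISA) is a constructed placeholder.
ANY = ip_network("0.0.0.0/0")
SCREENED = ip_network("192.168.1.0/24")
WEBSERVER = ip_network("192.168.1.100/32")   # public web/SMTP host on the DMZ
INTERNAL = ip_network("10.0.0.0/24")         # constructed "real" internal net


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "ACCEPT" or "DENY"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched packet is denied (default-deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return "DENY"


def audit(rules: List[Rule]) -> List[Rule]:
    """Return ACCEPT rules whose source is not the internal net but whose
    destination can reach it: inbound connections into the internal net,
    which a screened-subnet design is supposed to forbid."""
    return [r for r in rules
            if r.action == "ACCEPT"
            and r.dst.overlaps(INTERNAL)
            and not r.src.subnet_of(INTERNAL)]


# Policy matching the reply: inbound from anywhere only to the DMZ host,
# internal may initiate outward, nothing initiates into the internal net.
GOOD_POLICY = [
    Rule(ANY, WEBSERVER, 25, "ACCEPT"),      # SMTP to the relay on the DMZ
    Rule(ANY, WEBSERVER, 80, "ACCEPT"),      # HTTP to the web server on the DMZ
    Rule(INTERNAL, ANY, None, "ACCEPT"),     # internal hosts may initiate anywhere
    Rule(SCREENED, INTERNAL, None, "DENY"),  # DMZ never initiates into internal
    Rule(ANY, INTERNAL, None, "DENY"),       # nor does the Internet
]

# The variant the reply warns against: an SMTP server on the internal net
# (constructed address) reachable from the outside.
BAD_RULE = Rule(ANY, ip_network("10.0.0.25/32"), 25, "ACCEPT")
BAD_POLICY = GOOD_POLICY[:2] + [BAD_RULE] + GOOD_POLICY[2:]


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "192.168.1.100", 25),
                           ("10.0.0.5", "192.168.1.100", 25),
                           ("192.168.1.100", "10.0.0.5", 25),
                           ("203.0.113.7", "10.0.0.5", 25)]:
        print(f"{src} -> {dst}:{port}: {evaluate(GOOD_POLICY, src, dst, port)}")
    print("audit(GOOD_POLICY):", audit(GOOD_POLICY))
    print("audit(BAD_POLICY): ", audit(BAD_POLICY))
```

In a real deployment the two halves of this policy live on different boxes: the LEAF/Dachstein router filters between the Internet and the screened subnet, and the ISA box filters between the screened subnet and the internal net; the single rule list above just makes the zone-to-zone intent easy to check in one place.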
