Tom Eastep wrote:
> --On Saturday, January 11, 2003 05:21:22 PM -0800 Craig Caughlin <[EMAIL PROTECTED]> wrote:
>
>> Hi folks! I have carefully read Tom's Shorewall guide, but have a couple of questions. First, when you set up a DMZ with Bering / Shorewall, are boxes within the DMZ "completely unprotected" in that they have no ipchains rules, etc. that "protect" them (even if to only a small degree)...or are boxes in the DMZ pretty much completely open to attack?

I believe you have been pointed to some good documentation to answer your question. One thing I have done in practice is to use double protection. I use a DMZ to shield public and private parts of a network using the firewall. The DMZ can route traffic to a particular server. Since I use Red Hat Linux quite a bit, I also use the Red Hat firewall on individual machines in the DMZ. For example, if the server's sole purpose is to be a Secure Shell server, then I only allow that port open on that server in the DMZ. It helps protect you should you make a mistake elsewhere.

I learned how important this is from reading defacements on attrition.org and alldas.de. I am not even sure if the defacement archives are around anymore. What caught my eye was the number of servers that were compromised because, say, samba, mysql or some other less secure service was available on the machine to the hostile Internet. Here's an example of what I am talking about, as far as using a firewall on the server: http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/ch-basic-firewall.html. You can use this technique with other distributions, firewalls, or other operating systems too.

I hope this idea helps. Do what makes your level of paranoia feel comfortable. ;-)

Greg Morgan
> Please CAREFULLY read the material referenced below -- this question is answered.
>
>> Second, I noticed that Tom has made a three-interfaces.tgz file that (apparently) has all of the necessary files / modifications within it. Is that really all I need to do to set up a basic DMZ? I.e., copy the files within the .tgz package over to Bering and backup...that sort of thing? Thank you, have a great weekend!
>
> Craig,
>
> For a basic DMZ setup, you should be looking at http://www.shorewall.net/three-interface.htm.
>
> The Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm) is for users with multiple public IP addresses or those who really want to understand what's going on and who don't want to use the sample configurations.
>
> This is hopefully made clear at http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> -Tom
>
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.sf.net
> Washington USA \ [EMAIL PROTECTED]
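Greg's suggestion above (a host firewall on each DMZ box that opens only the port the box exists to serve, so a forgotten samba or mysql listener is not reachable even if the DMZ rules are wrong) can be checked mechanically. The following is an added example, not code from this thread or from the Shorewall or Red Hat projects. It assumes the DMZ host uses iptables rather than the ipchains mentioned in the question, so that the firewall can be read and written in iptables-save / iptables-restore text form; the ruleset it audits is constructed for illustration and shows an SSH-only box that also exposes 139, 445 and 3306.

```python
"""Audit and generate a host-based firewall for a single-purpose DMZ server.

Added example (not from the leaf-user thread). Assumes the host runs
iptables, so rules are read and written in iptables-save/iptables-restore
text format. SAMPLE_RULESET is constructed for illustration.
"""
import re

# Constructed sample: a DMZ box meant to be an SSH server whose firewall
# also lets in Samba (139/445) and MySQL (3306), the situation Greg warns about.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" lines set the default policy of a chain.
POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\s")
# INPUT rules that accept a TCP/UDP destination port.
ACCEPT_RE = re.compile(r"^-A INPUT\s.*?-p (tcp|udp)\b.*?--dport (\d+)\b.*?-j ACCEPT")


def parse_ruleset(text):
    """Return (policies, accepted): chain -> default policy, and the set of
    (proto, port) pairs the INPUT chain explicitly opens."""
    policies = {}
    accepted = set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepted.add((m.group(1), int(m.group(2))))
    return policies, accepted


def audit(text, intended):
    """Compare a ruleset with the services the host is supposed to offer.
    Returns a list of findings; an empty list means the firewall matches."""
    policies, accepted = parse_ruleset(text)
    intended = set(intended)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % policies.get("INPUT"))
    for proto, port in sorted(accepted - intended):
        findings.append("unexpected open port %s/%d" % (proto, port))
    for proto, port in sorted(intended - accepted):
        findings.append("intended service %s/%d is not allowed" % (proto, port))
    return findings


def generate_ruleset(intended):
    """Emit an iptables-restore ruleset allowing only the intended services
    inbound: loopback, replies to the host's own connections, and the listed
    ports. Everything else is dropped by the INPUT chain policy."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(set(intended)):
        lines.append("-A INPUT -p %s -m %s --dport %d -j ACCEPT" % (proto, proto, port))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ssh_only = [("tcp", 22)]
    for finding in audit(SAMPLE_RULESET, ssh_only):
        print("FINDING:", finding)
    print(generate_ruleset(ssh_only))
```

Feed `iptables-save` output into `audit()` with the list of ports the box is built for; anything else reported is exactly the "less secure service available to the hostile Internet" case from Greg's defacement reading. The ruleset `generate_ruleset()` writes can be loaded with `iptables-restore` and is the per-host second layer that backs up the DMZ zone rules on the Shorewall box.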
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
