On Tue, Jun 29, 1999 at 03:22:30PM +0200, hans schneidhofer wrote:
> hi jakob,
>
> thanks a lot for your help. I have deleted inetd, portmapper, and apache. All the
> other stuff I had not installed. I thought that services like
> nfs, samba, squid etc. are not recommended for a bastion.
>
> But ... I never did a "portscan", because there was no need until now. I was
> looking in the man pages and in the doc files, but didn't find such a thing. So
> your help would be very welcome.
There's a piece of software called ``strobe'' that will do the trick.
> For mail, do I have to use any mail agent on the bastion or not? I have planned
> an extra mail server, so I think it's not necessary to leave a mail agent on a
> bastion host. Am I right there?
You could actually run _one_ service: rinetd.
rinetd could forward FTP, SMTP and HTTP requests (and _nothing_ else) to the
machines behind the bastion, using those private IP addresses.
Your bastion could then masquerade traffic from those ports on your internal
machines, out on the internet.
> In one of my books, called "present within the internet" and "setting up a
> firewall", I found recommendations for roughly the following structure:
>
> internet (router) <---> bastion
>                            |
>                            |
> web-server ---------mail-server --------- ftp-server ---- (i.e)
>                            |
>                            |
>                      internal firewall
>                            |
>                            |
> Intra-net --- workstations --- workst...
Looking good.
I've set this up before, though we didn't use an internal firewall. The bastion
will allow traffic to the internal mail and web servers via rinetd, and it will
masquerade the responses from those machines (only) out onto the internet.
Because there's an Exchange server (MS) running the mail service, we set up
qmail as an SMTP gateway on the internal network, so that the machine the bastion
forwards SMTP requests to is more robust.
> My bastion has 2 ethernet cards, one with an official IP address, the other one
> with a private IP address. The webserver also has one private IP address and one
> official address, mail and ftp only have official addresses, and last but not
> least the internal firewall has an official and a private address, acting as a
> gateway. Or is this a bad idea? Should the ftp server be a gateway between
> the internal firewall and the official net?
No official addresses on the internal network. Let the bastion have them all.
Then let it forward requests to those IP/services via rinetd to the private
IP addresses of the internal servers.
And let the bastion masquerade responses.
If you set up Squid somewhere on an internal server, you can also let the
bastion masquerade requests from the Squid proxy. But of course you shouldn't
``export'' the squid service via rinetd to the internet :)
Hope this helps,
................................................................
: [EMAIL PROTECTED] : And I see the elder races, :
:.........................: putrid forms of man :
: Jakob Østergaard : See him rise and claim the earth, :
: OZ9ABN : his downfall is at hand. :
:.........................:............{Konkhra}...............:
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
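An added example, not code from this thread or from the rinetd project: a small rinetd-style TCP forwarder in Python that relays only the ports listed in a rinetd.conf-style allow-list, plus a connect()-based port check of the kind strobe performs, so the "forward FTP, SMTP and HTTP and nothing else" setup described above can be exercised and verified on a single host. The 192.0.2.x and 10.0.0.x addresses in the sample config are hypothetical; demo() rewires everything to 127.0.0.1 so it runs offline. Two caveats the thread does not mention: rinetd relays one TCP connection per rule, so an FTP rule carries only the control channel and neither active nor passive data connections get through; and masquerading the internal servers' own outbound traffic is done by the kernel (ipchains on a kernel of that era), which this example does not cover.

```python
# Added example, not rinetd's or the poster's code: a rinetd-style TCP forwarder
# with an explicit allow-list, plus the connect()-based port check a tool like
# ``strobe'' performs. Addresses are hypothetical; demo() runs on 127.0.0.1.
import socket
import threading

# Constructed rinetd.conf: "bindaddr bindport connectaddr connectport" per line.
SAMPLE_RINETD_CONF = """\
192.0.2.10  25  10.0.0.20  25   # SMTP -> internal mail gateway
192.0.2.10  80  10.0.0.30  80   # HTTP -> internal web server
192.0.2.10  21  10.0.0.40  21   # FTP control channel only; data channel not relayed
"""

def parse_rinetd_conf(text):
    """Return [(bind_addr, bind_port, connect_addr, connect_port), ...]."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()            # '#' starts a comment
        if f:
            rules.append((f[0], int(f[1]), f[2], int(f[3])))
    return rules

def _relay(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _handle(client, connect_addr, connect_port):
    """Bridge one accepted client to the internal host its rule names."""
    try:
        upstream = socket.create_connection((connect_addr, connect_port), timeout=5)
    except OSError:
        client.close()                              # internal host down: drop it
        return
    upstream.settimeout(None)                       # timeout was for connect() only
    back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
    back.start()
    _relay(client, upstream)
    back.join()
    client.close()
    upstream.close()

def _listen(addr, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    s.listen(16)
    return s

def _accept_loop(lsock, handler, *args):
    while True:                                     # one handler thread per client
        client, _ = lsock.accept()
        threading.Thread(target=handler, args=(client,) + args, daemon=True).start()

def start_forwarder(rules):
    """Bind one listener per rule; return [(bind_addr, bound_port), ...]."""
    bound = []
    for baddr, bport, caddr, cport in rules:
        lsock = _listen(baddr, bport)
        threading.Thread(target=_accept_loop, args=(lsock, _handle, caddr, cport),
                         daemon=True).start()
        bound.append((baddr, lsock.getsockname()[1]))
    return bound

def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-connect scan: return the subset of ports that accept a connection."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:
            pass
    return found

def _echo(conn):
    _relay(conn, conn)                              # echo until the peer half-closes
    conn.close()

def demo():
    """Run the forwarder on loopback and report what an outside check sees."""
    internal = _listen("127.0.0.1", 0)              # constructed stand-in for 10.0.0.20:25
    threading.Thread(target=_accept_loop, args=(internal, _echo), daemon=True).start()
    conf = "127.0.0.1 0 127.0.0.1 %d  # SMTP\n" % internal.getsockname()[1]
    (bind_addr, public_port), = start_forwarder(parse_rinetd_conf(conf))
    with socket.create_connection((bind_addr, public_port), timeout=5) as c:
        c.sendall(b"EHLO probe.example\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))                # bound, never listening: refused
        closed_port = probe.getsockname()[1]
        seen = tcp_connect_scan("127.0.0.1", [public_port, closed_port])
    return {"reply": reply, "forwarded_open": public_port in seen,
            "other_open": closed_port in seen}
```

Call demo(): it starts a stand-in internal service, forwards one ephemeral port to it through the relay, sends a line through and reads the echo back, then scans the forwarded port and a bound-but-unlistened port; the returned dict shows the forwarded port open and the other refused. On a real bastion the bindaddr column would hold the public interface address and the connectaddr column the private one, exactly as in the sample config, and strobe against the public address should then show only those ports.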