> Okay, I did remember the 'proxyarp' option from when I set up my ppp box, but
> the stuff I read at the ProxyArp Howto (&related web site) was making me think
> that this might be something different, or the same thing in a drastically
> different context.

I haven't read that howto for quite a while, but I really don't think that
is what you need at this point.

> > If you draw out a diagram it would be more clear.
> 
> Oh dear.  Okay, here goes:
> 
> [ --internet--]
>     |
> [DMZ -- web server, ftp server, public dns, outer spigot of bastion server,
> nothing else.]
>     |
> [Inner, 'protected' net -- inner spigot of bastion server, pop3 server,
> individual workstations, etc.]

So the DMZ is a router, or a Linux box, using ipfwadm?  How many boxes are
in your DMZ?

Are you sure you're using the term `bastion' correctly?  Which one,
exactly, is your bastion host?

> A note or two on the bastion server:  It's a masquerading packet filter,
> running almost nothing except for qmail configured to forward everything to
> the inside pop3 server.  So the basic masquing from the kernel is already set
> up, but right now there are no inet.d services or proxies available to the
> outside world from that box, and the outer interface only has one IP address.

So your bastion host is your DMZ router, right?  And it has the routing
set up to restrict access to your internal gateway?

> > You can masquerade two
> > or more IP addresses with simple aliases.  It sounds like a good routing
> > configuration will help your data find its way.
> 
> That seems reasonable; the idea I had originally was to set up a second
> (aliased?) IP address on the outer interface of the bastion host, and
> magically have that interface appear to the outside world as our pop3 server,
> but only for requests to the smtp port.

You are going to allow pop3 on the Internet side?

If it is the case that your external box is doing http, dns, incoming
mail, you might consider using a separate (aliased) address for each,
otherwise it's not necessary, and can add significant confusion with the
various protocols and ipfwadm.

> But when I first tried to set this up I couldn't get aliasing to work
> (I've since found better info, probably from this list), so single-IP
> masquing with only outward-bound connections ended up being the
> compromise of the hour. 

Hmm... It's late, so perhaps I don't fully understand this.  If I understand
correctly, you don't want your internal hosts directly accessible from the
Internet.  Instead, have your internal gateway store and send mail for
your internal hosts.  It is here you can do mail masquerading, as well as
normal TCP/IP masquerading.

> So what I'm still unclear on is the magically-piping-pop part.  Can that be
> done with just an exotic routing scheme, or do I really need some mitigating
> process (proxy) handling the transactions?  Or are those the same thing?

Well, you should set up a proxy anyway.  Something like squid, with a few
hundred meg space to proxy http requests.  It should (at least) also store
mail, do internal DNS. It can also perform DNS for your external DNS
server (the one that is used by the Internet to find your web server, for
example, and is registered at the Internic) for security reasons.

> I'm gonna go read the proxyarp howto again.  If this made sense to anyone and
> if I've hopelessly confused myself, please mail me a line.

Check out the Security-HOWTO as well.  Follow the link to the updated
version on Kevin's page, where you will find my additions.  I think it
should contain (by now) a few references on properly setting up a DMZ for
a small network.

Essentially, I think you want something like the following:

                external router / Internet
                           | |
                      ^    | |
                      |    | \--->
                      |    |
                      | Linux/DMZ/FW ----- WWW --- DNS --- SMTP
                      |    |
                      |    | /--->
                      |    | |
                      |    | |
                   Linux intranet GW
                           |
                           |
                     Internal Clients


Dave



-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
