Re: Need advice about isolating a host in the DMZ

On Sat, 2002-12-21 at 13:24, Glen Mehn wrote:
> Nick Boyce wrote:
> >
> pureftpd rocks. It's built to support most of the ftp commands, and has
> super simple configuration.

Actually I've already selected vsftpd. Since I only need it for anonymous
ftp (it's going to be a mirror for GNU, sunfreeware, and I hope Debian
soon) I don't need all the features that proftpd has.

> add this to your sources.list:
>
> deb http://pureftpd.sourceforge.net/debian/woody/ ./
>
> -g
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

thanx
--
Haim
Re: Need advice about isolating a host in the DMZ

Nick Boyce wrote:
> On Wed, 18 Dec 2002 14:19:52 +0200 (IST), <[EMAIL PROTECTED]> wrote:
> > I'm thinking about using qmail as the smtp (only have access from the mail
> > relay server)/pop3 server (from what I've read this is a very secure
> > software). Any suggestions about what ftp server should I run (is proftpd
> > secure enough)?
>
> I've switched to vsftpd (there's a deb in Woody), which works fine and is
> said to be written very securely, though it's not as full-featured as
> others. (I haven't tried any others, apart from the stock Debian ftpd -
> there have been so many security problems with daemons based on the old
> BSD codebase that it seems worth switching to one that's completely new
> and unrelated.)
>
> Nick Boyce
> Bristol, UK
> --
> "... the fundamental design flaws are completely hidden by the
> superficial design flaws." Douglas Adams (1952 - 2001): So Long and
> Thanks For All The Fish.

pureftpd rocks. It's built to support most of the ftp commands, and has
super simple configuration.

add this to your sources.list:

deb http://pureftpd.sourceforge.net/debian/woody/ ./

-g
Re: Need advice about isolating a host in the DMZ

On Wed, 18 Dec 2002 14:19:52 +0200 (IST), <[EMAIL PROTECTED]> wrote:
> I'm thinking about using qmail as the smtp (only have access from the mail
> relay server)/pop3 server (from what I've read this is a very secure
> software). Any suggestions about what ftp server should I run (is proftpd
> secure enough)?

I've switched to vsftpd (there's a deb in Woody), which works fine and is
said to be written very securely, though it's not as full-featured as
others. (I haven't tried any others, apart from the stock Debian ftpd -
there have been so many security problems with daemons based on the old
BSD codebase that it seems worth switching to one that's completely new
and unrelated.)

Nick Boyce
Bristol, UK
--
"... the fundamental design flaws are completely hidden by the
superficial design flaws." Douglas Adams (1952 - 2001): So Long and
Thanks For All The Fish.
Re: Need advice about isolating a host in the DMZ

Thanx, everybody. As always you've been a great help :)

Bye
--
Haim
Re: Need advice about isolating a host in the DMZ

On Wed, 2002-12-18 at 15:11, Blars Blarson wrote:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
> > create a second DMZ, but that would cost me the loss of three IPs, so
> > I'm trying to figure out ways to isolate it without putting it in
> > another subnet.
>
> There's no need to use extra IPs just to set up another subnet. Just
> use the same IP on multiple interfaces of your firewall, and with proxy
> ARP routing nothing but your firewall needs to know the details. The
> only thing I've found with broken assumptions about how IP works is DHCPD,
> so your firewall will need a real IP for each segment it acts as a DHCP
> server for. The ip command is your friend; it allows much finer-grained
> control than the commands it replaces.

Just to make sure I understand before I dive into the iproute howto: do you
mean I can give 2 interfaces on my firewall the same IP, one connected
directly to that host, the other to a switch, and only have to set things
up on the firewall?

> I've got a /24 split haphazardly into six subnets. The routing table
> on the firewall is something like 50 entries just for that /24, but
> none of the other systems know the details -- they just ARP and send.
> (Even if I renumbered this beast, the routing table wouldn't be tiny;
> there are over 200 hosts unevenly split between the segments.)
>
> --
> Blars Blarson [EMAIL PROTECTED]
> http://www.blars.org/blars.html
> "Text is a way we cheat time." -- Patrick Nielsen Hayden

thanx
--
Haim
Re: Need advice about isolating a host in the DMZ

Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> I'm thinking about using qmail as the smtp (only have access from the mail
> relay server)/pop3 server (from what I've read this is a very secure
> software). Any suggestions about what ftp server should I run (is proftpd
> secure enough)?

These files may help:

http://linuxmafia.com/pub/linux/security/ftp-daemons
http://linuxmafia.com/~rick/faq/#djb
http://linuxmafia.com/~rick/linux-info/mtas

--
Cheers,              There are only 10 types of people in this world --
Rick Moen            those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
Re: Need advice about isolating a host in the DMZ

In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
> create a second DMZ, but that would cost me the loss of three IPs, so
> I'm trying to figure out ways to isolate it without putting it in
> another subnet.

There's no need to use extra IPs just to set up another subnet. Just
use the same IP on multiple interfaces of your firewall, and with proxy
ARP routing nothing but your firewall needs to know the details. The
only thing I've found with broken assumptions about how IP works is DHCPD,
so your firewall will need a real IP for each segment it acts as a DHCP
server for. The ip command is your friend; it allows much finer-grained
control than the commands it replaces.

I've got a /24 split haphazardly into six subnets. The routing table
on the firewall is something like 50 entries just for that /24, but
none of the other systems know the details -- they just ARP and send.
(Even if I renumbered this beast, the routing table wouldn't be tiny;
there are over 200 hosts unevenly split between the segments.)

--
Blars Blarson [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
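The layout Blars describes, written out as an added example (it is not from the thread and not Blars's own configuration): the firewall keeps its DMZ address on both the switch-facing interface and the cable to the untrusted host, a /32 route steers that one host out the dedicated interface, proxy ARP makes the firewall answer on both sides, and the FORWARD chain decides what may cross. Interface names and the 192.0.2.0/24 addresses are constructed; the script prints the commands unless IP, IPT, SYSCTL and MODPROBE are pointed at the real binaries.

```shell
#!/bin/sh
# Added example, not from the thread: the "same IP on two firewall interfaces"
# layout Blars describes, with proxy ARP so no other DMZ host needs to change.
# Constructed topology:
#   eth0 = outside, eth1 = the DMZ switch, eth2 = a cable straight to the
#   untrusted ftp/pop3 host. DMZ is 192.0.2.0/24, firewall 192.0.2.1,
#   untrusted host 192.0.2.10 (it keeps its address and default gateway).
# Dry run by default: the commands are printed. To apply them (as root) run
# with IP=ip IPT=iptables SYSCTL="sysctl -w" MODPROBE=modprobe.
IP=${IP:-"echo ip"}
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl -w"}
MODPROBE=${MODPROBE:-"echo modprobe"}

DMZ_NET=192.0.2.0/24
FW_ADDR=192.0.2.1
BAD_HOST=192.0.2.10

segment_setup() {
    # The firewall's DMZ address lives on both interfaces. It is a /32 on
    # eth2 so that the only connected /24 route points at eth1; the host
    # route below is more specific and steers BAD_HOST's traffic to eth2.
    $IP addr add $FW_ADDR/24 dev eth1
    $IP addr add $FW_ADDR/32 dev eth2
    $IP route add $BAD_HOST/32 dev eth2

    # Proxy ARP: on eth1 the firewall answers ARP for BAD_HOST (its route is
    # via another interface); on eth2 it answers BAD_HOST's ARP requests for
    # every other DMZ address. Hosts on both sides keep "just ARP and send".
    $SYSCTL net.ipv4.ip_forward=1
    $SYSCTL net.ipv4.conf.eth1.proxy_arp=1
    $SYSCTL net.ipv4.conf.eth2.proxy_arp=1

    # FTP data connections are matched as RELATED only with the helper loaded
    # (the module was called ip_conntrack_ftp on the 2.4 kernels of 2002).
    $MODPROBE nf_conntrack_ftp
}

forward_rules() {
    $IPT -P FORWARD DROP
    # Anti-spoofing: the only source allowed to come in on eth2 is BAD_HOST.
    $IPT -A FORWARD -i eth2 ! -s $BAD_HOST -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rest of the DMZ may reach the untrusted host (mail relay, admin).
    $IPT -A FORWARD -i eth1 -o eth2 -s $DMZ_NET -d $BAD_HOST -j ACCEPT
    # From outside only its two public services are reachable.
    $IPT -A FORWARD -i eth0 -o eth2 -d $BAD_HOST -p tcp --dport 21 -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth2 -d $BAD_HOST -p tcp --dport 110 -j ACCEPT
    # The untrusted host may talk to the outside (mirror fetches), but any
    # new connection it opens into the DMZ is logged and dropped: a break-in
    # on it stays on its own cable.
    $IPT -A FORWARD -i eth2 -s $BAD_HOST -d $DMZ_NET -j LOG --log-prefix "dmz-isolate: "
    $IPT -A FORWARD -i eth2 -s $BAD_HOST -d $DMZ_NET -j DROP
    $IPT -A FORWARD -i eth2 -s $BAD_HOST -o eth0 -j ACCEPT
}

segment_setup
forward_rules
```

As Blars notes, DHCP is the one thing this does not cover: a DHCP server on the firewall would still need a distinct address per segment.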
RE: Need advice about isolating a host in the DMZ

> > Hi
> >
> > I have a host in my DMZ that has both anonymous ftp and pop3 ports open
> > (this can't be changed). Since I really don't trust this setup, I was
> > thinking about ways to isolate this host so no one who breaks into this
> > computer can access other computers on the DMZ (although other
> > computers should be able to access it). One obvious solution is to
> > create a second DMZ, but that would cost me the loss of three IPs, so
> > I'm trying to figure out ways to isolate it without putting it in
> > another subnet.
> >
> > I thought about 2 solutions so far:
> > 1. putting iptables on all the other computers in the DMZ.
> > 2. connecting this host to another VLAN and set this configuration on
> >    the switch (I have to see if that's even possible).
> >
> > Does anybody have another/better solution?
> >
> > thanx
> > --
> > Haim
>
> If you're about to set up firewalling on all your hosts (and that's a
> good thing) do it also on the pop/ftp host :-). Run your services as
> non-root (maybe chroot, too) and NAT ports that are privileged so
> daemons can listen to them as non-root. This way, if anyone breaks in,
> they won't be root that easily and will hopefully find it much harder to
> break local firewall rules.

Do you mean that I should redirect all the incoming (e.g. port 110)
requests to a port above 1024? That's a good idea.

> One other thing you might like to do is to add a firewall just for that
> host, in the DMZ. All traffic from/to your untrusted host should travel
> through that additional firewall, and you could set it up so it lets no
> (or nearly no) connection through from your untrusted host to others in
> the DMZ. Btw, you lose zero IPs, since your firewall can obviously NAT
> your host.
>
> If you cannot afford to use a dedicated host for firewalling, you might
> like to try UserModeLinux. Set up the firewall on the main box, and
> services on another that runs on a virtual machine. This is probably not
> best since it forces you to reinstall many things and makes your conf
> non-too-standard.
>
> As a conclusion, traffic from the internet to that host should go through
> 2 firewalls.
> Traffic from that host to the DMZ should go through your additional
> firewall.
>
> Hope this is clear and helps,
>
> Vincent

I'm thinking about using qmail as the smtp (only have access from the mail
relay server)/pop3 server (from what I've read this is a very secure
software). Any suggestions about what ftp server should I run (is proftpd
secure enough)?

thanx
--
Haim
Re: Need advice about isolating a host in the DMZ

> "Haim" == Haim Ashkenazi <[EMAIL PROTECTED]> writes:

    Haim> Hi I have a host in my DMZ that has both anonymous ftp and
    Haim> pop3 ports open (this can't be changed). Since I really
    Haim> don't trust this setup, I was thinking about ways to isolate
    Haim> this host so no one who breaks into this computer can access
    Haim> other computers on the DMZ (although other computers should
    Haim> be able to access it). One obvious solution is to create a
    Haim> second DMZ, but that would cost me the loss of three IPs,
    Haim> so I'm trying to figure out ways to isolate it without
    Haim> putting it in another subnet.

    Haim> I thought about 2 solutions so far: 1. putting iptables on
    Haim> all the other computers in the DMZ. 2. connecting this host
    Haim> to another VLAN and set this configuration on the switch (I
    Haim> have to see if that's even possible).

3. user-mode-linux (user-mode-linux.sf.net); put each service in a
separate UML with tap interfaces to each UML, with iptables making sure
that anyone breaking the service in a UML can't get out.

Sincerely,

Adrian Phillips

--
Your mouse has moved. Windows NT must be restarted for the change to
take effect. Reboot now? [OK]
Re: Need advice about isolating a host in the DMZ

On Wed, Dec 18, 2002 at 11:42:16AM +0200, Haim Ashkenazi wrote:
> Hi
> (...)
>
> I thought about 2 solutions so far:
> 1. putting iptables on all the other computers in the DMZ.
> 2. connecting this host to another VLAN and set this configuration on
>    the switch (I have to see if that's even possible).

If you set up another VLAN then you are setting up another DMZ, and thus
losing the 3 IP addresses anyway. The only difference being that both
DMZs will be connected to the same switch. Question: ¿who will do the
routing between VLANs?

> Does anybody have another/better solution?

These are not the best solution, just some more possibilities:

3.- Set up a bridge firewall and connect your DMZ servers to it (i.e.
    remove the switch).
4.- Add access control lists in the switch (if it allows you to).
5.- Add outgoing firewall rules in the server (an intruder needs to root
    it to remove the rules; this might take some time if you have hardened
    it properly and followed 'least privilege' in the setup of the
    servers/services being offered).

Of course the best solution would be a combination of all of them
(notice that 2, 3 and 4 are mutually exclusive, I think).

My 2c.

Regards

Javi
RE: Need advice about isolating a host in the DMZ

> Hi
>
> I have a host in my DMZ that has both anonymous ftp and pop3 ports open
> (this can't be changed). Since I really don't trust this setup, I was
> thinking about ways to isolate this host so no one who breaks into this
> computer can access other computers on the DMZ (although other
> computers should be able to access it). One obvious solution is to
> create a second DMZ, but that would cost me the loss of three IPs, so
> I'm trying to figure out ways to isolate it without putting it in
> another subnet.
>
> I thought about 2 solutions so far:
> 1. putting iptables on all the other computers in the DMZ.
> 2. connecting this host to another VLAN and set this configuration on
>    the switch (I have to see if that's even possible).
>
> Does anybody have another/better solution?
>
> thanx
> --
> Haim

If you're about to set up firewalling on all your hosts (and that's a
good thing) do it also on the pop/ftp host :-). Run your services as
non-root (maybe chroot, too) and NAT ports that are privileged so
daemons can listen to them as non-root. This way, if anyone breaks in,
they won't be root that easily and will hopefully find it much harder to
break local firewall rules.

One other thing you might like to do is to add a firewall just for that
host, in the DMZ. All traffic from/to your untrusted host should travel
through that additional firewall, and you could set it up so it lets no
(or nearly no) connection through from your untrusted host to others in
the DMZ. Btw, you lose zero IPs, since your firewall can obviously NAT
your host.

If you cannot afford to use a dedicated host for firewalling, you might
like to try UserModeLinux. Set up the firewall on the main box, and
services on another that runs on a virtual machine. This is probably not
best since it forces you to reinstall many things and makes your conf
non-too-standard.

As a conclusion, traffic from the internet to that host should go through
2 firewalls.
Traffic from that host to the DMZ should go through your additional
firewall.

Hope this is clear and helps,

Vincent
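Vincent's host-level advice (daemons listening on unprivileged ports behind a NAT redirect, plus a local firewall) and Javi's point 5 (outgoing rules on the server itself), as an added example that is not from the thread or from either author. The high ports, the relay address, the passive FTP range and the 192.0.2.0/24 addresses are constructed; the script prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread: local rules for the untrusted ftp/pop3
# host itself. The daemons run as unprivileged users on high ports (2121 for
# ftp, 1110 for pop3, 2525 for smtp; all constructed) and the nat table maps
# the well-known ports onto them, so no daemon needs root to bind a port
# below 1024. The OUTPUT chain is Javi's point 5: a daemon that gets owned
# cannot open connections into the rest of the DMZ.
# Dry run by default: commands are printed; IPT=iptables applies them as root.
IPT=${IPT:-"echo iptables"}

DMZ_NET=192.0.2.0/24      # constructed
MAIL_RELAY=192.0.2.25     # constructed: the only host that may talk SMTP to us
PASV_RANGE=50000:50100    # must equal the ftp daemon's passive port range

redirect_privileged_ports() {
    # REDIRECT happens in PREROUTING, before the filter table looks at the
    # packet, so everything after this point sees the high port.
    $IPT -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
    $IPT -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-ports 1110
    $IPT -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-ports 2525
}

input_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accept the post-REDIRECT ports. A rule on --dport 110 here would never
    # match and pop3 would silently be unreachable; that is the usual mistake
    # with this setup.
    $IPT -A INPUT -p tcp --dport 2121 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport $PASV_RANGE -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 1110 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -s $MAIL_RELAY --dport 2525 -m state --state NEW -j ACCEPT
    # Active-mode FTP data (server-initiated from port 20) is not covered;
    # serve passive mode or load the ftp conntrack helper for RELATED.
}

output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections towards the DMZ are logged and dropped before anything
    # else is allowed out; order matters because the rules below are broad.
    # If the resolver sits inside the DMZ, add an explicit ACCEPT for it here.
    $IPT -A OUTPUT -d $DMZ_NET -m state --state NEW -j LOG --log-prefix "egress-dmz: "
    $IPT -A OUTPUT -d $DMZ_NET -m state --state NEW -j DROP
    # What the mirror legitimately needs: DNS and rsync to upstream mirrors
    # (constructed choice; adjust to the real upstream protocol).
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
}

redirect_privileged_ports
input_rules
output_rules
```

The redirect only removes the need for root at bind time; the daemons still need to be started under their own users (and chrooted where the software supports it) for the rest of Vincent's point to hold.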
Need advice about isolating a host in the DMZ

Hi

I have a host in my DMZ that has both anonymous ftp and pop3 ports open
(this can't be changed). Since I really don't trust this setup, I was
thinking about ways to isolate this host so no one who breaks into this
computer can access other computers on the DMZ (although other
computers should be able to access it). One obvious solution is to
create a second DMZ, but that would cost me the loss of three IPs, so
I'm trying to figure out ways to isolate it without putting it in
another subnet.

I thought about 2 solutions so far:
1. putting iptables on all the other computers in the DMZ.
2. connecting this host to another VLAN and set this configuration on
   the switch (I have to see if that's even possible).

Does anybody have another/better solution?

thanx
--
Haim