OK, but how does the network setup look on the webserver? I envisioned
something like:
IP=192.168.1.100
Mask=255.255.255.0
GW=192.168.1.2 (eth2 on LEAF box)
How would SMTP know to forward to the ISA server?
I guess I could point the SMTP server on the protected box to point to the
external interface of the ISA server, who would be listening for SMTP
traffic from that IP. {guess I just answered my own question}
BTW, ISA = Microsoft Internet Security Acceleration Server 2000
If I set up the LEAF server as a more typical setup with a different subnet
for the DMZ, the default rules would not allow communication to the
protected network (eth1 internal) right? Internal could initiate
communications with the DMZ, but not vice versa, correct? That was what I
was going to do initially, but was pretty sure it would fail. If this is a
better way, perhaps I could craft some rules that said essentially, the only
traffic that could be routed to the internal network is SMTP traffic and ISA
message filter DCOM traffic.
This all makes sense, until I get to the end, where you indicate you want to
push SMTP (and other) traffic to your internal net. The whole point of
having a screened subnet or DMZ is to keep public servers *OUT* of your
internal net. It's almost always possible to restructure a network that
requires inbound connections so that inbound connections are only permitted
on the DMZ.
Back to the screened subnet, all on the same subnet as first described. So
any inbound comm allowed would head to the internal network, and then be
forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP,
etc.).
The second firewall (ISA) would then decide whether or not to allow inbound
to the real internal network. For example, I also want to set up a VPN
eventually. The access would be allowed/denied from the ISA server who
would have access to Active Directory domain info. Again, all forwarding
could be accomplished by rules at the LEAF box.
Does that sound like I am on the right track?
It's really hard to tell...it sounds like you're running an e-mail server
BEHIND the ISA, on your internal net. If so, this is a *REALLY BAD IDEA*,
and pretty much defeats the whole purpose of a screened subnet architecture.
Your comments about VPN, however, are correct...you could easily set up the
ISA to be a VPN gateway for the real internal subnet. BTW: What you
refer to as internal network above (the network between the Dachstein box
and the ISA) should be called the screened subnet, although you'll still
have to use the INTERN_* variables in network.conf to configure it :-/
If you don't have a copy already, pick up O'Reilly's Building Internet
Firewalls and take a look at chapter 6, Firewall Architectures. It's an
excellent resource when trying to design safe network architectures, and
includes excellent (and very readable) descriptions of architectures that
work, and architectures to avoid (often for subtle, non-obvious reasons).
If you want general advice from the list, you're going to have to provide a
lot more detail about exactly what you're trying to accomplish...I've tried
to make what comments I could, but it's hard trying to read between the
lines and figure out what services you're running where...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
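The screened-subnet policy Charles is arguing for, written out as an added example that is not part of the thread and is not code from LEAF or Dachstein. It takes the screened subnet 192.168.1.0/24 on eth2 (webserver at .100) and the internal interface eth1 from the messages above; the internal subnet 10.0.0.0/24, the mail relay at 192.168.1.25 and the external interface name eth0 are constructed. The model evaluates new connections against a zone-based rule list with a default deny, renders the same rules as stateful iptables FORWARD rules, and includes a check that no rule ever opens a connection toward the internal interface, which is exactly the mistake the reply warns about.

```python
"""Screened-subnet (DMZ) forwarding policy for a three-interface firewall.

Added example: not code from the thread, from LEAF or from Dachstein. The
screened subnet 192.168.1.0/24 (eth2, webserver .100) and the internal
interface eth1 come from the thread; the internal subnet 10.0.0.0/24, the
mail relay at 192.168.1.25 and the external interface name eth0 are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

IFACES = {"external": "eth0", "internal": "eth1", "screened": "eth2"}
NETS = {
    "screened": IPv4Network("192.168.1.0/24"),   # from the thread
    "internal": IPv4Network("10.0.0.0/24"),      # constructed
}
WEB_HOST = IPv4Address("192.168.1.100")   # from the thread
MAIL_HOST = IPv4Address("192.168.1.25")   # constructed


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None             # None: any protocol
    dport: Optional[int] = None             # None: any port
    dst_host: Optional[IPv4Address] = None  # None: any host in dst_zone


# Only connection *initiations* are listed; replies ride on ESTABLISHED.
# No rule has dst_zone == "internal": public servers live on the DMZ and the
# DMZ cannot open connections inward, which is the point of the architecture.
POLICY = [
    Rule("internal", "screened"),                        # LAN may reach DMZ
    Rule("internal", "external"),                        # LAN may browse out
    Rule("external", "screened", "tcp", 80, WEB_HOST),   # public web server
    Rule("external", "screened", "tcp", 25, MAIL_HOST),  # inbound mail to relay
    Rule("screened", "external", "tcp", 25),             # relay delivers outward
    Rule("screened", "external", "udp", 53),             # DNS for DMZ hosts
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known nets is external."""
    addr = ip_address(ip)
    for zone, net in NETS.items():
        if addr in net:
            return zone
    return "external"


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of a NEW connection; default policy is DROP."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst_host is not None and r.dst_host != ip_address(dst):
            continue
        return "ACCEPT"
    return "DROP"


def render_iptables() -> list[str]:
    """Render POLICY as stateful FORWARD-chain rules in iptables syntax."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in POLICY:
        parts = [f"iptables -A FORWARD -i {IFACES[r.src_zone]} -o {IFACES[r.dst_zone]}"]
        if r.proto is not None:
            parts.append(f"-p {r.proto}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        if r.dst_host is not None:
            parts.append(f"-d {r.dst_host}")
        parts.append("-m state --state NEW -j ACCEPT")
        lines.append(" ".join(parts))
    return lines


def nothing_opens_inward() -> bool:
    """Sanity check: no rule lets a NEW connection out of the internal interface."""
    return not any("-o eth1" in ln and "NEW" in ln for ln in render_iptables())


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    print("inward-initiation check passed:", nothing_opens_inward())
```

Running the module prints the rendered rule set; `decide()` lets you ask the same questions the thread does, for example whether the DMZ mail relay may open an SMTP connection to a host on 10.0.0.0/24 (it may not), while the internal LAN may still reach the DMZ web server. If a policy ever needs a rule whose destination zone is "internal", `nothing_opens_inward()` flips to false, which is the signal that a server has ended up behind the second firewall instead of on the screened subnet.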
___
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user