You've got the right idea. Implementing it isn't trivial though, and I 
wouldn't recommend putting all those eggs in one basket (on the same 
host), unless you use a "virtual" platform to do so.

I recommend you look into IPCop or pfSense for a firewall host. You can 
put IPCop on an old PII or PIII host. It only takes 128M of RAM, and a 
1G HDD would do fine. These distros are robust network service hosts 
(router/firewall/VPN/DHCP - you name it).

BL, you really don't want your mail server (or any server for that 
matter) handling network security. Apply the KISS rule whenever possible.

-- 
-Eric 'shubes'

On 09/03/2012 01:52 PM, BC wrote:
>
>
> This is probably over my head.
>
>   From my reading about a "DMZ", that would require using a 3rd NIC on
> the host machine, right?  I have a mobo NIC that I'm not using
> presently and could assign it an address of say,  10.10.0.1 (the LAN
> is 10.0.0.1)
>
> Presently, everything that is running on the host machine is basically
> attached to the 10.0.0.1 IP address in some way or another.  For a
> short time I experimented with tinydns and ran it on the 127.0.0.1 IP
> on the host, but I don't use local dns hosting.
>
>
> So, if I'm understanding you the proper way to do this would be like so:
>
>
>                  _________ LAN (10.0.0.1) - all the processes needed
>                 /          (dhcp, resolver), various Windows machines...
> WAN (internet) /
>                \
>                 \_________ DMZ (10.10.0.1) - email server, spamdyke,
>                            separate resolving cache
>
>
>
> Do I have this right?  Then I'd punch a hole through the firewall
> between 10.0.0.1 and 10.10.0.1 so I could do my email via the LAN?
>
>
>
>
>
> On 9/3/2012 11:00 AM, spamdyke-users-requ...@spamdyke.org wrote:
>> Here's the thing. Your mail server should be on the DMZ subnet (I'm not
>> sure of PF's terminology). That subnet has no access to dhcp or
>> resolvers, for security reasons. I suppose you could punch a pinhole for
>> DNS requests, but that sort of defeats the purpose. Since all hosts in
>> the DMZ should use a resolver/recursor which is not on the (trusted)
>> LAN, they can a) use their own, b) use a common one on the DMZ subnet
>> (but preferably *not* an authoritative DNS host), or c) use one provided
>> by an ISP or other service (OpenDNS and Google provide several free
>> ones). The options are in order of efficiency, and probably preference
>> as well for most cases.
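The three-legged layout and the "pinhole" discussed in this thread, written out as a pfSense/FreeBSD-style pf.conf. This is an added illustration, not a ruleset any of the posters supplied; the interface names (em0/em1/em2), the /24 masks, and the mail host address 10.10.0.10 are assumptions, and the DMZ host runs its own resolver as in option (a) above.

```pf
# Assumed interface names; 10.0.0.1 and 10.10.0.1 are the firewall's own addresses
ext_if = "em0"                     # WAN
lan_if = "em1"                     # LAN  10.0.0.1/24 (dhcp, resolver, Windows clients)
dmz_if = "em2"                     # DMZ  10.10.0.1/24 (mail server, spamdyke, own cache)

lan_net  = "10.0.0.0/24"
dmz_net  = "10.10.0.0/24"
mail_srv = "10.10.0.10"            # assumed address of the DMZ mail host

set skip on lo
scrub in all

# NAT everything leaving the WAN; expose only SMTP on the mail host to the Internet
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $mail_srv port 25

# Default deny. Nothing below lets the DMZ talk to the LAN, so the DMZ
# cannot reach the LAN's dhcp or resolver at all.
block log all

# LAN clients may reach the Internet, but not the DMZ except via the pinhole
pass in  on $lan_if inet from $lan_net to ! $dmz_net
pass out on $ext_if inet from $lan_net to any

# The pinhole: LAN may reach the mail host only on mail ports (SMTP, submission, IMAPS)
pass in  on $lan_if inet proto tcp from $lan_net to $mail_srv port { 25, 587, 993 }
pass out on $dmz_if inet proto tcp from $lan_net to $mail_srv port { 25, 587, 993 }

# DMZ mail host: deliver outbound mail and recurse DNS itself, Internet-only
pass in  on $dmz_if inet proto tcp          from $mail_srv to ! $lan_net port 25
pass in  on $dmz_if inet proto { tcp, udp } from $mail_srv to ! $lan_net port 53
pass out on $ext_if inet from $dmz_net to any

# Inbound SMTP from the Internet, after the rdr has rewritten the destination
pass in  on $ext_if inet proto tcp from any to $mail_srv port 25
pass out on $dmz_if inet proto tcp from any to $mail_srv port 25
```

Because `block log all` is the only rule covering DMZ-to-LAN traffic, any attempt from the mail host to reach 10.0.0.x shows up in the pflog interface, which is a useful check that the segmentation actually holds.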




_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users