LeRoy Cressy on Wed, 29 Jan 2003 16:34:30 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Concerning the question about being safe with your configuration, I would be petrified without a firewall. You can do what I did and set up an old P75 box as a NAT firewall and router. My logs on the firewall reflect a constant barrage from sniffers, port scans, and some attempting to ssh into one of my boxes.

The configuration that you are currently using does not block any ports or whatever. This is very bad. You should block everything from the Internet except what you specifically want to allow.

The configuration that I use is:

           +----------+
           |   DSL    |
           +----------+
                |
                |
           +----------+   DMZ    +------------+
           | Firewall |--------->|   Switch   |
           +----------+   LAN    +------------+
                |
                |
                |                 Workstation
                |                +------------+
                +--------------->|   Switch   |
                         LAN     +------------+

You can set up your DMZ servers to handle Mail, POP, Apache and anything else that you want to be accessed from the Internet. The trick is that you do not allow any traffic from the DMZ to go to the workstations, but on the other hand you can allow the workstations to have access to the DMZ. Thus with a configuration like this the only thing that the Internet sees is the DMZ. They cannot see the Workstation side.

Also, on the security aspect, I would remove the telnet package from any machine that has access to the Internet. I would close every port possible. For instance, this past weekend I dropped a number of packets that were from the Microsoft SQL worm.

In my firewall I have 3 ethernet cards with each assigned its own IP address. Also the firewall becomes the gateway for the 2 internal LANs.

With the configuration of connecting the switch directly to the DSL you are in the position of creating firewall code for each server. This sounds like a lot of work.

epike@isinet.com wrote:
> hi list,
> couple of dsl questions:

- -- 
Rev. LeRoy D. Cressy        mailto:leroy@lrcressy.com
      /\_/\                 http://lrcressy.com
     ( o.o )                Phone: 215-535-4037
      > ^ <
gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+OEhnP+/m2oUBr+oRAmgbAKCJKH1E1r4bJqGKYWo1Gb+zMNY8PgCfeoYJ
0LBY6LZNciNphhZgG2B1c5M=
=3jrR
-----END PGP SIGNATURE-----
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
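The post describes a policy rather than showing the rules that enforce it: a three-NIC NAT box with a default-deny stance toward the Internet, workstations allowed into the DMZ, the DMZ never allowed to initiate toward the workstations, and only the published DMZ services (mail, POP, web) reachable from outside. The script below is an added example of that rule set in iptables; it is not LeRoy Cressy's own firewall configuration or anything posted to the list. The interface names (eth0 facing the DSL modem, eth1 the DMZ, eth2 the workstation LAN), the private address ranges and the two DMZ host addresses are assumptions chosen for the example. It also assumes the usual single public DSL address, so inbound mail and web traffic is port-forwarded (DNAT) to the DMZ hosts and outbound traffic is masqueraded. Setting DRY_RUN prints the rules instead of installing them, which is a convenient way to review the policy before loading it.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for the three-NIC
# firewall/DMZ layout described on the list. Interface names, address ranges and
# host addresses are ASSUMPTIONS chosen for illustration.
set -eu

WAN=eth0                 # assumed: card facing the DSL modem
DMZ=eth1                 # assumed: card facing the DMZ switch
LAN=eth2                 # assumed: card facing the workstation switch
DMZ_NET=192.168.1.0/24   # constructed sample addressing
LAN_NET=192.168.2.0/24   # constructed sample addressing
MAIL_HOST=192.168.1.10   # constructed: DMZ mail/POP server
WEB_HOST=192.168.1.20    # constructed: DMZ Apache server

# Wrapper: print the command when DRY_RUN is set, otherwise execute it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from empty tables and a default-deny posture for traffic to and through the box.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Replies to connections we allowed, plus loopback on the firewall itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management of the firewall only from the workstation LAN, only over SSH.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Anti-spoofing: a packet claiming an inside source address must not arrive from the DSL side.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$DMZ_NET" -j DROP

    # Workstations may initiate connections to the DMZ and to the Internet.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # The DMZ may never initiate toward the workstations. Log before dropping so a
    # compromised DMZ host probing inward shows up in the firewall logs.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP

    # DMZ servers may reach the Internet themselves (outbound mail delivery, DNS).
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -m state --state NEW -j ACCEPT

    # Internet -> DMZ: only the published services. With one public address the firewall
    # forwards each port to its DMZ host (DNAT) and permits exactly that port through.
    for svc in "25 $MAIL_HOST" "110 $MAIL_HOST" "80 $WEB_HOST"; do
        port=${svc% *}; host=${svc#* }
        ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" -j DNAT --to-destination "$host"
        ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$host" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything leaving toward the DSL link is masqueraded behind the firewall's address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Usage:  DRY_RUN=1 sh fw.sh apply    # print the rules without touching the kernel
#         sh fw.sh apply              # as root, install the rules
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Because the FORWARD policy is DROP, anything not listed (telnet, the SQL Server port the worm in the post was hitting, direct Internet access to the workstations) is discarded without a rule of its own; the explicit DMZ-to-LAN LOG rule exists only so that those attempts are recorded rather than silently dropped.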