Re: Down the MPD road

From: Michael Collette (metrol_at_metrol.net)
Date: 05/12/03

To: FreeBSD Security <freebsd-security@FreeBSD.org>
Date: Mon, 12 May 2003 13:04:24 -0700

On Saturday 10 May 2003 01:48 pm, Olivier Cherrier wrote:
> > > Here is where we descend into Windows-bashing. For some STUPID
> > > reason, when a Windows box connects to a VPN via PPTP, the Windows
> > > box's default route is adjusted to go through the VPN connection.
> > > This is fortunately fixable (Windows has a ROUTE command), but it
> > > requires your users to have half a clue:
> > >
> > > route delete 0.0.0.0
> > > route add 0.0.0.0 mask 0.0.0.0 gateway <ISP gateway> metric 1
> > > route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN
> > > tunnel] metric 1
> >
> > I cannot test this right now, so it is quite probable that you are
> > right, but couldn't this be controlled by the Properties >> Networking
> > >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
> > Use default gateway on remote network?
>
> Yes, this checkbox allows you to NOT route all the traffic to the
> VPN server. No need for 'route delete, route add ...' scripts.

I did this, and it does correct the immediate problem. Of course, it also
creates a new glitch.

My mail server sits in the DMZ, which is of course on a different subnet than
the secure network. I'm bringing those outside users directly into the
secure network, as they very definitely need resources from there.

Without being able to configure routing from the secure network, those users
can't route to the DMZ. In that DMZ I have pop3 and ldap restricted to
internal use only, while SMTP is opened up wide. The problem compounds a bit
when dealing with SMTP security, which is presently configured to restrict
relaying to only those IPs that we own.

So, the firewall prevents pop3 and ldap, while the mail server itself
restricts the relaying. Unless the user is able to route to this server via
the internal network, this dog just don't hunt.

Is there perhaps some part of this I'm missing?

Thanks,

-- 
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark
to read."
 - Groucho Marx
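A constructed example of the split-tunnel routing discussed in this thread (added here; it is not from the thread or any of its participants). With "Use default gateway on remote network" unchecked, only the routes the client explicitly adds go through the tunnel, so the DMZ subnet needs its own route alongside the secure network; every address below is a placeholder.

```batch
@echo off
setlocal
REM Added example, not from the original thread. Run after the PPTP
REM connection is up (e.g. after rasdial) with "Use default gateway on
REM remote network" unchecked, so Internet traffic stays on the ISP link
REM and only the subnets routed here cross the tunnel.
REM Placeholder addressing (documentation/private ranges), replace as needed:
set VPN_GW=192.0.2.1
set SECURE_NET=10.10.0.0
set SECURE_MASK=255.255.0.0
set DMZ_NET=10.20.0.0
set DMZ_MASK=255.255.255.0

REM Secure (internal) network via the far end of the tunnel, as in the
REM quoted "route add [InsideNetwork] mask [InsideMask] ..." line.
route add %SECURE_NET% mask %SECURE_MASK% %VPN_GW% metric 1

REM The DMZ is a separate subnet, so without this route the mail server is
REM reached over the default (ISP) path, where the firewall blocks pop3/ldap
REM and the server refuses to relay for an outside address.
route add %DMZ_NET% mask %DMZ_MASK% %VPN_GW% metric 1

REM Show what the client will use for each internal destination.
route print %SECURE_NET%*
route print %DMZ_NET%*

REM Basic check: warn if the DMZ route did not land in the table.
route print | find "%DMZ_NET%" >nul || echo WARNING: no route to %DMZ_NET% installed
endlocal
```

These routes are tied to the tunnel's far-end address, so they disappear when the PPTP session drops and the script has to be rerun on the next connect; the mail server must also count the client's VPN-assigned address among the addresses it relays for.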
    
