DMZ shortcuts? Is there a how-to?

From: Jared (jared@hwai.com)
Date: 11/13/02

I am looking at dedicating an old laptop as a standalone firewall. As
it currently has Mandrake 9.0 on it I figure I will remove everything
except what iptables and named need to run. As I am familiar with
bastille-firewall.cfg I intend to continue using the Bastille script
unless there is a good reason not to. The laptop would run a DNS
server and iptables, and pass all other requests along to another
machine. I will, of course, chroot DNS.

After being rootkitted twice in three months, one of the main goals I
am trying to achieve is to minimize access to privileged ports. The
only one I *think* I have to allow is UDP 53 for DNS. My question is
how, for example, can I redirect a request to port 25 to a
non-privileged port (e.g., 3025), send that to the mail server, and
have that request changed back to port 25? Same question for port 443
(so I can get at Squirrelmail), though I imagine the process is
analogous. I am running a mail server and a web server for outside
access (and, when clients don't clamp down on all the ports, SSH as
well, but that is trivial to put on a non-privileged port).

I am curious about a number of issues:

On the internal server side (separate server from the firewall), would
I have to chroot postfix and httpd anyway?

Is the secure way to do this without hanging the mail/web server off a
separate NIC, to create a DMZ? If so, I guess I can't use a laptop as
I would need three NICs, would I not?

Does Bastille support unrelated subnets? E.g., 192.168.nnn.nnn for
desktops and 172.16.nnn.nnn for DMZ. If I could do that, would I be
able to set up a virtual DMZ without buying additional hardware?

I am sure there are questions I should be asking but don't know enough
to. I would greatly appreciate feedback and suggestions from those
more experienced in these matters.

Thank you.

Best regards,

Jared
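Added example (not part of the original post, and not Bastille output): an iptables ruleset of the kind the post asks about, for a firewall that accepts connections on the privileged ports 25 and 443 on its outside interface and rewrites them to non-privileged ports on the DMZ host. The outside interface name (eth0), the DMZ host address (172.16.0.10) and the target ports (3025 for SMTP, 3443 for HTTPS) are assumptions for illustration. The DNAT rule in the nat PREROUTING chain rewrites the destination port on the way in; the "changed back to port 25" half of the question needs no rule at all, because connection tracking un-translates the replies of a NATed connection automatically. The script only prints the rules; pipe its output into sh as root on the firewall to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names:
#   eth0          outside interface of the firewall laptop
#   172.16.0.10   mail/web server in the DMZ
#   3025 / 3443   non-privileged ports the DMZ daemons actually listen on
WAN_IF="${WAN_IF:-eth0}"
DMZ_HOST="${DMZ_HOST:-172.16.0.10}"

# Two rules per redirected service: a nat/PREROUTING DNAT that rewrites
# the destination to DMZ_HOST:priv_port, and a FORWARD accept matching
# the already-rewritten packet (FORWARD sees the post-DNAT destination).
# Replies are un-NATed by connection tracking, so no reverse rule exists.
redirect_rules() {
    pub_port=$1    # port the outside world connects to (25, 443, ...)
    priv_port=$2   # non-privileged port the DMZ host listens on
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$pub_port" "$DMZ_HOST" "$priv_port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$WAN_IF" "$DMZ_HOST" "$priv_port"
}

# Baseline: default deny, allow loopback and established/related traffic,
# and the one privileged port the firewall itself serves (DNS on UDP 53).
base_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 53 -j ACCEPT
EOF
}

# Complete ruleset: baseline plus SMTP and HTTPS redirected into the DMZ.
full_ruleset() {
    base_rules
    redirect_rules 25 3025
    redirect_rules 443 3443
}

full_ruleset
```

Two points worth checking on the DMZ host itself: the daemons must really bind to 3025/3443 (the DNAT does not change what they listen on), and the firewall must have ip_forward enabled (echo 1 > /proc/sys/net/ipv4/ip_forward) or the FORWARD chain is never reached. If named on the laptop has to return answers larger than 512 bytes or serve zone transfers, TCP 53 needs an INPUT rule as well; the example opens UDP 53 only, as the post describes.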
