Date: Thu, 12 Mar 1998 23:09:39 -0800
From: Studded <Studded@dal.net>
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-BETA-0312 i386)
To: "Shin'ichiro Seto/OTESS, Inc."
CC: questions@FreeBSD.ORG
Subject: Re: Mail Server should be inside of ipfw ?
Message-ID: <3508DBB3.64899009@dal.net>
References: <199803122314.PAA20938@otess.com>

Shin'ichiro Seto/OTESS, Inc. wrote:
>
> Hi folks,
>
> This is a kind of generic issue but I hope someone will give me an idea.

You can get some good general help here. When you have a more concrete plan you might want to post it to freebsd-isp for review. At the same time (and please don't take this the wrong way) you should seriously consider hiring someone to help you with this. The cost of hiring a good consultant can be made up many times over the first time you have to go down there at 2am and spend hours recreating things from scratch.

> I'm going to have two FreeBSD boxes at our customer site as Internet servers.

Good choice. :)

> One will be ipfw + proxy + dns, and the other one will be mail + web + dns.

I hope that you are planning to put at least one mail and one dns server at a different location for backup.

> I wonder whether it is better for the mail server to be inside the firewall or outside.

Your best bet would probably be to have an "outside" mail server that receives the mail and uses a smart relay host rule to pass it inside the firewall to the other machine that will pass out the actual mail.

> If it were inside, crackers would attack the intranet through sendmail.

This is not as much of a problem as it used to be, but it's a valid concern.

> I don't know how but I'm saying a possibility. Also, the mail server will
> be the http server. This means that they could get into the intranet using
> a cgi program if the program were so stupid.

Someone already mentioned your best bet would be to put the http server on the outside of the firewall and not put anything other than the bare essentials on it.

> If it were outside, it'd be easier to crack the mail server itself and
> get the passwd file.

See above. You want to avoid having any non-essential services on the firewall machine.

> If anyone has the same situation, please let me know which one is better and why.
> Or, if I have to have a firewall program instead of ipfw in order to say "This site
> has a firewall", please give me any ideas on firewalls.

The ipfw that comes with FreeBSD should do everything you need for an operation like this. If you look at the /etc/rc.firewall script, there are some good books recommended in there for you.

Hope this helps,

Doug
--
*** Chief Operations Officer, DALnet IRC network ***
*** Proud operator, designer and maintainer of the world's largest ***
*** Internet Relay Chat server. 5,328 clients and still growing. ***
*** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD)
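The layout Doug sketches above (an "outside" MX that relays inward through the firewall to a separate inside mail host) needs a packet filter rule set on the ipfw box that admits exactly that one hop and nothing else into the intranet. The script below is an added example in the style of /etc/rc.firewall, not code from the original message or from FreeBSD itself. Every interface name and address in it (ed0, ed1, 10.0.0.0/24, 192.0.2.10, 10.0.0.25, 10.0.0.53) is an assumption made up for illustration; the relay hop on the outside MX itself (a sendmail smart host or mailertable entry pointing at the inside machine) is outside the scope of this block.

```shell
#!/bin/sh
# Added example: rc.firewall-style ipfw rules for a two-box "outside MX relays
# inward" layout. All names and addresses below are assumed for illustration.

fwcmd="/sbin/ipfw"            # rc.firewall convention; "dry-run" swaps in echo
if [ "${1:-}" = "dry-run" ]; then
    fwcmd="echo"
fi

oif="ed0"             # assumed: interface facing the Internet
inet="10.0.0.0/24"    # assumed: intranet block behind the firewall
mx_out="192.0.2.10"   # assumed: outside mail + web host (receives Internet SMTP)
mx_in="10.0.0.25"     # assumed: inside mail host that the outside MX relays to
ns_in="10.0.0.53"     # assumed: inside DNS server allowed to talk to the world

build_rules() {
    $fwcmd -f flush

    # Loopback, then anti-spoofing: nothing arriving from the Internet side may
    # claim a loopback or intranet source address.
    $fwcmd add 100 allow all from any to any via lo0
    $fwcmd add 200 deny all from 127.0.0.0/8 to any in via $oif
    $fwcmd add 210 deny all from $inet to any in via $oif

    # Packets belonging to TCP connections that were already allowed to open.
    $fwcmd add 300 allow tcp from any to any established

    # The relay hop: only the outside MX may open SMTP to the inside mail host.
    $fwcmd add 400 allow tcp from $mx_out to $mx_in 25 in via $oif setup
    # Outbound mail leaves the same way: inside hosts may open SMTP to the outside MX.
    $fwcmd add 410 allow tcp from $inet to $mx_out 25 out via $oif setup

    # DNS for the one inside name server; no other UDP reaches the intranet.
    $fwcmd add 500 allow udp from any 53 to $ns_in 53 in via $oif
    $fwcmd add 510 allow udp from $ns_in 53 to any 53 out via $oif

    # No other connection may be opened into the intranet from outside; log attempts.
    $fwcmd add 900 deny log tcp from any to $inet in via $oif setup
    $fwcmd add 910 deny log all from any to $inet in via $oif

    # Default deny, so anything not listed above is dropped and logged.
    $fwcmd add 65000 deny log all from any to any
}

# Only load rules when there is a real ipfw binary, or when doing a dry run.
if [ "$fwcmd" = "echo" ] || [ -x "$fwcmd" ]; then
    build_rules
fi
```

Run it as `sh rules.sh dry-run` to print the rules without touching the kernel; the point to check is that the only `setup` rule admitting traffic into 10.0.0.0/24 is the one from the outside MX to the inside mail host on port 25, so a compromise of the web/mail box still leaves the attacker with a single TCP port into the intranet rather than the whole network.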