Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 13 Mar 2005 03:24:04 -0800
From:      "Loren M. Lang" <lorenl@alzatex.com>
To:        BSD Mail <bsdmail@gmail.com>
Cc:        FreeBSD-questions@freebsd.org
Subject:   Re: To Jail behind NAT or not.
Message-ID:  <20050313112404.GJ18080@alzatex.com>
In-Reply-To: <8be663db05031303151d97a0e3@mail.gmail.com>
References:  <8be663db05031303151d97a0e3@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--Ah9ph+G2cWRpKogL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Mar 13, 2005 at 03:15:57AM -0800, BSD Mail wrote:
> Greetings all,
>=20
> I have the following topology:
>=20
>  Internet ----- Gateway ----- DMZ=20
>                        |
>                      LAN
>=20
> I'm using PF to redirect traffic to the DMZ machine which carries the fol=
lowing:
>=20
> bind9;postfix;dovecot(imaps,pop3s),openwebmail;apache13;isc dhcp;sfs,ftps
> I have ssl certs for services such as mail/web/ftp.
>=20
> The gateway machine has 3 NICs and doesn't have any service enabled on
> its external interface nor internal. Remote access is denied to the
> gateway only console access allowed. It only forwards traffic to the
> inside DMZ. Also my LAN is on a different subnet
> from the DMZ.
>=20
> If all my services are behind that NAT box is it premature or too much
> paranoid to have multiple jails one for postfix another for apache and
> so on..on the DMZ machine that is hosting all these services ? Or can
> I say that I'm protected to a good extent that jail won't give me any
> additional protection because services are behind NAT ?

An NAT router doesn't protect against buffer overflows in apache or
postfix, or any other number of bugs that they may have.  All nat really
does is prevents someone from trying to connect to arbitrary ports of
arbitrary machines behind the router that aren't being forwarded inside,
but it doesn't protect the ports that are forwarded like http to your
dmz machine.

>=20
> I use SSH keys to access anymachin on my network, and I have OTP
> configured if I needed access from outside my network for college.
>=20
> Thanks for the insight.
>=20
> --=20
> Regards,
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o=
rg"

--=20
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
=20

--Ah9ph+G2cWRpKogL
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCNCLUbTXoRwEYo9IRAorgAJ9IX7LxSnAX3XMEq0AiPL6Nzqsr+wCff5u9
b3oBD3RMTzNzsA5OkGF8fRI=
=JkEE
-----END PGP SIGNATURE-----

--Ah9ph+G2cWRpKogL--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050313112404.GJ18080>