From: "Loren M. Lang" <lorenl@alzatex.com>
To: BSD Mail
Cc: freebsd-questions@freebsd.org
Date: Sun, 13 Mar 2005 03:24:04 -0800
Subject: Re: To Jail behind NAT or not.
Message-ID: <20050313112404.GJ18080@alzatex.com>
In-Reply-To: <8be663db05031303151d97a0e3@mail.gmail.com>
On Sun, Mar 13, 2005 at 03:15:57AM -0800, BSD Mail wrote:
> Greetings all,
>
> I have the following topology:
>
> Internet ----- Gateway ----- DMZ
>                   |
>                  LAN
>
> I'm using PF to redirect traffic to the DMZ machine which carries the following:
>
> bind9; postfix; dovecot (imaps, pop3s); openwebmail; apache13; isc dhcp; sfs; ftps
> I have ssl certs for services such as mail/web/ftp.
>
> The gateway machine has 3 NICs and doesn't have any service enabled on
> its external interface nor internal. Remote access is denied to the
> gateway; only console access is allowed. It only forwards traffic to the
> inside DMZ. Also my LAN is on a different subnet
> from the DMZ.
>
> If all my services are behind that NAT box, is it premature or too
> paranoid to have multiple jails, one for postfix, another for apache and
> so on, on the DMZ machine that is hosting all these services? Or can
> I say that I'm protected to a good extent, that jail won't give me any
> additional protection because services are behind NAT?

A NAT router doesn't protect against buffer overflows in apache or
postfix, or any number of other bugs that they may have. All NAT really
does is prevent someone from trying to connect to arbitrary ports of
arbitrary machines behind the router that aren't being forwarded inside,
but it doesn't protect the ports that are forwarded, like http to your
DMZ machine.

>
> I use SSH keys to access any machine on my network, and I have OTP
> configured if I needed access from outside my network for college.
>
> Thanks for the insight.
>
> --
> Regards,

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA C415 6D35 E847 0118 A3D2
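An added illustration of the point made in the reply above, not code from the thread: every port the gateway's PF `rdr` rules forward is reachable from the Internet exactly as if the DMZ host were exposed directly, so the forwarded services, not the NAT, define the attack surface and are the candidates for separate jails. The script parses a constructed pf.conf fragment (interface name and addresses are assumed) and lists that exposed surface per internal target.

```python
import re
from collections import defaultdict

# Constructed pf.conf fragment (not from the original message) modelled on the
# poster's gateway: a few services redirected from the external NIC to one DMZ host.
SAMPLE_PF_CONF = """\
ext_if = "fxp0"
dmz_host = "192.168.10.2"
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $dmz_host port 80
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 993, 995 } -> $dmz_host
rdr on $ext_if proto udp from any to ($ext_if) port 53 -> $dmz_host
# no rdr for port 22: the gateway itself accepts nothing from outside
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
RDR_RE = re.compile(
    r'^\s*rdr\b.*?\bproto\s+(\w+)\b.*?\bport\s+(\{[^}]*\}|\d+)\s*->\s*(\S+)'
)

def expand_macros(text: str, macros: dict) -> str:
    # Substitute $name references with the macro values seen so far.
    for name, value in macros.items():
        text = text.replace(f"${name}", value)
    return text

def exposed_services(pf_conf: str) -> dict:
    """Map each rdr target to the sorted (proto, port) pairs the Internet can
    reach through the NAT gateway: NAT hides nothing on this list."""
    macros = {}
    exposed = defaultdict(set)
    for line in pf_conf.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)   # remember macro definition
            continue
        line = expand_macros(line, macros)
        m = RDR_RE.match(line)
        if not m:
            continue                          # not a redirect rule
        proto, ports, target = m.groups()
        for p in re.findall(r"\d+", ports):   # handles "80" and "{ 25, 993 }"
            exposed[target].add((proto, int(p)))
    return {host: sorted(svcs) for host, svcs in exposed.items()}

if __name__ == "__main__":
    for host, svcs in exposed_services(SAMPLE_PF_CONF).items():
        print(host, "reachable from the Internet on:", svcs)
```

Each (proto, port) pair printed for the DMZ host is a service the gateway cannot shield, which is the list to walk when deciding what gets its own jail.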