From owner-freebsd-questions Mon Aug 18 08:01:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA26257 for questions-outgoing; Mon, 18 Aug 1997 08:01:41 -0700 (PDT)
Received: from BIGFUN.vwcom.com ([151.197.101.21]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA26252 for ; Mon, 18 Aug 1997 08:01:36 -0700 (PDT)
Received: from WillsCreek.COM (gw.willscreek.com [151.197.101.46]) by BIGFUN.vwcom.com (8.8.6/8.8.6) with ESMTP id KAA02879 for ; Mon, 18 Aug 1997 10:56:43 -0400 (EDT)
Received: from current.willscreek.com (root@current.willscreek.com [172.16.87.1]) by WillsCreek.COM (8.8.5/8.7.3) with ESMTP id HAA03736 for ; Mon, 18 Aug 1997 07:51:03 -0400 (EDT)
Received: (from bmc@localhost) by current.willscreek.com (8.8.5/8.7.3) id HAA00360; Mon, 18 Aug 1997 07:50:55 -0400 (EDT)
Date: Mon, 18 Aug 1997 07:50:55 -0400 (EDT)
Message-Id: <199708181150.HAA00360@current.willscreek.com>
From: Brian Clapper
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: questions@FreeBSD.ORG
Subject: Re: sendmail on a firewall box
In-Reply-To: <62646535@toto.iv>
X-Mailer: VM 6.23 under Emacs 19.34.1
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jerry Kelley wrote:

> This is probably a loaded question and I'd bet that I'll get responses
> on both sides but I'm going to ask this question anyway:
>
> 1) is it a major security hole to run sendmail on a firewall box?
>
> Okay, there, I said it. In the economy of a small business, it is not
> always practical to have several servers providing services such as
> firewalling and mail hosting. So, for my business, I want to set up a
> FreeBSD box to act as the Internet access point and provide things like
> DNS, mail hosting, NTP, and firewalling. I really don't have the dollars
> to build a separate box for the firewall although I know that security
> purists will frown and make some comments that security isn't cheap
> anyway.
>
> I just want one box that provides the services to my small LAN. I want
> that box to be the mail host for my company and also provide a
> firewall/proxy service.
>
> Am I asking for too much?

No, you're not. Putting *something* in place is better than not having
anything at all--provided you're aware of the limitations of your
solution.

If you're going to run sendmail on a firewall box, though, you might
consider wrapping it in the `smap' wrapper that comes with the firewall
toolkit. See http://www.tis.com/ for pointers to the firewall toolkit;
it's free.

Also, read through these two books for information on how to secure your
firewall box more effectively:

	Building Internet Firewalls
	Brent Chapman and Elizabeth Zwicky
	O'Reilly & Associates, Inc
	ISBN 1-56592-124-0
	http://www.ora.com/

	Firewalls & Internet Security
	Repelling the wily hacker
	William R. Cheswick, Steven M. Bellovin
	Addison-Wesley
	ISBN 0-201-6337-4
	http://www.awl.com/

-----
Brian Clapper, bmc@WillsCreek.COM, http://WWW.WillsCreek.COM/
Conceit causes more conversation than wit.
		-- La Rochefoucauld