It all depends on how big your network is, and what design you have currently. If you are running a bastion host style network, with a firewall running proxies for everything (which is what you have by the sounds of it), you can tell BIND to only attach to one IP address (ie. your internal interface on your firewall) and it will still be able to do lookups externally, just not answer requests from external clients. (this is what you want) Squid can also be bound only to the internal interface, as can SMTPD (http://www.obtuse.com/smtpd.html) and/or sendmail. Also take a look at xinetd for an interface capable inetd replacement.

End result is that you can have a box offering a hell of a lot of services internally but having all ports closed on the external interface. This negates the need to have ipchains rules etc.. (You should use them anyway, as a 3rd layer of security) (The second layer being tcp wrappers. Even ssh and sendmail are compiled with libwrap support on suse)

HTH
Nix

At 01:22 PM 15/11/2000 +0100, you wrote:
Hi Nix
Just read your reply to the DNS matter. I've got this problem: Some services (pop, smtp in my case) go through my ipchains filter because I don't see a way to let them go over a proxy. All these services need dns. Is there a way to have dns run over a proxy while pop, smtp is still going through a packet filter?
And, is there a way to control port 25 and 110 on an ipchains filter? Some IDS software maybe?
Thanx Philipp
At 11:47 AM 15/11/2000 +0100, you wrote:

Hello,
I have a question about DNS-Server connections.
We have a primary DNS-Server behind a Firewall with packet filtering. In my rules I allow all hosts to connect from a port over 1023 to the DNS-Server port 53; the problem I have is that many Hosts (WAN) try to connect to our DNS-Server from port 53 to our port 53.
Is it necessary to open also lower port 53 from the source-adr. to the DNS-Server port 53, or should I reject connections which use a port-adr. lower than 1023 as source-port?

NO NO NO.. Don't ever filter based on source port as that can be set arbitrarily!!!
You should run separate dns caches on each segment of your network as it is only server -> client replies that use weird ports. server -> server stuff is all port 53. That means that you can happily filter based on destination port on all your different firewalls, and just leave the last jump to your client machines "unfirewalled"
Email me back if you want further specifics, as secure network design is a BIIIG issue.
HTH
Cheers
Nix
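To make the point of the reply above concrete, here is an added example (not from the thread, not from any firewall product): a toy first-match packet filter in the spirit of an ipchains chain, run over three constructed rule sets. The first is the asker's rule as described (source port above 1023 to the DNS server's port 53), the second "fixes" the symptom by trusting source port 53, and the third judges only by destination. All addresses, port numbers and packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DENY"
    dst: Optional[str] = None        # destination address, None = any
    dport: Optional[int] = None      # destination port, None = any
    sport: Optional[int] = None      # exact source port, None = any
    sport_min: Optional[int] = None  # lowest accepted source port, None = any

    def matches(self, p: Packet) -> bool:
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.sport_min is not None and p.sport < self.sport_min:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


DNS_SERVER = "192.0.2.53"      # constructed: the primary DNS server behind the filter
INTERNAL_HOST = "192.0.2.10"   # constructed: some other internal machine

# Rule set 1: the asker's rule. Only high source ports may reach port 53.
CHAIN_HIGH_SPORT_ONLY = [
    Rule("ACCEPT", dst=DNS_SERVER, dport=53, sport_min=1024),
]

# Rule set 2: the tempting "fix": anything coming from source port 53 is DNS, let it in.
CHAIN_TRUST_SPORT_53 = [
    Rule("ACCEPT", dst=DNS_SERVER, dport=53, sport_min=1024),
    Rule("ACCEPT", sport=53),
]

# Rule set 3: the advice in the reply: decide on destination address and port only.
CHAIN_DEST_PORT = [
    Rule("ACCEPT", dst=DNS_SERVER, dport=53),
]

# Constructed traffic seen at the external interface.
PACKETS: Dict[str, Packet] = {
    # remote resolver querying our server, server -> server, port 53 both ends
    "server_to_server": Packet("198.51.100.7", 53, DNS_SERVER, 53),
    # remote stub client querying from a high port
    "client_query": Packet("198.51.100.7", 40000, DNS_SERVER, 53),
    # connection to an internal host's port 22 whose sender chose source port 53
    "sport53_to_ssh": Packet("198.51.100.7", 53, INTERNAL_HOST, 22, "tcp"),
}


def audit(chain: List[Rule]) -> Dict[str, str]:
    """Verdict of the chain for every constructed packet, keyed by packet name."""
    return {name: evaluate(chain, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in [("high sport only", CHAIN_HIGH_SPORT_ONLY),
                         ("trust sport 53", CHAIN_TRUST_SPORT_53),
                         ("dest port only", CHAIN_DEST_PORT)]:
        print(f"{label:16s} {audit(chain)}")
```

Rule set 1 reproduces the symptom in the question: legitimate server-to-server queries from port 53 are refused. Rule set 2 admits them, but because the sender picks its own source port, it also admits the packet aimed at port 22 on an internal host. Rule set 3 admits both DNS packets and denies the third, which is what filtering on the destination port buys you; the replies to your own resolver's queries go to high ports, which is why the reply recommends a cache per segment so that only the client-facing hop has to be left open.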
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com