Mailinglist Archive: opensuse-security (423 mails)

Re: [suse-security] AW: Squid on Firewall?
Hi,

On 28 Mar 2001, at 7:32, Ashley wrote:

> I'm still learning. Can you clarify for me about dns on your packet
> filter? What I gather from your ideal here is this:
>
There are three different scenarios: the first one is the (probably
more common) situation where a private network behind a firewall
has workstations that need to be connected to the internet. The
second is one or more servers that need to be accessible from the
internet. The third one is the server that needs to be accessible
from the internet and the private network. All three scenarios have
different requirements to the firewall.

> - no nameserver runs on the filter.
> - the resolver on the filter does not point to internal (or DMZ even)
> nameservers.
> - /etc/hosts on filter lists localhost only.
>
That is right for the first scenario.

> Does the packet filter need access to any nameservice at all?
>
I cannot see any reason why the packet filter needed DNS access
from the security point of view. It might be convenient to resolve IP
addresses of the log files, but that reduces security if it is done on
the packet filter.

There are even other things to be considered. Like for some
installations it may be a requirement that the access to or from the
internet must not be interrupted. In such cases an intruder with root
rights must not have access to commands like rm, umount,
shutdown, etc. This may not be too difficult for an installation with
24x7 onsite service as such commands can be kept on a removable
medium that is only plugged in and mounted when needed, but to
remotely administrate such a system requires intensive preparations
like a remote controlled medium loader. In other installations it may
be convenient at a trace of a breakin to automatically shut down the
firewall computer as the integrity of the internal data may be more
valuable than the permanent internet access.

mike
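
Added example, not part of the original mail: a shell check of two items from the checklist discussed above for the first scenario, namely that /etc/hosts lists localhost only and that, following the reply that the filter needs no DNS access, the resolver has no nameserver configured. The function names, the sample files and the addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a packet filter's name-resolution files.

# Print hosts entries whose address is not loopback (127.0.0.0/8 or ::1).
hosts_non_localhost() {
    awk '{ sub(/#.*/, "") } NF && $1 !~ /^127\./ && $1 != "::1"' "$1"
}

# Print the address of every nameserver configured for the resolver.
resolver_nameservers() {
    awk '{ sub(/[#;].*/, "") } $1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if both files match the checklist, 1 otherwise, listing what was found.
audit_filter_dns() {
    hosts_file=${1:-/etc/hosts}
    resolv_file=${2:-/etc/resolv.conf}
    status=0
    extra=$(hosts_non_localhost "$hosts_file")
    if [ -n "$extra" ]; then
        printf 'FAIL %s: entries other than localhost:\n%s\n' "$hosts_file" "$extra"
        status=1
    fi
    # A missing resolv.conf means no resolver is configured, which passes.
    if [ -f "$resolv_file" ]; then
        ns=$(resolver_nameservers "$resolv_file")
        if [ -n "$ns" ]; then
            printf 'FAIL %s: resolver points to: %s\n' "$resolv_file" "$(echo $ns)"
            status=1
        fi
    fi
    [ "$status" -eq 0 ] && echo "OK: hosts lists loopback only, no nameserver configured"
    return "$status"
}

# Constructed sample files (not from the thread) for a filter that fails both checks.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1     localhost
192.168.1.10  intranet.example.com intranet   # constructed internal host
EOF
cat > "$demo_dir/resolv.conf" <<'EOF'
search example.com
nameserver 192.168.1.53   # constructed internal nameserver
EOF
audit_filter_dns "$demo_dir/hosts" "$demo_dir/resolv.conf" || echo "audit reported findings"
```

Called without arguments, `audit_filter_dns` reads /etc/hosts and /etc/resolv.conf on the machine it runs on.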

