On Friday 20 Aug 2004 17:22 pm, John N. Alegre wrote:
> Thanks to the help I got from the great SuSE gurus on this list I finally have my entire email system set up and debugged.
>
> A little about my LAN.
>
> I have 5 machines on the LAN. 4 of the machines POP mail from one server running SuSE Pro 9.1. This machine sends and receives mail via SMTP.
>
> I am now ready to set up a firewall.
>
> When I set up the firewall using YaST, what settings do I have to make to do these things .....
>
> Allow the SuSE box to still send and receive mail with SMTP ...
> Allow all the other 4 machines to send mail to the mail server over the LAN ..
> Allow NFS to work between the 5 machines on the LAN ...
> Allow all the other 4 machines to access a yet to be set up MySQL database over the LAN ...
This very much depends on how your network is set up... Does the server act as a gateway:

    WEB --- SERVER --- switch --- clients

or are all 5 boxes directly connected to your ?ADSL router? If the former, then you tell YaST which is the internal and which the external interface, have it only protect the external interface, and open the port for SMTP. To be honest, that's by far the best way to set it up - you only have one firewall to configure and it protects the whole network. Also, there is much less chance of opening unforeseen holes in making NFS and MySQL available.
> All machines are set up with static IPs and have properly configured /etc/hosts files in place. Other than mail in and out via SMTP, I want the SuSE box closed to the net.
By default SuSEfirewall2 will block all incoming connections except those you explicitly allow and those which are responses to outgoing connections. I also take it that your external connection is doing NAT of some kind, which means that unless the device can associate an incoming packet with an outgoing connection it can't pass it into the network unless you have configured it to do so. In practical terms though, if all 5 boxes are connected to the ADSL router then you cannot guarantee that the server will be closed to the web, as you will have to open holes in the firewall to allow your services to function.

HTH
Dylan

-- 
"I see your Schwartz is as big as mine" -Dark Helmet
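As an added illustration (not part of the thread, and not John's or Dylan's configuration), here are the SuSEfirewall2 settings that correspond to the gateway layout Dylan recommends (WEB --- SERVER --- switch --- clients): the external interface is the only one filtered, SMTP is the only service opened on it, and the LAN side is left unfiltered so POP, NFS and MySQL work between the five machines without any extra holes. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions; the variable names are the standard /etc/sysconfig/SuSEfirewall2 keys, which use shell-variable syntax. The check function at the end is a small sanity test for Dylan's "unforeseen holes" point: it fails if anything other than SMTP is listed for the external side.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the gateway layout from the reply;
# interface names and the LAN range below are assumed. In a real system these
# assignments live in /etc/sysconfig/SuSEfirewall2 and take effect when
# SuSEfirewall2 is restarted.

FW_DEV_EXT="eth0"               # assumed: interface facing the ADSL router / Internet
FW_DEV_INT="eth1"               # assumed: interface facing the LAN switch
FW_ROUTE="yes"                  # forward traffic between the two interfaces
FW_MASQUERADE="yes"             # hide the LAN behind the server's external address (NAT)
FW_MASQ_NETS="192.168.1.0/24"   # assumed LAN range that may be masqueraded
FW_PROTECT_FROM_INT="no"        # do not filter the internal interface: POP, SMTP, NFS
                                # and MySQL from the four clients reach the server freely
FW_SERVICES_EXT_TCP="smtp"      # the only service accepted from the Internet side
FW_SERVICES_EXT_UDP=""          # nothing else opened externally
FW_SERVICES_EXT_RPC=""          # in particular no portmapper/NFS from outside

# With a single gateway firewall the only way for NFS or MySQL to become reachable
# from the Internet is to list them in an FW_SERVICES_EXT_* variable by mistake.
# Returns 0 when the external services consist of SMTP only, 1 otherwise.
check_external_services() {
    for svc in $FW_SERVICES_EXT_TCP $FW_SERVICES_EXT_UDP $FW_SERVICES_EXT_RPC; do
        case "$svc" in
            smtp|25) ;;   # the mail port is the one intended exception
            *) echo "unexpected service open on $FW_DEV_EXT: $svc" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage: run the check before restarting the firewall.
check_external_services && echo "external interface $FW_DEV_EXT: SMTP only, as intended"
```

Because FW_PROTECT_FROM_INT is "no", nothing needs to be listed for the LAN side at all; the services the other four machines use are simply not filtered on eth1. Everything inbound on eth0 other than port 25 and replies to outgoing connections is dropped, which is exactly the "closed to the net except SMTP" behaviour asked for in the original question.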