Hello,
at the moment I have the following setup:
<- ASCII PIC ->
Is it possible to have all public IPs connected to the firewall's ethernet device, from which they are routed to the webserver and proxy (and the clients on the internal network as well)? My approach is to have only the firewall directly connected to the internet and to give even the web-/mailserver and the proxy only internal IP addresses. I think this would be more secure?!

If I've understood everything right, you've drawn the graphic wrong. Your system seems to be:

    Internet
       |
       |
    Cisco Router
       |
       |----------------------------------------------
       |                    |                        |
    Firewall(SuSE 6.2)   Webserver(SuSE 6.3)      Proxy (SuSE 6.3)
                         Mailserver
       |
       |
       --- internal network

This system is really open to any attacks, so it seems to be a good idea to masquerade ALL systems behind the packet filter.

You can do some things...

1. You can add the IP address from the Web/Mail-Server to the world-IF of the packet filter.
2. Perhaps it's a good idea to do static NAT for the web/mail Server, otherwise you can only redirect the ports 80/25 (443/110 if used externally) to the web/mail System....
3. Configure the Proxy to Packet-Filter and Masquerade to another internal IP, connected to the Firewall
4. Many more possibilities...

    Internet
       |
       |
    Cisco Router
       |
       |world-ip
    Firewall(SuSE 6.2)
       |192.168.1.1
       |
       |---------------------------- WWW/POP/SMTP
       |192.168.1.0/24               192.168.1.100
       |
       |
       |192.168.1.200
    Proxy (SuSE 6.3)
       |192.168.2.254
       |
       |
    /-------------/ INTERNAL NET 192.168.2.0/24

Just a standard solution...

b.t.w. The Packet Filter "ipchains" from Linux is NO firewall, it's a packet filter. A usable firewall needs application layer and stateful inspection, too. By combining the different freeware tools (inc. ipchains) you can configure a nearly complete firewall. The new 2.4 Kernel "iptables" will have functions for stateful inspection.

Greetings,
Oliver Grube

* Reverse Hacking: root password is "./mmG8-n", find the right system...

********************************************
iT_SEC - enabling trusted ebusiness
********************************************
iT_SEC Deutschland GmbH
Dünner Straße 247, 41066 Mönchengladbach
Phone: 02161/6897-0, Fax: -199
http://www.de.it-sec.com

We look forward to your visit at
infosecurity 2000 in Frankfurt, 31.10. to 2.11.2000, Hall 6
Systems 2000 in Munich, 6.11. to 10.11.2000, Hall C3.
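
The layout from the reply above, sketched as an added example (not part of the thread and not the poster's own configuration): a shell function that emits an iptables-restore ruleset with the port redirect for 80/25 to 192.168.1.100, masquerading for 192.168.1.0/24, and stateful forwarding. It uses the 2.4 kernel's iptables rather than ipchains; the interface names eth0/eth1 and the public address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example: generates rules for the firewall box in the reply's diagram.
# Assumed values (not from the thread): interface names and the public IP.
WORLD_IF="${WORLD_IF:-eth0}"          # assumed Internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"              # assumed interface holding 192.168.1.1
WORLD_IP="${WORLD_IP:-203.0.113.10}"  # placeholder public IP (documentation range)
DMZ_NET="192.168.1.0/24"              # network behind the firewall (from the diagram)
SERVER="192.168.1.100"                # WWW/POP/SMTP host (from the diagram)
PORTS="${PORTS:-80 25}"               # add 443 110 if those are used externally

gen_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Redirect only the published ports from the world IP to the server.
    for p in $PORTS; do
        echo "-A PREROUTING -i $WORLD_IF -d $WORLD_IP -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
    done
    # Hide every system behind the packet filter. The internal net is already
    # masqueraded by the proxy to 192.168.1.200, so it is covered by DMZ_NET.
    echo "-A POSTROUTING -o $WORLD_IF -s $DMZ_NET -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Stateful inspection: replies to known connections pass, nothing else.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PORTS; do
        echo "-A FORWARD -i $WORLD_IF -o $DMZ_IF -d $SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # New outbound connections from the network behind the firewall.
    echo "-A FORWARD -i $DMZ_IF -o $WORLD_IF -s $DMZ_NET -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

# "sh script.sh print" shows the ruleset; pipe it into iptables-restore as root to load it.
case "${1:-}" in print) gen_rules ;; esac
```

With the default-drop FORWARD policy, a port that is redirected in the nat table but missing from PORTS in the filter table stays closed, so both loops are driven from the same list.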