Hi,

I think you should install a second firewall. Maybe you should use the following model:

INTERNET---FW1---(DMZ, with Webserver)---FW2---LAN

You should be able to update your websites from the LAN via FTP without being intruded upon by someone on the Internet.
Maf King wrote that you should use iptables. That's right, because of the real NAT which you can enable at FW1. At this point you can redirect incoming connections to port 80 to the web server in the DMZ. The other ports can be closed if you do not need to use them. At FW2 you can enable NAT to the web server via iptables.

THX, have much fun.

Best regards,

Stefan Walther
stefan_walther@gehag-dsk.de
office: +4930/89786448
mobile: +49172/3943961





Hi A.M.

On 2001.09.08 15:17:46 +0100 A. Meinerzhagen wrote:
> Hi, List.
>

>
> Is there a safe way other than sftp/scp to let people update their
> webpages?
> Clients are using lots of Windows computers. After an intrusion last
> week we don't like the idea anymore that people use ftp to put their
> pages on the server.

Can't think of anything easy... are all your users going to update from
inside your LAN, or do they have to update over the Internet?

One solution I have seen to this problem is a temporary FTP password:
something like
1. you email the server,
2. a password is generated and is only valid for one hour,
3. the password is emailed back to the user.
Not great, but the cracker has less time in which she can intrude on your box.


>
> Does it make sense, with our setup, to use SuSE Firewall at all?
> Setup is :
>

IMHO, it nearly always makes sense to firewall - layers of security make it
harder for a bad guy to get anywhere even if he breaks into one box...


> WWW---->FW---->(eth0) Webserver (eth1)<--->LAN
>         ^                                   ^
>         |-------------------v---------------|
>
> Weird, I know. Incoming traffic will go through FW, but outgoing will not.
>
> The Webserver-machine runs two instances of apache, to serve
> the www-pages and the local www-pages. That's the reason for the
> two NICs. But by design we have to look at both NICs as hostile
> networks, because any computer is connected at any time to the
> Internet (University). If using the Firewall, what would a setup look
> like? Or better, ipchains? And what would the rules be? We are serving
> only ports 80, 443, and 22 (http, https, ssh) to the "outside" and at
> the moment to the "inside" also. If people insisted on using ftp
> from inside, what then?
>

I'm not sure how you gain anything by having 2 NICs on the same LAN; to my
eyes, you seem to be making things too complicated...

If you are using kernel 2.4.x, try iptables - it is more flexible than
ipchains.

SuSE firewall basically makes rules for ipchains / iptables, so one isn't
"better" than the other; they use different ways to do the same thing.
Given your unusual set-up (but fairly simple needs), I think you would be
better off rolling your own using iptables (sorry, Marc ;-) )

Have a look at the HOWTO at http://netfilter.samba.org for some iptables
ideas.

HTH,
Maf.

>
> Thanks in advance,  A. Meinerzhagen
>

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"It is easier to do a job right than to explain why you didn't."

- Martin Van Buren

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
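Added example, not code from either poster: a shell script that generates iptables rulesets for FW1 and FW2 in the two-firewall DMZ model Stefan describes, using the roll-your-own iptables approach Maf recommends. Interface names and the web server address are assumed placeholders, and the rules are printed rather than applied so the script runs without root.

```shell
#!/bin/sh
# Rule generator for the INTERNET---FW1---(DMZ)---FW2---LAN model.
# Interface names and the web server address are assumed placeholders;
# the commands are printed, not applied, so this runs without root.
WAN_IF="${WAN_IF:-eth0}"        # assumed: FW1 interface facing the Internet
DMZ_IF="${DMZ_IF:-eth1}"        # assumed: DMZ-facing interface on each firewall
LAN_IF="${LAN_IF:-eth0}"        # assumed: FW2 interface facing the LAN
WEB_IP="${WEB_IP:-192.0.2.10}"  # assumed: DMZ web server (RFC 5737 example range)

# FW1: default-deny, forward only TCP/80 from the Internet to the DMZ
# web server (DNAT); every other inbound port stays closed by policy.
fw1_rules() {
    cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $WEB_IP --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# FW2: LAN may open FTP (21) and SSH (22) to the web server to publish pages;
# ip_conntrack_ftp tracks the FTP data connection as RELATED. Nothing that
# starts in the DMZ may reach the LAN: no rule exists, so policy drops it.
fw2_rules() {
    cat <<EOF
iptables -F; iptables -t nat -F
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $WEB_IP -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $DMZ_IF -j MASQUERADE
EOF
}

# Audit helper: list the ports a ruleset lets new connections through
# (the NEW-state FORWARD accepts), e.g. exposed_ports fw1_rules -> 80
exposed_ports() {
    "$1" | grep -e '-A FORWARD' | grep -e '--state NEW' | grep -o -E -e '--dports? [0-9,]+' | awk '{print $2}'
}

case "${1:-}" in fw1) fw1_rules ;; fw2) fw2_rules ;; esac
```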



--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com