Hello,

at the moment I have the following setup:

    Internet
       |
       |
    Cisco Router
       |
       |
    Firewall(SuSE 6.2) -- Webserver(SuSE 6.3) -- Proxy (SuSE 6.3)
       |                  Mailserver
       |
    --- internal network

The firewall serves as a packet filter. The web-/mailserver and the proxy are each connected via a public IP. The clients from the internal network are all masqueraded with the proxy IP, even if one of the clients does not use the proxy.

Is it possible to have all public IPs connected to the firewall's ethernet device, from which they are routed to the webserver and proxy (and the clients on the internal network as well)? My approach is to have only the firewall directly connected to the internet and to give even the web-/mailserver and the proxy only internal IP addresses. I think this would be more secure?!

Sorry for my bad English and my (not) understanding of firewalls and security!

Thanks in advance
Dustin
> Hello,
> at the moment I have the following setup:
> <- ASCII PIC ->
> Is it possible to have all public IPs connected to the firewall's ethernet device, from which they are routed to the webserver and proxy (and the clients on the internal network as well)? My approach is to have only the firewall directly connected to the internet and to give even the web-/mailserver and the proxy only internal IP addresses. I think this would be more secure?!
If I've understood everything right, you've drawn the graphic wrong. Your system seems to be:

    Internet
       |
       |
    Cisco Router
       |
       |----------------------------------------------
       |                    |                        |
    Firewall(SuSE 6.2)   Webserver(SuSE 6.3)     Proxy (SuSE 6.3)
       |                 Mailserver
       |
    --- internal network

This system is really open to any attacks, so it seems to be a good idea to masquerade ALL systems behind the packet filter. You can do some things...

1. You can add the IP address of the web/mail server to the world interface of the packet filter.
2. Perhaps it's a good idea to do static NAT for the web/mail server; otherwise you can only redirect the ports 80/25 (443/110 if used externally) to the web/mail system....
3. Configure the proxy to packet-filter and masquerade to another internal IP, connected to the firewall.
4. Many more possibilities...

    Internet
       |
       |
    Cisco Router
       |
       |world-ip
    Firewall(SuSE 6.2)
       |192.168.1.1
       |
       |----------------------------  WWW/POP/SMTP
       |192.168.1.0/24                192.168.1.100
       |
       |192.168.1.200
    Proxy (SuSE 6.3)
       |192.168.2.254
       |
       /-------------/ INTERNAL NET 192.168.2.0/24

Just a standard solution...

b.t.w. The packet filter "ipchains" from Linux is NO firewall, it's a packet filter. A usable firewall needs application layer and stateful inspection, too. By combining the different freeware tools (incl. ipchains) you can configure a nearly complete firewall. The new 2.4 kernel "iptables" will have functions for stateful inspection.

Greetings,
Oliver Grube

* Reverse Hacking: root password is "./mmG8-n", find the right system...

********************************************
iT_SEC - enabling trusted ebusiness
********************************************
iT_SEC Deutschland GmbH
Dünner Straße 247, 41066 Mönchengladbach
Phone: 02161/6897-0, Fax: -199
http://www.de.it-sec.com

We look forward to your visit at infosecurity 2000 in Frankfurt, 31.10.-2.11.2000, Hall 6, and at Systems 2000 in Munich, 6.11.-10.11.2000, Hall C3, stand 121.
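The layout Oliver proposes above, written out as a rule set, as an added example that is not part of the original post and not Oliver's or SuSE's code. It uses iptables on a 2.4 kernel (which the reply itself names for stateful inspection) rather than the ipchains of SuSE 6.2, and it implements option 2 in its "redirect only ports 80/25" form rather than static NAT. Interface names (eth0/eth1), the documentation address 203.0.113.10 standing in for the public IP, and the "apply" switch are assumptions made for the example; the 192.168.1.x/192.168.2.x addresses are the ones from the diagram.

```shell
#!/bin/sh
# Added example: netfilter rule set for the proposed layout
#   Internet - Cisco - [WORLD_IF] Firewall [DMZ_IF] - 192.168.1.0/24
#       web/mail 192.168.1.100
#       proxy    192.168.1.200 - internal net 192.168.2.0/24 (masqueraded by the proxy)
# Interface names, the public address and the "apply" switch are assumptions.

WORLD_IF=eth0             # assumed: interface towards the Cisco router
DMZ_IF=eth1               # assumed: interface towards 192.168.1.0/24
WORLD_IP=203.0.113.10     # assumed: documentation address in place of the real public IP
DMZ_NET=192.168.1.0/24
WEBMAIL=192.168.1.100
PROXY=192.168.1.200
INTERNAL_NET=192.168.2.0/24

# Emit the rule set one command per line so it can be reviewed (or tested)
# before it is handed to the kernel. Order matters: anti-spoofing rules sit
# in front of the ESTABLISHED,RELATED accept so a forged packet cannot ride
# on an existing connection entry.
fw_rules() {
cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT   -i $WORLD_IF -s $DMZ_NET -j DROP
iptables -A FORWARD -i $WORLD_IF -s $DMZ_NET -j DROP
iptables -A INPUT   -i $WORLD_IF -s $INTERNAL_NET -j DROP
iptables -A FORWARD -i $WORLD_IF -s $INTERNAL_NET -j DROP
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $DMZ_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $WORLD_IF -d $WORLD_IP -p tcp --dport 80 -j DNAT --to-destination $WEBMAIL:80
iptables -t nat -A PREROUTING -i $WORLD_IF -d $WORLD_IP -p tcp --dport 25 -j DNAT --to-destination $WEBMAIL:25
iptables -A FORWARD -i $WORLD_IF -o $DMZ_IF -d $WEBMAIL -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WORLD_IF -o $DMZ_IF -d $WEBMAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WORLD_IF -s $WEBMAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WORLD_IF -s $PROXY -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WORLD_IF -j SNAT --to-source $WORLD_IP
EOF
}

# Number of ports redirected to the web/mail host (the "only 80/25" option).
dnat_rule_count() {
    fw_rules | grep -c -- '-j DNAT'
}

# Default: print for review. "apply" hands the rules to the kernel
# (needs root and a 2.4 kernel with netfilter).
if [ "${1:-}" = "apply" ]; then
    fw_rules | sh -e
else
    fw_rules
fi
```

Only the firewall carries the public address; the web/mail host answers on 80/25 because of the DNAT, and everything leaving through eth0 is rewritten to the firewall's address, so neither 192.168.1.0/24 nor the client net behind the proxy is ever visible from the router. Note, as a caveat from the editor rather than the thread: ipchains on the 2.2 kernel of SuSE 6.2 has no DNAT; the equivalent port redirect there needs the separate ipmasqadm portfw tool, and there is no connection tracking, which is the point Oliver makes about 2.4.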
Hi,
> [...] b.t.w. The packet filter "ipchains" from Linux is NO firewall, it's a packet filter. A usable firewall needs application layer and stateful inspection, too. By combining the different freeware tools (incl. ipchains) you can configure a nearly complete firewall. The new 2.4 kernel "iptables" will have functions for stateful inspection.
>
> Greetings, Oliver Grube
a short newbie question:

which freeware tools should I use to set up a "nearly complete" firewall, and why do I need application layers for a simple network setup with only www, ssh and smtp configured?

Thanks in advance

*
* Your Formel4 team
* mailto:info@formel4.de
*
---
Viruses also do something useful, e.g. deleting Windows.
Hi,
> [...] b.t.w. The packet filter "ipchains" from Linux is NO firewall, it's a packet filter. A usable firewall needs application layer and stateful inspection, too. By combining the different freeware tools (incl. ipchains) you can configure a nearly complete firewall. The new 2.4 kernel "iptables" will have functions for stateful inspection.
>
> a short newbie question:
> which freeware tools should I use to set up a "nearly complete" firewall, and why do I need application layers for a simple network setup with only www, ssh and smtp configured?
Sorry, I've possibly used the wrong words...

A usable firewall does three things:
1. Packet filter to allow/deny IP packets from different sources
2. Stateful inspection to control the status of a connection
3. Application layer filter to filter malicious code from e-mails, www, ftp and other services

1. Use "ipchains"
2. Use "iptables" (kernel 2.4)
3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools
4. There's no possibility to filter for malicious code in encrypted IP packets (ssh, ssl, ipsec etc.)

Yours,
Oliver Grube
ar> 3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools
ar> 4.

What about FWTK from TIS?

Regards, ar

--- And now the footer! -----------------
PLEASE send mails *only* in pure ASCII, no vCards, attachments in non-proprietary portable formats! Thanks!
-----------------------------------------
mailto:andreas@rittershofer.de
http://www.rittershofer.de
-----------------------------------------
PGP-Public-Key http://www.rittershofer.de/ari.htm
-----------------------------------------
Hi,
> 3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools
> 4.
>
> What about FWTK from TIS?
I'm not sure. I've never used it, but I thought that FWTK is a frontend for ipchains, combined with some other features to make a system harder...

Let's have a look at www.tis.com: "The FWTK is a licensed, freely available set of tools for building internet firewalls."

But there seems to be another (private) problem: Do you trust the NSA? Network Associates works with them and TIS is merged with NA...

OK, but you're right. There are a lot of other tools out there which should be mentioned above...

Greetinx,
Oliver Grube
ar> >What about FWTK from TIS?
ar>
ar> I'm not sure. I've never used it, but I thought that FWTK is a
ar> frontend for ipchains, combined with some other features to make a
ar> system harder...

No, it's an application level gateway with proxies for every service.

ar> Do you trust the NSA?
ar> Network Associates works with them and TIS is merged with NA...

You get the source code ...

Regards, ar
Hi,
the firewall tool kit (FWTK) from Trusted Information Systems (TIS) consists of
several proxies (smtp, web, telnet, ftp, etc.) and a packet
screening/authorization application called netperm. With this tool kit you can
set up a more basic firewall *without* stateful connection inspection. For this
task you have to use third party tools and/or the enhancements of kernel 2.4.
Anyway, the tis-fwtk is very usable, reasonably safe when configured properly
and quite easy to implement.
Boris
ar> 3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools
ar> 4.
> What about FWTK from TIS?
>
> Regards, ar
Quoting bolo@lupa.de (bolo@lupa.de) on Thu, Sep 28, 2000 at 05:45:33PM +0200:
> Hi,
> the firewall tool kit (FWTK) from Trusted Information Systems (TIS) consists of several proxies (smtp, web, telnet, ftp, etc.) and a packet screening/authorization application called netperm. With this tool kit you can set up a more basic firewall *without* stateful connection inspection. For this task you have to use third party tools and/or the enhancements of kernel 2.4.
> Anyway, the tis-fwtk is very usable, reasonably safe when configured properly and quite easy to implement.
But the license makes it basically unusable for any commercial organization. Nice for home use though.

cheers
afx
--
atsec information security GmbH   Phone: +49-89-4424930
Steinstrasse 68                   Fax:   +49-89-4424931
D-81667 Muenchen, Germany         May the Source be with you!
On Thu, 28 Sep 2000, Oliver Grube wrote:
> A usable firewall does three things:
> 1. Packet filter to allow/deny IP packets from different sources
> 2. Stateful inspection to control the status of a connection
> 3. Application layer filter to filter malicious code from e-mails, www, ftp and other services
>
> 1. Use "ipchains"
> 2. Use "iptables" (kernel 2.4)
> 3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools

Well, you may use AMaViS, qmail-scanner or MIMEDefanger for e-mails, or httpf, viromat for http. See http://lavp.sourceforge.net/av-linux_e.txt (the file name is somewhat misleading, I'm afraid ...).
What is SMTPWDD? Is it the smtp store-and-forward daemon from the Obtuse Firewall?

best regards,
Rainer Link
--
Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
Quoting Rainer Link (link@suse.de) on Thu, Sep 28, 2000 at 05:46:21PM +0200:
> On Thu, 28 Sep 2000, Oliver Grube wrote:
> ...
> > 3. Use Squid for proxy, SuSE's ftp-proxy, SMTPWDD, AVP and other tools
> ...
> What is SMTPWDD? Is it the smtp store-and-forward daemon from the Obtuse Firewall?
Yup, it is shipped with SuSE Linux..

cheers
afx
participants (7)
- Andreas Rittershofer
- Andreas Siegert
- bolo@lupa.de
- Dustin Huptas
- Oliver Grube
- Rainer Link
- Ralf Koch