hi list,

what is the more secure option to "redirect" e.g. web requests on the firewall to a DMZ web server:
- FW_FORWARD_TCP, or
- using the ipmasqadm package?

I read about the FW_FORWARD_TCP parameter in my home 7.0 firewall SuSE config. don't know the SuSEfirewall version...
are there any problems with that command?! the comment above this directive was a little bit nervous about using this... ;-)

many thanks in advance, bye,
daniel

--
GMX - The communication platform on the Internet. http://www.gmx.net
On 21-May-01 Daniel Quappe wrote:
> hi list,
> what is the more secure option to "redirect" e.g. web requests on the firewall to a DMZ web server:
> - FW_FORWARD_TCP, or
> - using the ipmasqadm package?
> I read about the FW_FORWARD_TCP parameter in my home 7.0 firewall SuSE config. don't know the SuSEfirewall version...
> are there any problems with that command?! the comment above this directive was a little bit nervous about using this... ;-)
The comments on FW_FORWARD_TCP and _UDP in /etc/rc.config.d/firewall.rc.config state that it is dangerous to use a TCP/UDP forwarding mechanism in an environment where the forwarding machine (e.g. a firewall) directly hands all the traffic from a specific IP+port over to another IP+port of a machine which is *not* in a demilitarized zone (DMZ) but part of your normal network. If you do not plan to set up a DMZ you probably should leave these _TCP and _UDP redirection things blank to lower the risk of a compromise of your whole network if your webserver should get hacked.

This also goes for ipmasqadm. With it, you can construct more flexible port forwarding/load balancing rules but run into similar troubles when used without a DMZ; port forwarding itself is no security feature, it may be part of a security strategy with dedicated servers and firewalls *without* access to your normal network. Port forwarding without certain security precautions would result in a harder-to-admin network without adding to your overall level of security.

By the way, there are protocols (like ftp) which aren't that easy to forward (at least not with ipmasqadm + unpatched kernel <=2.2.18), so you should try things before putting them into production.

However, if you have a dedicated firewall and a webserver in a DMZ or a firewall+webserver *without* access to your network I would recommend ipmasqadm because of its flexibility and (comparable) ease of use. I use it with various firewall setups of mine and only had minor troubles setting it up ;))
> many thanks in advance, bye,
> daniel
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
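The precaution Boris describes, a forwarded-to web server that cannot reach the normal network, as an added example that is not part of this thread: a POSIX shell script that emits the ipmasqadm port forward for HTTP together with the ipchains rules fencing the DMZ off from the LAN on a 2.2 kernel. All addresses are constructed, and the ipchains/ipmasqadm syntax is as I recall it for those tools, so verify it against the versions you actually run.

```shell
#!/bin/sh
# Constructed addresses (replace with your own): the firewall's external IP,
# the DMZ segment holding the web server, and the internal LAN.
FW_EXT_IP="203.0.113.10"
DMZ_NET="192.168.2.0/24"
DMZ_WEB="192.168.2.80"
LAN_NET="192.168.1.0/24"

# Emit the rule set, one command per line, in the order it must be applied
# (ipchains is first-match, so ordering is part of the policy).
build_rules() {
    # Default: nothing is forwarded unless a rule below allows it.
    echo "ipchains -P forward DENY"
    # Public HTTP on the firewall is handed to the DMZ web server
    # (ipmasqadm portfw: -L local addr/port, -R remote addr/port).
    echo "ipmasqadm portfw -a -P tcp -L $FW_EXT_IP 80 -R $DMZ_WEB 80"
    # Let the rewritten HTTP packets through to the web server only.
    echo "ipchains -A forward -p tcp -d $DMZ_WEB 80 -j ACCEPT"
    # LAN may open connections into the DMZ (administration, content push).
    echo "ipchains -A forward -s $LAN_NET -d $DMZ_NET -j ACCEPT"
    # ipchains is stateless: replies to those LAN-initiated TCP sessions come
    # back from the DMZ without SYN, so allow non-SYN packets (! -y) only.
    echo "ipchains -A forward -p tcp ! -y -s $DMZ_NET -d $LAN_NET -j ACCEPT"
    # The point of the DMZ: a compromised web server must not reach the LAN.
    # New connections (and everything non-TCP) DMZ -> LAN are denied and logged.
    echo "ipchains -A forward -s $DMZ_NET -d $LAN_NET -j DENY -l"
    # Normal masquerading for the LAN's own outbound traffic.
    echo "ipchains -A forward -s $LAN_NET -j MASQ"
}

# Apply the rules only where the tools exist; elsewhere just print them.
apply_rules() {
    if command -v ipchains >/dev/null 2>&1 && command -v ipmasqadm >/dev/null 2>&1; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_rules | while read -r cmd; do $cmd || exit 1; done
    else
        echo "ipchains/ipmasqadm not found, printing rules only:" >&2
        build_rules
    fi
}
```

Run it as root on the firewall; on any other machine it only prints the rule set for review.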