Well, AppArmor is out of the question, not freeware (sorry Crispin...). Let me clear up:

A) I have a firewall/router/ADSL with 4 hub ports connecting to the internet.
B) I need a web server and an SSH server.
C) I also have a 5-port switch.
D) I have a laptop to use in my intranet and also an old Pentium MMX 200MHz.

At the moment I have my "server" with 2 NICs, one connected to the router and the other to the switch (my intranet), and all of the firewall, web server, SSH server and noip account work under this "server". I also have aMule always running on this (ok, I've learned this is bad...). This "server" has SuSEfirewall2 running also and does IP forwarding to my intranet. It's a DNS, DHCP, LDAP, MySQL, PostgreSQL server, but just for my intranet. What can I do with this?

Crispin Cowan wrote:
Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under YaST but don't get the difference between the options "Source network" and "Requested IP", so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.)
Yes, that is an advanced firewall configuration, and it doesn't surprise me if it isn't easy.
Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?
Yes it does.
The usual "enterprise" way to address that is with an elaborate network, which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ network populated with publicly routable servers such as your web server, an inner firewall that does do NAT, and finally your local LAN. Machines in the DMZ are more vulnerable, but that's fairly ok because your really important stuff is behind the 2nd firewall.
The minimal-number-of-machines approach requires that you either configure the masquerade rule you mentioned, or host the web server on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Crispin
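As an added illustration (not from either poster, and not SuSEfirewall2/YaST syntax), here is the port-forward Bruno asks about together with the FORWARD restrictions that limit the hole Crispin confirms it opens, written as a plain iptables-restore ruleset; the interface names, the web server address and the LAN range are assumptions.

```shell
#!/bin/sh
# Constructed example: two-NIC gateway that publishes an intranet web server.
# Interface names and addresses below are assumptions, not values from the thread.
EXT_IF="${EXT_IF:-eth0}"          # NIC facing the ADSL router
INT_IF="${INT_IF:-eth1}"          # NIC facing the intranet switch
WEB_IP="${WEB_IP:-192.168.1.10}"  # intranet web server (constructed address)
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the complete ruleset; apply on the gateway with: gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-forward: inbound HTTP arriving on the external NIC goes to the web server
-A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# Masquerade intranet hosts behind the gateway's public address
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies to connections already tracked, in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only new inbound connections allowed through: HTTP to the web server
-A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Intranet hosts may open connections outward, except the web server itself:
# a compromised server should not get a free outbound channel through the gateway
-A FORWARD -i $INT_IF -o $EXT_IF -s $WEB_IP -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated ruleset
rule_count() { gen_rules | grep -c "^-A $1 "; }
```

Because the web server shares the intranet switch, the gateway can only police traffic that passes through it; host-to-host traffic on the switch never reaches these rules, which is exactly why the separate DMZ segment Crispin describes is the stronger design.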