Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Openssh + security
  • From: Bruno Cochofel <bruno.cochofel@xxxxxxxxx>
  • Date: Wed, 14 Dec 2005 19:36:45 +0000
  • Message-id: <43A0744D.7090800@xxxxxxxxx>
Well, AppArmor is out of the question, not freeware (sorry Crispin...)
Let me clear up:

A) I have a firewall/router/adsl/4 hub ports connecting to internet.
B) I need a web server and a ssh server
C) I also have a 5 port switch
D) I have a laptop to use in my intranet and also have an old Pentium MMX
200MHz

At the moment I have my "server" with 2 NICs, one connected to the
router and the other to the switch (my intranet), and all the firewall,
web server, ssh server, noip account work under this "server". I also
have aMule always running on this (ok, I've learned this is bad...).
This "server" has SuseFirewall2 running also and does IP Forwarding to
my intranet. It's a DNS, DHCP, LDAP, MySQL, PostgreSQL Server but just
for my intranet.

What can I do with this?

Crispin Cowan wrote:

>Bruno Cochofel wrote:
>
>
>>Ok, let's say I'll put a firewall PC on my network...
>>
>>I have to create a masquerade rule to let the internet access my intranet
>>web server right?
>>(By the way, trying to find out how to do that under yast but don't get the
>>difference between the option Source network and requested IP, so if someone
>>helps me on this I'd appreciate it... There are several options to create a rule so
>>please elucidate me)
>>
>Yes, that is an advanced firewall configuration, and it doesn't surprise
>me if it isn't easy.
>
>>Doesn't this rule open a hole in my intranet security if, let's say, my web
>>server gets compromised?
>>
>Yes it does.
>
>The usual "enterprise" way to address that is with an elaborate network,
>which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ
>network populated with publicly routable servers such as your web
>server, an inner firewall that does do NAT, and finally your local LAN.
>Machines in the DMZ are more vulnerable, but that's fairly ok because
>your really important stuff is behind the 2nd firewall.
>
>The minimal-number-of-machines approach requires that you either
>configure the masquerade rule you mentioned, or host the web server
>on the gateway machine. The latter is just as horrible for the security
>of your firewall as is running X on your firewall. Unless you use
>AppArmor :)
>
>Crispin
>
>
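As an added example, not part of this thread and not SuSEfirewall2's own code: a shell script that generates the iptables ruleset for the "minimal number of machines" layout Crispin describes, collapsing his outer firewall, DMZ and inner NAT firewall onto the one gateway box. It contains the port-forward (DNAT) rule Bruno asks about and a FORWARD policy that closes the hole he worries about, by giving the web server its own NIC and segment and refusing any connection it tries to open into the intranet. The interface names (eth0, eth1, eth2) and addresses (192.168.1.0/24, 10.0.1.0/24, 10.0.1.2) are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for one gateway box
# with three NICs, giving the web server its own segment (a DMZ) so that the
# port-forward does not expose the intranet if the web server is compromised.
# All interface names and addresses are assumed placeholders.
EXT_IF=eth0                 # NIC towards the ADSL router (assumed)
INT_IF=eth1                 # NIC towards the 5-port switch / laptop (assumed)
DMZ_IF=eth2                 # NIC towards the web server only (assumed)
LAN_NET=192.168.1.0/24      # intranet (assumed)
DMZ_NET=10.0.1.0/24         # web server segment (assumed)
WEB_IP=10.0.1.2             # web server (assumed)

# Dry run by default: the rules are printed, not loaded.
# Run as root with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

gen_rules() {
    # Default deny for routed traffic; the gateway's own services are handled in INPUT.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F

    # Intranet and DMZ go out to the Internet behind the gateway's public address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # The "masquerade rule" from the thread: inbound TCP/80 is redirected to the web server.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP":80

    # Replies to connections accepted by the rules below.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # From the Internet, only new connections to the web server's HTTP port
    # (after DNAT the destination seen by FORWARD is already WEB_IP).
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # The DMZ must never open connections into the intranet: log, then drop.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m state --state NEW \
        -j LOG --log-prefix "dmz-to-lan: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP

    # The intranet may reach the Internet and the web server freely.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # The web server may fetch updates over HTTP/HTTPS; nothing else leaves the DMZ.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT

    # The gateway's intranet-only services (LDAP, MySQL, PostgreSQL, DHCP) are not
    # offered to the DMZ: only DNS is answered on that NIC, everything else is dropped.
    $IPT -A INPUT -i "$DMZ_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$DMZ_IF" -j DROP
}

gen_rules
```

The dedicated DMZ NIC is the part that matters: if the web server sits on the same 5-port switch as the laptop, its packets to the laptop never pass through the gateway, and no FORWARD rule can stop them. In SuSEfirewall2 terms the same layout is the FW_DEV_EXT / FW_DEV_DMZ / FW_DEV_INT interface assignment with FW_ROUTE and FW_MASQUERADE set to "yes", and the DNAT line corresponds to an FW_FORWARD_MASQ entry whose fields are source network, target IP, protocol and port (for example 0/0,10.0.1.2,tcp,80 with the placeholder address above); the "source network" there is the first field, i.e. who is allowed to reach the forwarded port.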