Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Openssh + security
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Wed, 14 Dec 2005 10:41:50 -0800
  • Message-id: <43A0676E.4030306@xxxxxxxxxx>
Bruno Cochofel wrote:
> Ok, let's say I'll put a firewall PC on my network...
> I have to create a masquerade rule to let the internet access my intranet
> web server right?
> (By the way, trying to find out how to do that under yast but don't get the
> difference between the option Source network and requested IP, so if someone
> helps me on this I appreciate... There are several options to create a rule so
> please elucidate me)
Yes, that is an advanced firewall configuration, and it doesn't surprise
me if it isn't easy.

> Doesn't this rule open a hole in my intranet security if, let's say, my web
> server gets compromised?
Yes it does.

The usual "enterprise" way to address that is with an elaborate network,
which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ
network populated with publicly routable servers such as your web
server, an inner firewall that does do NAT, and finally your local LAN.
Machines in the DMZ are more vulnerable, but that's fairly ok because
your really important stuff is behind the 2nd firewall.

The minimal-number-of-machines approach requires that you either
configure the masquerade rule you mentioned, or host the web server
on the gateway machine. The latter is just as horrible for the security
of your firewall as is running X on your firewall. Unless you use
AppArmor :)

Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
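The DMZ layout described above, collapsed onto a single gateway with three interfaces (WAN, DMZ, LAN), as an added nftables example that is not part of the thread: public web traffic is port-forwarded to a DMZ host, the LAN is masqueraded outbound, and the DMZ cannot initiate connections toward the LAN, so a compromised web server does not get a path into the intranet. Interface names and the web server address are assumptions.

```shell
#!/bin/sh
# Constructed example: three-legged gateway. Interface names and the
# web server address below are placeholders (assumed values).
WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
WEB_SERVER=${WEB_SERVER:-192.0.2.10}   # DMZ web server (TEST-NET placeholder)

# Emit a complete nftables ruleset for the gateway.
gen_dmz_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    iifname $LAN_IF tcp dport 22 accept          # admin SSH from the LAN only
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname $LAN_IF oifname $WAN_IF accept        # LAN may reach the internet
    iifname $LAN_IF oifname $DMZ_IF ip daddr $WEB_SERVER tcp dport { 22, 80 } accept
    # Internet -> DMZ web server only, and only after the DNAT below rewrote daddr
    iifname $WAN_IF oifname $DMZ_IF ip daddr $WEB_SERVER tcp dport 80 ct state new accept
    # DMZ -> internet restricted to what a web host needs (package updates)
    iifname $DMZ_IF oifname $WAN_IF tcp dport { 80, 443 } accept
    # No rule matches DMZ -> LAN: it falls through to policy drop
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname $WAN_IF tcp dport 80 dnat to $WEB_SERVER   # the "masquerade rule" for inbound web
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname $WAN_IF masquerade                          # LAN and DMZ hide behind the WAN address
  }
}
EOF
}

# Syntax-check the ruleset with nft when available (no rules are loaded);
# returns 0 if the ruleset parses or if nft is not installed.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_dmz_ruleset | nft -c -f -
  else
    gen_dmz_ruleset >/dev/null
  fi
}
```

Load for real with `gen_dmz_ruleset | nft -f -` once `check_ruleset` passes; the DNAT line is the rule the original question asks about, and the forward chain is what keeps it from becoming a hole into the LAN.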
