On Friday 20 August 2004 12:33, Dylan wrote:
> On Friday 20 Aug 2004 17:22 pm, John N. Alegre wrote:
>> Thanks to the help I got from the great SuSE gurus on this list I finally have my entire email system set up and debugged.
>>
>> A little about my LAN.
>>
>> I have 5 machines on the LAN. 4 of the machines POP mail from one server running SuSE Pro 9.1. This machine sends and receives mail via SMTP.
>>
>> I am now ready to set up a firewall.
>>
>> When I set up the firewall using YaST what settings do I have to make to do these things .....
>>
>> Allow the SuSE box to still send and receive mail with SMTP ...
>> Allow all the other 4 machines to send mail to the mail server over the LAN ..
>> Allow NFS to work between the 5 machines on the LAN ...
>> Allow all the other 4 machines to access a yet to be set up MySQL database over the LAN ...
>
> This very much depends on how your network is set up...
>
> does the server act as a gateway:
>
> WEB --- SERVER --- switch --- clients
>
> or are all 5 boxes directly connected to your ?ADSL router?

All 5 boxes have static IPs and are connected to a hub which is itself connected to a DSL router. I am connected 24/7. DNS is provided by an external ISP. So it is WEB--router--hub--each IP.

> if the former then you tell YaST which is the internal and which the external interface, have it only protect the external interface, and open the port for SMTP.

What does this mean and is it necessary? I know the other 4 boxes are OK with respect to internet security. I want them to connect to MySQL and NFS on the SuSE box and have SMTP "ONLY" open out on the SuSE box. That would be in addition to getting out on the SuSE box for telnet, ftp, web browser, SuSE internet updates, etc. In YaST the two choices for external and internal are the same. Either "none" or "eth-id-XX:YY:ZZ:11:33:77" (actual numbers faked but this is the format).

> To be honest, that's by far the best way to set it up - you only have one firewall to configure and it protects the whole network. Also, there is much less chance of opening unforeseen holes in making nfs and mysql available.

>> All machines are set up with static IPs and have properly configured /etc/hosts files in place. Other than mail in and out via SMTP, I want the SuSE box closed to the net.
>
> By default SuSEfirewall2 will block all incoming connections except those you explicitly allow and those which are responses to outgoing connections. I also take it that your external connection is doing NAT of some kind, which means that unless the device can associate an incoming packet with an outgoing connection it can't pass it into the network unless you have configured it to do so.
>
> In practical terms though, if all 5 boxes are connected to the ADSL router then you cannot guarantee that the server will be closed to the web as you will have to open holes in the firewall to allow your services to function.

All of the other boxes have firewalls in place. They are OS X boxes, i.e. BSD UNIX at the core and the OS X Firewall was pretty easy to put in place. From an external box the only thing I can do to those machines is ping. At some point I will open a port on one of those boxes for apache only. Apache will serve the pages but the MySQL database will be on the SuSE box.

Thank you for your continued help.

john
###################################
# John N. Alegre
###################################
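The thread leaves the reader with the idea (SuSEfirewall2 is default-deny inbound, open only SMTP to the outside, let the four LAN clients reach MySQL and NFS) but not the settings. As an added example that is not from this thread and not SUSE's own code, the script below generates the relevant /etc/sysconfig/SuSEfirewall2 lines for the flat layout John describes (DSL router, hub, five hosts, SuSE box not a gateway, so its single NIC is the "external" device). The interface name eth0, the 192.168.1.x client addresses and the port list are assumed placeholders; the variable names FW_DEV_EXT, FW_DEV_INT, FW_SERVICES_EXT_TCP and FW_TRUSTED_NETS are the real SuSEfirewall2 keys.

```shell
#!/bin/sh
# Added example, not from the thread or from SUSE: emits the SuSEfirewall2
# settings for a single-interface server that must expose SMTP to the world
# but MySQL/NFS only to four known LAN hosts.
# Interface name, addresses and ports below are constructed placeholders.

EXT_IF="eth0"      # YaST on 9.1 may show this as eth-id-<MAC>; either form is accepted
# Constructed LAN client addresses (the four OS X boxes):
CLIENTS="192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14"
# proto,port pairs the clients need: mysql, portmapper, nfsd
LAN_PORTS="tcp,3306 tcp,111 udp,111 tcp,2049 udp,2049"

# Build FW_TRUSTED_NETS: one "host,proto,port" entry per client per port,
# so nothing is opened for the whole interface (and thus the Internet).
trusted_nets() {
    out=""
    for h in $CLIENTS; do
        for pp in $LAN_PORTS; do
            out="$out $h,$pp"
        done
    done
    echo "${out# }"
}

# Print the fragment to paste into /etc/sysconfig/SuSEfirewall2.
firewall_fragment() {
    cat <<EOF
# single NIC facing the hub: treat it as the external device, no gateway role
FW_DEV_EXT="$EXT_IF"
FW_DEV_INT=""
FW_ROUTE="no"
FW_MASQUERADE="no"
# reachable from anything the router forwards: SMTP only
FW_SERVICES_EXT_TCP="smtp"
FW_SERVICES_EXT_UDP=""
# weak alternative, deliberately NOT used: FW_SERVICES_EXT_TCP="smtp mysql 111 2049"
# would hand MySQL and NFS to every packet the router lets through
# corrected: per-host, per-port trust for the four clients only
FW_TRUSTED_NETS="$(trusted_nets)"
EOF
}

firewall_fragment
```

Two caveats a practitioner should carry over. First, the five port pairs cover portmapper and nfsd only; mountd, lockd and statd pick RPC ports dynamically, so either pin them to fixed ports and add those pairs, or trust the client hosts outright (a bare "192.168.1.11" entry with no proto or port) and accept the wider exposure. Second, on this flat layout the DSL router decides what reaches the hub at all, so check its port-forwarding table forwards only TCP 25 to the SuSE box, then restart with rcSuSEfirewall2 restart and read back the result with iptables -L -n -v to confirm that only SMTP is accepted from unknown sources.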