Re: [SLUG] Firewall latency

From: Matt Miller (Matthew.Miller@wellcare.com)
Date: Wed Jul 07 2004 - 13:45:47 EDT


On Wed, 2004-07-07 at 12:32, Ronan Heffernan wrote:
> I am looking at adding some security (iptables and snort) to my
> network. I have several questions and problem-domains; if anyone has
> answers or experience with this, please pipe up.
<snip>
> messages?) Yes, this question exposes the fact that my boxen are not
> behind a single firewall. I am trying to avoid an expensive firewall
> (e.g. Cisco 535 = $21k) by running IPTables on each of the 6 machines
> that need to be protected.

Ronan,
This really does not come close to addressing all your questions, but I
would like to make a suggestion:

Why not build a single IPTables box with multiple interfaces - one for
the private net, one for the public net and one for a DMZ of sorts?

For example:

                        [Internet] (Pub Net)
                            |
                            |
                        [Firewall] (IPTables box)
                           / \
                          /   \
                  [DMZ Net]   [Priv Net]

You build a single set of IPTables rules which restrict/allow traffic
based on interface/network/service, etc. You create rulesets for all the
various possible traffic conditions.
Take mail relays as an example - you place these relays on a DMZ net.
You want external hosts to connect to SMTP to receive mail from the
outside world and possibly you want your internal mail servers on your
private net to access SMTP as well to relay outgoing mail. So, you
create a default rule that all traffic to these host(s) is dropped with
the exception of connections to tcp port 25. 0.0.0.0/0 (or 0/0 for
short) will be allowed to connect from the public interface only to port
25 on these hosts, while a specific IP (10.1.0.125) on your private net
only when originating from the private interface also has access to port
25.

You could put IDS on your firewall, or hook it in through the public
net.

Just another angle...

Matt
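The DMZ mail-relay ruleset Matt sketches, written out as an added example script (not from the original thread). Interface names, the relay address 192.0.2.25 and the dry-run default are assumptions; 10.1.0.125 is the private mail server named in the post.

```shell
#!/bin/sh
# Added example: iptables FORWARD rules for a mail relay on the DMZ.
# Interface names and the relay address are assumed values.
PUB_IF=eth0              # public / Internet interface
DMZ_IF=eth1              # DMZ interface
PRIV_IF=eth2             # private network interface
RELAY=192.0.2.25         # assumed DMZ mail relay (documentation range)
INTERNAL_MX=10.1.0.125   # private mail server from the post

# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables (as root) to actually load the rules.
IPT=${IPT:-"echo iptables"}

relay_rules() {
    # Default: anything the firewall is asked to forward is dropped
    # unless a rule below explicitly allows it.
    $IPT -P FORWARD DROP

    # Replies to already-accepted connections may flow back.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 0/0 (anyone) arriving on the public interface may reach tcp/25
    # on the relay, and nothing else.
    $IPT -A FORWARD -i "$PUB_IF" -o "$DMZ_IF" -s 0/0 -d "$RELAY" \
         -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Only the internal mail server, and only when it arrives on the
    # private interface, may open SMTP to the relay for outgoing mail.
    $IPT -A FORWARD -i "$PRIV_IF" -o "$DMZ_IF" -s "$INTERNAL_MX" -d "$RELAY" \
         -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Everything else aimed at the relay falls through to the DROP policy;
    # log a rate-limited sample so dropped probes show up in syslog/IDS.
    $IPT -A FORWARD -o "$DMZ_IF" -d "$RELAY" -m limit --limit 5/min \
         -j LOG --log-prefix "DMZ-RELAY-DROP: "
}

# Self-check helper: how many ACCEPT rules open port 25 (expect exactly 2).
count_smtp_accepts() {
    relay_rules | grep -c -- '--dport 25 .*-j ACCEPT'
}

relay_rules
```

Run it once without IPT set to review the generated rules, then with IPT=iptables to apply them; the relay itself still needs its own INPUT policy since these rules only govern forwarded traffic.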
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.