Security Basics mailing list archives

RE: Security/Firewall question


From: Nick Nauwelaerts <nick.nauwelaerts () compu-mark com>
Date: Wed, 30 Jul 2003 09:46:58 +0200

-----Original Message-----
From: Gregg [mailto:gbtech () citlink net] 
Sent: Tuesday, July 29, 2003 10:41 AM
To: security-basics () securityfocus com
Subject: Security/Firewall question

Hi everyone!

I'm still pretty new to security and firewalls and such, and I'm having a 
problem wrapping my head around a couple of concepts. Here's what I have-

I have a stand-alone email server behind an Adsl router (with 4-port hub). 
The router is set to pass-thru (nat and firewall disabled). 1 port goes to 
a firewall device, and my LAN behind that. 1 port goes to my Email server, 
a Win2k box (hey, quit lookin at me like that). 

I've got a handful of fixed IP's to work with. Here's what I'd like to do-

Keep everything the same BUT- put an OpenBSD box in between the router and 
the email server (protect the snivelling email server). So, I builts me 
dis purty OpenBSD box from the broken bodies of mine enemies past (a Dell 
Dim XPS V350 with a bad video card). Put 2 Nics in the beast. Lovely.

Now, I have an IP from my block of 5 registered currently for my email 
server. 

I'm not certain if- 
I want to assign that IP to the OpenBSD firewall, and use NAT and/or RDR 
to pass on SMTP traffic on port 25 to the email server. Yes? No? Maybe? Am 
I a shame on my species? 
Heya,
You've got a few ways to go here.
One is placing a bridge, which runs without an IP, between the ADSL router
and your mailserver. OpenBSD bridges can still do stateful filtering with
pf, as well as most other fun options that don't require NAT.
However, I would use NAT. Give the OpenBSD box the public IP address that is
now assigned to your mailserver and set up a little private network behind
that. Only forward port 25 to the mailserver. This way all internet traffic
arrives at the OpenBSD box, which should be more secure than your Windows
machine. I'd advise you to read the excellent OpenBSD faq at
http://www.openbsd.org/faq/ and of course the pf user's guide as well -
http://www.openbsd.org/faq/pf/index.html.

An even nicer solution is to throw in a third nic in the OpenBSD box so you
can hide both your internal network behind it, and place the mailserver in a
DMZ. This will give you yet more features to play with, not in the least
traffic shaping.

// nick
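The NAT layout Nick recommends (public address on the OpenBSD box, mail server on a private network behind it, only port 25 forwarded) can be written as a short pf.conf. The ruleset below is an added example for this archive page, not configuration posted by either participant; the interface names, the private address block and the mail server address are constructed placeholders, and the syntax is the `match`/`nat-to`/`rdr-to` form used by OpenBSD 4.7 and later (the 2003-era guide linked above used separate `nat` and `rdr` rules for the same effect).

```pf
# Added example: minimal pf.conf for an OpenBSD box that fronts a single
# mail server.  Interface names and addresses are constructed placeholders.
ext_if   = "fxp0"              # NIC facing the ADSL router; carries the public IP
int_if   = "fxp1"              # NIC facing the private network behind the firewall
int_net  = "192.168.10.0/24"   # the "little private network" (assumed)
mail_srv = "192.168.10.25"     # the Win2k mail server on its private address (assumed)

set skip on lo

# Normalise fragments and drop packets claiming a source address that
# could not legitimately arrive on that interface.
match in all scrub (no-df)
antispoof log quick for { $ext_if $int_if }

# Default deny; everything dropped is logged to pflog0 for review.
block log all

# The one inbound service: SMTP to the firewall's public address is
# redirected to the mail server.  State created here also allows the
# translated packets out via $int_if.
pass in on $ext_if inet proto tcp from any to ($ext_if) port smtp \
    rdr-to $mail_srv

# Outbound from the mail server: only what a mail relay needs (SMTP
# delivery and DNS), hidden behind the firewall's public address.
# 'quick' stops evaluation so the catch-all block below cannot override.
pass out quick on $ext_if inet proto tcp from $mail_srv to any port smtp \
    nat-to ($ext_if)
pass out quick on $ext_if inet proto { tcp udp } from $mail_srv to any port domain \
    nat-to ($ext_if)

# Anything else the mail server tries to originate toward the internet is
# dropped and logged (useful if the box is ever compromised).
block out log quick on $ext_if from $mail_srv to any

# Traffic between the private network and the firewall itself.
pass in  on $int_if inet from $int_net to any
pass out on $int_if inet from any to $int_net
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without applying, so a typo in an address or interface name is caught before the live ruleset changes. Because the default is `block log all`, the pass rules are the complete list of what the firewall permits, which is the property Nick's suggestion is after: every packet from the internet terminates at the OpenBSD box first, and only SMTP ever reaches the Windows machine.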
