Re: [pmfirewall] Help... Could someone here give me some security tips?


From: Alan Murrell (alanm@vcn.bc.ca)
Date: Sat Mar 10 2001 - 16:55:05 PST


Hi El Cid!

> firewall, and I am debating whether BIND should be behind a firewall, even
> though it's an external DNS server. Got a little question for you guys. I

Well, one solution that I find is good for external servers is to run the
PMFirewall script on the server that the services are on. This still
protects the server while not having to worry about setting up another
firewall, etc.

I currently have an external WWW server (and BIND for primary DNS) and a
separate external mail server (and BIND for secondary DNS). My internal
network is masq'd behind a firewall using PMFirewall. I have PMFirewall on
each of my two external servers, without having to use a separate firewall
machine. This is quite an adequate situation, but by no means the only
solution. My WWW server, for instance, allows ports 80 (HTTP), 8080
(HTTPS), 21 (FTP - need to upload the website files!) and 53 (DNS).
Everything else is blocked. My mail server allows 25 (SMTP), 110 (POP3) and
53 (DNS). I don't offer IMAP... yet :-)

Another possibility is to have the same firewall protecting the internal
network and your DNS server, with your DNS server being in the
"Demilitarized Zone". I'd still recommend having "customized" firewalls
protecting them, however.

> know you can have "SOME" protection by disabling certain ICMP attacks such
> as PING commands to your web/mail/dns server. I just don't have the details
> on how to implement such a thing. Also, is it a good idea to do so? The other

You just DENY or REJECT the appropriate ICMP-type (I can't recall the
number-type for PING offhand). I still tend to allow PING, however, since
it's a good way to test whether or not there is still connectivity, or
allows me to be alerted if a server goes down.

> little question "promise!" is: since PMfirewall is catching and denying
> hackers' attacks on port 111, no further groundwork needs to be done? I

Correct. As long as the "requests" are being denied, you don't have to
worry about it. Something else you may want to think about is having all
the machines that are accessible to the outside (i.e., your firewall/router;
DNS server; etc.) also log to another machine. That way, at the very least,
you'll be able to see "patterns" of attack that you may not be able to see
if you looked at the logs individually. Besides, it's easier and less
time-consuming to look at one set of logs and note things than to look at
2-3+ sets of logs!

Just some food for thought.

--
Alan Murrell alanm@vcn.bc.ca
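Alan's point about forwarding every exposed machine's firewall log to one loghost is that cross-host "patterns" only show up in the combined view. The script below is an added example (not from this post or from PMFirewall) that reads constructed syslog lines from three assumed hosts (fw, www, mail) whose "Packet log:" part follows the ipchains kernel log layout, and reports each source address that was denied on more than one host; the addresses and hostnames are made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: denied-packet lines as they would arrive at a central
# loghost from three hosts. The "Packet log:" fields follow the ipchains
# kernel log layout (chain, verdict, interface, PROTO, src:port, dst:port).
SAMPLE_LOGS = """\
Mar 10 16:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3421 192.0.2.1:111 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#7)
Mar 10 16:01:13 www kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3422 192.0.2.2:111 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#7)
Mar 10 16:01:15 mail kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3423 192.0.2.3:111 L=60 S=0x00 I=3 F=0x4000 T=48 SYN (#7)
Mar 10 16:02:40 www kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:5000 192.0.2.2:23 L=60 S=0x00 I=4 F=0x4000 T=52 SYN (#7)
Mar 10 16:03:01 mail kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:5001 192.0.2.3:53 L=60 S=0x00 I=5 F=0x4000 T=52 (#7)
"""

# syslog timestamp, reporting host, then the ipchains packet-log fields
LOG_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) kernel: Packet log: (?P<chain>\S+) "
    r"(?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(lines):
    """Yield one dict per parseable packet-log line; other lines are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def cross_host_sources(lines, min_hosts=2):
    """Return {src_ip: [(host, dport), ...]} for every source that was
    denied or rejected on at least min_hosts distinct hosts. A single
    server's log can never show this; only the merged loghost view can."""
    seen = defaultdict(set)
    for rec in parse(lines):
        if rec["verdict"] in ("DENY", "REJECT"):
            seen[rec["src"]].add((rec["host"], rec["dport"]))
    return {src: sorted(pairs) for src, pairs in seen.items()
            if len({host for host, _ in pairs}) >= min_hosts}


if __name__ == "__main__":
    for src, hits in cross_host_sources(SAMPLE_LOGS).items():
        print(src, "->", ", ".join(f"{h}:{p}" for h, p in hits))
```

On a real loghost you would feed the script the merged syslog file instead of SAMPLE_LOGS; a source that walks port 111 across every host, as in the first three lines, is exactly the pattern that is invisible when each box is checked on its own.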




This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:40:32 PDT