*BSD News Article 89864


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!psinntp!news.nstn.ca!bignews.cycor.ca!opentext.com!yank.kitchener.on.ca!not-for-mail
From: richw@yank.kitchener.on.ca (Rich Wales)
Newsgroups: comp.unix.bsd.freebsd.misc,comp.os.linux.misc,comp.os.linux.networking
Subject: Re: Free firewall?
Date: 22 Feb 1997 18:33:19 -0500
Organization: Opinions expressed in this posting are mine alone
Lines: 20
Sender: richw@bajor.opentext.com
Message-ID: <19970222231626.richw@yank.kitchener.on.ca>
References: <330333EF.48C8@usa.net> <3304B369.65DB687B@ibm.net> <5e4ge9$3f4$1@news.crocker.com>
NNTP-Posting-Host: opengate.opentext.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:35925 comp.os.linux.misc:160436 comp.os.linux.networking:69588

matthew@crocker.com (Matthew S. Crocker) wrote:

	It is not recommended to run applications on the firewall.
	Sendmail has security holes which can be exploited to gain
	root access on the firewall itself. . . .  Put your mail
	server behind the firewall and redirect port 25 on the
	firewall to that box.

Hmmm.  That would seem, to me, to be even worse than running Sendmail
on your firewall bastion machine -- because an intruder could exploit
holes in Sendmail to gain access on your internal network, without
having to break into your firewall bastion host.

I'd suggest running a stripped-down SMTP front-end server (such as the
"smap" program from the TIS Firewall Toolkit) on the firewall bastion
host.  This way, intruders never get a chance to access the SMTP server
functions of Sendmail.  (Incoming messages, spooled up by "smap", are
passed off in the background to Sendmail by the "smapd" daemon program.)

Rich Wales    richw@yank.kitchener.on.ca    http://www.webcom.com/richw/
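An added example of the store-and-forward design described in the post,
written for this archive page; it is not code from the post, from the TIS
Firewall Toolkit, or from sendmail.  The front end (the "smap" role) speaks
only the handful of SMTP verbs needed to accept a message, writes each one
to a spool directory, and refuses everything else; a separate pass (the
"smapd" role) hands spooled messages to the real MTA, which here is a
caller-supplied callable by assumption.  The host name, the line and
message-size caps, the address grammar, and the spool file layout are all
constructed for the example.

```python
import os
import re
import tempfile
import uuid

MAX_LINE = 1000  # RFC 821 line limit, enforced strictly (constructed cap)
# Deliberately narrow address syntax; anything else is refused, never passed on.
ADDR_RE = re.compile(r"^<([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+|)>$")


def parse_address(arg, keyword):
    """'FROM:<a@b>' -> 'a@b'; '<>' (null sender) -> ''; anything else -> None."""
    if not arg.upper().startswith(keyword):
        return None
    m = ADDR_RE.match(arg[len(keyword):].strip())
    return m.group(1) if m else None


class SpoolingSmtpFrontEnd:
    # smap role: speak just enough SMTP to accept a message and spool it.
    def __init__(self, spool_dir=None, hostname="bastion.example"):
        self.spool_dir, self.hostname = spool_dir or tempfile.mkdtemp(prefix="smap-"), hostname
        self._reset()

    def _reset(self, reply=None):
        # Drop any half-built transaction (and DATA mode); pass the reply through.
        self.in_data = False
        self.sender, self.rcpts, self.body, self.body_len = None, [], [], 0
        return reply

    def handle_line(self, raw):
        """One CRLF-terminated client line -> reply, or None while inside DATA."""
        if len(raw) > MAX_LINE or not raw.isascii():
            return self._reset("500 Line too long or not ASCII")  # discards DATA too
        line = raw.decode("ascii").rstrip("\r\n")
        return self._data_line(line) if self.in_data else self._command(line)

    def _data_line(self, line):
        if line == ".":
            self._write_spool()
            return self._reset("250 Message accepted for delivery")
        line = line[1:] if line.startswith(".") else line  # RFC 821 dot-unstuffing
        self.body_len += len(line) + 2
        if self.body_len > 1_000_000:  # constructed cap on message size
            return self._reset("552 Message too large")
        self.body.append(line)

    def _command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._reset(f"250 {self.hostname}")
        if verb == "MAIL":
            addr = parse_address(arg, "FROM:")
            if addr is None:
                return "501 Syntax error in sender address"
            self._reset()
            self.sender = addr
            return "250 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            addr = parse_address(arg, "TO:")
            if not addr:
                return "501 Syntax error in recipient address"
            self.rcpts.append(addr)
            return "250 Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        # VRFY, EXPN, HELP, TURN and old sendmail's DEBUG/WIZ do not exist here.
        return "502 Command not implemented"

    def _write_spool(self):
        # Temp name, then atomic rename: the delivery pass never sees a partial file.
        name = uuid.uuid4().hex
        tmp = os.path.join(self.spool_dir, "tmp." + name)
        with open(tmp, "w", encoding="ascii", newline="") as f:
            f.write(f"FROM:{self.sender}\r\n" + "".join(f"RCPT:{r}\r\n" for r in self.rcpts))
            f.write("\r\n" + "".join(l + "\r\n" for l in self.body))
        os.rename(tmp, os.path.join(self.spool_dir, "msg." + name))


def run_session(front, client_lines):
    # Drive the front end with a scripted client; returns every reply sent.
    replies = [f"220 {front.hostname} SMTP front end ready"]
    for raw in client_lines:
        reply = front.handle_line(raw)
        if reply is not None:
            replies.append(reply)
    return replies


def deliver_spool(spool_dir, deliver):
    """smapd role: hand each spooled message to the MTA (here a callable, by
    assumption), unlink it once accepted, and return the number delivered."""
    names = sorted(n for n in os.listdir(spool_dir) if n.startswith("msg."))
    for name in names:
        path = os.path.join(spool_dir, name)
        with open(path, encoding="ascii", newline="") as f:
            envelope, _, body = f.read().partition("\r\n\r\n")
        hdrs = envelope.split("\r\n")
        deliver(hdrs[0][len("FROM:"):], [h[len("RCPT:"):] for h in hdrs[1:]], body)
        os.unlink(path)
    return len(names)
```

The point of the split is what the front end does not do: there is no
address rewriting, no alias or .forward handling, no local delivery, and
no code path at all for verbs it does not implement, so a client sending
VRFY, EXPN or the old DEBUG/WIZ commands gets a 502 and nothing runs.
Everything that can parse or expand an address happens later, in the
delivery pass, on a message that is already sitting in a file.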