#! rnews 1840 bsd
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!psinntp!news.nstn.ca!bignews.cycor.ca!opentext.com!yank.kitchener.on.ca!not-for-mail
From: richw@yank.kitchener.on.ca (Rich Wales)
Newsgroups: comp.unix.bsd.freebsd.misc,comp.os.linux.misc,comp.os.linux.networking
Subject: Re: Free firewall?
Date: 22 Feb 1997 18:33:19 -0500
Organization: Opinions expressed in this posting are mine alone
Lines: 20
Sender: richw@bajor.opentext.com
Message-ID: <19970222231626.richw@yank.kitchener.on.ca>
References: <330333EF.48C8@usa.net> <3304B369.65DB687B@ibm.net> <5e4ge9$3f4$1@news.crocker.com>
NNTP-Posting-Host: opengate.opentext.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:35925 comp.os.linux.misc:160436 comp.os.linux.networking:69588

matthew@crocker.com (Matthew S. Crocker) wrote:

> It is not recommended to run applications on the firewall. Sendmail has security holes which can be exploited to gain root access on the firewall itself. . . . Put your mail server behind the firewall and redirect port 25 on the firewall to that box.

Hmmm. That would seem, to me, to be even worse than running Sendmail on your firewall bastion machine -- because an intruder could exploit holes in Sendmail to gain access on your internal network, without having to break into your firewall bastion host.

I'd suggest running a stripped-down SMTP front-end server (such as the "smap" program from the TIS Firewall Toolkit) on the firewall bastion host. This way, intruders never get a chance to access the SMTP server functions of Sendmail. (Incoming messages, spooled up by "smap", are passed off in the background to Sendmail by the "smapd" daemon program.)

Rich Wales richw@yank.kitchener.on.ca http://www.webcom.com/richw/
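
The front-end arrangement described in the post above, sketched as an added example (not part of the original post and not the TIS Firewall Toolkit's code): an acceptor that speaks only a handful of SMTP verbs, validates envelope addresses, and spools each message to a file for a separate delivery process. The `accept` and `spool` names, the spool file layout, the address pattern and the limits are assumptions made for this sketch.

```python
import re
import tempfile

# Constructed policy for this sketch; none of it is taken from smap itself.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "QUIT"}
MAX_LINE = 1000
ADDR = re.compile(r"^(FROM|TO):\s*<([A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*)>$", re.I)

def spool(spool_dir, sender, rcpts, body):
    """Write envelope and body to a new 0600 file for a separate delivery process."""
    fd, path = tempfile.mkstemp(prefix="smap-", dir=spool_dir)
    with open(fd, "w") as f:
        f.write("FROM %s\n" % sender)
        f.writelines("RCPT %s\n" % r for r in rcpts)
        f.write("\n" + "\n".join(body) + "\n")
    return path

def accept(lines, spool_dir):
    """Run one session over CRLF-stripped client lines; return (replies, spooled)."""
    sender, rcpts, body, in_data = None, [], [], False
    replies, spooled = [], []
    for line in lines:
        if len(line) > MAX_LINE:
            replies.append("500 line too long")
        elif in_data and line != ".":
            body.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
        elif in_data:
            spooled.append(spool(spool_dir, sender, rcpts, body))
            sender, rcpts, body, in_data = None, [], [], False
            replies.append("250 message queued")
        else:
            verb, _, arg = line.partition(" ")
            verb, m = verb.upper(), ADDR.match(arg.strip())
            if verb not in ALLOWED:  # VRFY, EXPN, DEBUG, ... are never passed on
                replies.append("500 command not recognized")
            elif verb == "MAIL" and m and m.group(1).upper() == "FROM":
                sender, rcpts = m.group(2), []
                replies.append("250 sender ok")
            elif verb == "RCPT" and m and m.group(1).upper() == "TO" and sender:
                rcpts.append(m.group(2))
                replies.append("250 recipient ok")
            elif verb == "DATA" and rcpts:
                in_data = True
                replies.append("354 end with a single dot")
            elif verb in ("HELO", "QUIT"):  # the caller closes the connection on 221
                replies.append("221 bye" if verb == "QUIT" else "250 hello")
            else:
                replies.append("501 bad syntax or sequence")
    return replies, spooled
```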