Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!newsfeeds.sol.net!mr.net!news.mr.net!cronkite.polaristel.net!news
From: rwh@visi.com (Richard Hoffbeck)
Newsgroups: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Subject: Re: Free firewall?
Date: Mon, 24 Feb 1997 11:29:17 -0600
Organization: MWCIA
Lines: 39
Message-ID: <MPG.d7b8be3fa8696d2989681@fw2.mwcia.org>
References: <330333EF.48C8@usa.net> <3304B369.65DB687B@ibm.net> <5e4ge9$3f4$1@news.crocker.com>
NNTP-Posting-Host: fw2.mwcia.org
X-Newsreader: Anawave Gravity v1.10.556
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:160832 comp.os.linux.networking:69802 comp.unix.bsd.freebsd.misc:36044

In article <5e4ge9$3f4$1@news.crocker.com>, matthew@crocker.com says...
> Jan Walter (jnwal@ibm.net) wrote:
>
> : Then all you have to do is set up FreeBSD or Linux as a router and mail
> : (POP3) server and leave it be.
>
> It is not recommended to run applications on the firewall. Sendmail has security
> holes which can be exploited to gain root access on the firewall itself.
> Once somebody has root access at the firewall they can tear it down pretty
> easily.

It all depends on what root is allowed to do on the firewall. If the firewall won't accept incoming ftp, telnet/rlogin, etc. connections it makes root access a bit less useful. Especially if there aren't any interesting tools available like a C compiler, perl, etc.

On the other hand there are some configuration issues that make the firewall a convenient place for sendmail. It saves the hassle of configuring multiple DNS servers to serve the world/firewall/internal-net since the firewall can see both the internal DNS and use external name servers.

> Don't run inetd, any rpc.* or portmapper on the firewalling box. Put your
> mail server behind the firewall and redirect port 25 on the firewall to that
> box. Set it so that the only way to get into the firewall is by sitting at the console.

Passing port 25 through your firewall to an internal server running sendmail seems a bit more open than I'd like. I'm using smap from the TIS fwtk to essentially turn sendmail on the firewall into a store-and-forward system.

My second choice would be to run a mail server on the outside of the firewall that would forward mail into the internal mail server. That way I could use packet filters and/or the plug-gw proxy to limit activity on port 25 to exchanges between the two servers rather than allowing the entire world access to my internal mail server.

--rick
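As an added example that is not part of the original thread, the following sketch shows what the "second choice" above looks like as a FreeBSD ipfw ruleset: port 25 across the outside interface is permitted only between an external relay and the internal mail host, everything else aimed at port 25 is dropped and logged, and inbound ftp/telnet/rlogin to the firewall itself is refused. The addresses, the interface name and the FW variable are constructed placeholders; by default the script only prints the rules (dry run) and applies them only when FW=ipfw is set.

```shell
#!/bin/sh
# Hypothetical ipfw ruleset for a firewall with an external mail relay in
# front of it and an internal mail server behind it. All values below are
# constructed for illustration, not taken from the original post.
FW=${FW:-echo ipfw}                 # FW=ipfw applies the rules; default prints them

EXT_RELAY=${EXT_RELAY:-192.0.2.25}  # relay outside the firewall (constructed)
INT_MAIL=${INT_MAIL:-10.0.0.25}     # mail server on the internal net (constructed)
EXT_IF=${EXT_IF:-ed0}               # outside interface (constructed)

mail_rules() {
    $FW -f flush
    # packets belonging to already established TCP sessions pass either way
    $FW add 100 allow tcp from any to any established
    # only the relay may open an SMTP session to the internal mail host
    $FW add 200 allow tcp from $EXT_RELAY to $INT_MAIL 25 in via $EXT_IF setup
    # the internal mail host may open SMTP sessions only toward the relay
    $FW add 210 allow tcp from $INT_MAIL to $EXT_RELAY 25 out via $EXT_IF setup
    # any other attempt to start a port-25 session over the outside interface is logged and dropped
    $FW add 300 deny log tcp from any to any 25 via $EXT_IF setup
    # no inbound ftp, telnet or rlogin session setup over the outside interface
    $FW add 400 deny log tcp from any to any 21,23,513 in via $EXT_IF setup
    # default: drop and log whatever was not explicitly allowed above
    $FW add 65000 deny log ip from any to any
}

mail_rules
```

Run it as is to review the generated rules; run `FW=ipfw sh rc.mail-fw` (name assumed) on the firewall to install them. Because rule 200 requires both the relay's source address and the `setup` flag, the rest of the world never gets to open a connection to the internal sendmail, which is the narrowing the post is after.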