*BSD News Article 90023


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!newsfeeds.sol.net!mr.net!news.mr.net!cronkite.polaristel.net!news
From: rwh@visi.com (Richard Hoffbeck)
Newsgroups: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Subject: Re: Free firewall?
Date: Mon, 24 Feb 1997 11:29:17 -0600
Organization: MWCIA
Lines: 39
Message-ID: <MPG.d7b8be3fa8696d2989681@fw2.mwcia.org>
References: <330333EF.48C8@usa.net> <3304B369.65DB687B@ibm.net> <5e4ge9$3f4$1@news.crocker.com>
NNTP-Posting-Host: fw2.mwcia.org
X-Newsreader: Anawave Gravity v1.10.556
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:160832 comp.os.linux.networking:69802 comp.unix.bsd.freebsd.misc:36044

In article <5e4ge9$3f4$1@news.crocker.com>, matthew@crocker.com says...
> Jan Walter (jnwal@ibm.net) wrote:
> 
> 
> : Then all you have to is set up FreeBSD or Linux as a router and mail
> : (POP3) server and leave it be.
> 
> It is not recommended to run applications on the firewall.  Sendmail has security
> holes which can be exploited to gain root access on the firewall itself.
> Once somebody has root access at the firewall they can tear it down pretty
> easily.

It all depends on what root is allowed to do on the firewall.  If the 
firewall won't accept incoming ftp, telnet/rlogin, etc. connections it 
makes root access a bit less useful.  Especially if there aren't any 
interesting tools available like a c compiler, perl, etc.

On the other hand there are some configuration issues that make the 
firewall a convenient place for sendmail.  It saves the hassle of 
configuring multiple dns servers to serve the world/firewall/internal-net 
since the firewall can see both the internal dns and use external name 
servers.

> 
> Don't run inetd, any rpc.* or portmapper on the firewalling box.  Put your
> mail server behind the firewall and redirect port 25 on the firewall to that
> box.  Set it so that the only way to get into the firewall is by sitting at
> the console.

Passing port 25 through your firewall to an internal server running 
sendmail seems a bit more open than I'd like.  I'm using smap from the 
TIS fwtk to essentially turn sendmail on the firewall into a store-and-forward 
system.  My second choice would be to run a mail server on the 
outside of the firewall that would forward mail into the internal mail 
server.  That way I could use packet filters and/or the plug-gw proxy to 
limit activity on port 25 to exchanges between the two servers rather 
than allowing the entire world access to my internal mail server.

--rick
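The packet-filter arrangement Rick describes in his second choice (an outside mail relay, an internal mail server, and port 25 permitted only between the two) can be written down as a first-match ruleset. The following is an added example, not code from the post, from the TIS fwtk, or from any firewall product: a small Python model of a stateless first-match filter with default deny, loaded with that policy and evaluated over constructed packets. All addresses and port numbers are assumptions chosen for the example (RFC 5737 and RFC 1918 ranges); `EXTERNAL_RELAY`, `INTERNAL_MAIL`, `FIREWALL`, `Packet`, `Rule`, `evaluate` and `audit` are names invented here.

```python
"""Illustrative first-match packet-filter model (added example; not code from
the original post or from any firewall product).  It encodes the policy Rick
describes: port 25 traffic is allowed only between a mail relay outside the
firewall and the internal mail server, the firewall itself accepts no
ftp/telnet/rlogin, and everything else is denied by default.
All addresses below are constructed placeholders (RFC 5737 / RFC 1918)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (assumptions for the example, not from the post).
EXTERNAL_RELAY = "203.0.113.25"    # mail server on the outside of the firewall
INTERNAL_MAIL = "192.168.1.25"     # internal mail server behind the firewall
FIREWALL = "203.0.113.1"           # the firewall's own outside address
INTERNAL_NET = "192.168.0.0/16"

SMTP, FTP, TELNET, RLOGIN = 25, 21, 23, 513


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # host, CIDR, or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None matches every source port
    dport: Optional[int] = None  # None matches every destination port


def _addr_matches(spec: str, addr: str) -> bool:
    # A bare host address becomes a /32 network, so one helper covers both.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The policy from the post, in rule order (order matters for first-match).
RULES = [
    # The firewall itself refuses interactive logins from anywhere.
    Rule("deny", dst=FIREWALL, dport=FTP),
    Rule("deny", dst=FIREWALL, dport=TELNET),
    Rule("deny", dst=FIREWALL, dport=RLOGIN),
    # SMTP only between the outside relay and the internal mail server,
    # in both directions; the sport=25 rules admit the reply half of each
    # connection, which a stateless filter must allow explicitly.
    Rule("allow", src=EXTERNAL_RELAY, dst=INTERNAL_MAIL, dport=SMTP),
    Rule("allow", src=INTERNAL_MAIL, dst=EXTERNAL_RELAY, sport=SMTP),
    Rule("allow", src=INTERNAL_MAIL, dst=EXTERNAL_RELAY, dport=SMTP),
    Rule("allow", src=EXTERNAL_RELAY, dst=INTERNAL_MAIL, sport=SMTP),
    # Nobody else on the Internet reaches port 25 inside (explicit for clarity;
    # the default deny in evaluate() would catch it anyway).
    Rule("deny", dst=INTERNAL_NET, dport=SMTP),
]


def audit(ruleset: List[Rule], packets: List[Packet]) -> List[str]:
    """Decision for each constructed packet, in order."""
    return [evaluate(ruleset, p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet(EXTERNAL_RELAY, INTERNAL_MAIL, 40001, SMTP),   # relay delivers mail inward
        Packet("198.51.100.7", INTERNAL_MAIL, 40002, SMTP),   # stranger tries the inside server
        Packet("198.51.100.7", FIREWALL, 40003, TELNET),      # telnet to the firewall
        Packet(INTERNAL_MAIL, EXTERNAL_RELAY, 40004, SMTP),   # outbound mail to the relay
    ]
    for pkt, verdict in zip(samples, audit(RULES, samples)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The point the model makes visible is the one in the post: with the relay in place, the only path to port 25 on the internal server is from one known host, and an arbitrary Internet address trying the same port falls through to deny. Because the filter is stateless, the reply direction (source port 25 back to the peer) has to be permitted by its own rule, which is the kind of detail a proxy such as plug-gw or a stateful filter would handle for you.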