Howdy Tom,
I was delighted to find my question addressed in the FAQ:
<http://shorewall.sourceforge.net/1.2/FAQ.htm#faq2>
"2. I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External
clients can browse http://www.mydomain.com but internal clients
can't."
I wasn't so happy to see a rebuke that is very familiar:
"Having an internet-accessible server in your local network is like
raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the
Firewall, of course :-)"
This is exactly the advice that I give my customers, but for some reason
I was acting like I was exempt from it.
Thanks, Tom. You've prompted me to spend Sunday afternoon setting up a
DMZ and transferring all the public services across to it. It wasn't a
simple task, which is why I avoided it, but it's much easier to secure
now and makes the shorewall rules much easier to understand.
See? Answering "How do I..." with "Don't do that" can actually work
sometimes! :-)
--
\ "Room service? Send up a larger room." -- Groucho Marx
|
`\ |
_o__) |
bignose@zip.com.au F'print 9CFE12B0 791A4267 887F520C B7AC2E51
BD41714B
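The "third NIC and a cross-over cable" arrangement the FAQ recommends, written out as a Shorewall configuration. This is an added illustration, not the poster's configuration and not text from the Shorewall FAQ: the interface names, the 192.168.2.0/24 DMZ subnet, the server address 192.168.2.5 and the choice of policies are all assumed values, and the column headings reproduce the Shorewall 1.x tabular file layout (zones, interfaces, policy, masq, rules) as a reminder of what each field means. The security-relevant lines are the dmz -> loc policy, which is what stops a compromised public server from reaching the internal hosts, and the logging on the DROP policies, which makes any attempt by the server to talk to the local network show up in syslog.

```conf
# /etc/shorewall/zones      ZONE  DISPLAY  COMMENTS
net     Net      Internet (eth0)
loc     Local    internal workstations (eth1)
dmz     DMZ      public servers on their own NIC (eth2)

# /etc/shorewall/interfaces ZONE  INTERFACE  BROADCAST  OPTIONS
net     eth0     detect
loc     eth1     detect
dmz     eth2     detect       # extra NIC, cross-over cable to the server

# /etc/shorewall/policy     SOURCE  DEST  POLICY  LOG LEVEL
loc     net      ACCEPT
loc     dmz      ACCEPT                 # admins may reach the server
dmz     loc      DROP     info          # the whole point of the DMZ: server -> LAN is blocked and logged
dmz     net      DROP     info          # tighten or open per service the server really needs
net     all      DROP     info
all     all      REJECT   info

# /etc/shorewall/masq       INTERFACE  SUBNET
eth0    192.168.1.0/24                  # assumed internal LAN
eth0    192.168.2.0/24                  # assumed DMZ subnet

# /etc/shorewall/rules      ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# the same port-forward as the FAQ's example, but now aimed at the DMZ host
DNAT    net      dmz:192.168.2.5   tcp     80
```

With the server moved out of the loc zone, the DNAT rule no longer introduces an internet-reachable host into the same broadcast domain as the workstations; any connection the server opens towards 192.168.1.0/24 is dropped by the dmz -> loc policy and logged at `info`, which is a cheap early-warning signal worth watching in the firewall's syslog.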