hi,
I had a mail from a student in a local school(W/Africa) who needed help on a
firewall project in this flow
#Lan--Internal Firewall--- External firewall -- Internet
|
|
webserver
he has completed the External firewall using squid and iptable(NAT)
What tools and how should he go about the Internal Firewall provide
documentations if possible.
Thank you in advance
regards
--
jdee
__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience
the convenience of buying online with Shop@Netscape!
http://shopnow.netscape.com/
Get your own FREE, personal Netscape Mail account today at
http://webmail.netscape.com/
> #Lan--Internal Firewall--- External firewall -- Internet > | > | > webserverwhat purpose does the internal firewall serve? just plug everything into one firewall and write rules accordingly
ewan said:> >> #Lan--Internal Firewall--- External firewall -- Internet >> | >> | >> webserver > > > what purpose does the internal firewall serve? just plug everything > into one firewall and write rules accordinglyThere is nothing wrong with having multiple layers of firewalls. It means your haxor has several layers of security to beat - security through depth. But you can just use iptables on your internal firewall as well. No point learning new semantics :-) Alex www.bennee.com/~alex/
On Thu, 2002-05-23 at 12:58, Alex Bennee wrote:> ewan said: > > > >> #Lan--Internal Firewall--- External firewall -- Internet > >> | > >> | > >> webserver > > > > > > what purpose does the internal firewall serve? just plug everything > > into one firewall and write rules accordingly> There is nothing wrong with having multiple layers of firewalls. It means > your haxor has several layers of security to beat - security through depth.More to the point, you can tell the inner firewall to do masquerading, while the outer wall does filter-only, so your office LAN is safe where the haxor can''t even touch it until and unless he compromises the inner firewall (which you can hammer shut to Fort Knoxian levels without compromising accessibility) while the webserver (and maybe other servers as well as the need arises) are in the perimeter -- not as well defended, but accessible from the outside.> But you can just use iptables on your internal firewall as well. No point > learning new semantics :-)Other than the fact that it''s fun. :)> Alex > www.bennee.com/~alex/-- Rens Houben | opinions are mine Resident linux guru and sysadmin | if my employers have one Systemec Internet Services. |they''ll tell you themselves PGP public key at http://suzaku.systemec.nl/shadur.key.asc -- new Dec 12 2001
Why not just do a topology like this:
LAN--------------Firewall
|
|
DMZ with webserver-----+
The perimeter network approach with 2 firewalls seems
much too complex for little if any benefit.
- Greg
-----Original Message-----
From: Rens Houben [mailto:shadur@systemec.nl]
Sent: Thursday, May 23, 2002 6:11 AM
To: alex@bennee.com
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Beginner
On Thu, 2002-05-23 at 12:58, Alex Bennee wrote:> ewan said:
> >
> >> #Lan--Internal Firewall--- External firewall -- Internet
> >> |
> >> |
> >> webserver
> >
> >
> > what purpose does the internal firewall serve? just plug everything
> > into one firewall and write rules accordingly
> There is nothing wrong with having multiple layers of firewalls. It means
> your haxor has several layers of security to beat - security through depth.
More to the point, you can tell the inner firewall to do masquerading,
while the outer wall does filter-only, so your office LAN is safe where
the haxor can''t even touch it until and unless he compromises the inner
firewall (which you can hammer shut to Fort Knoxian levels without
compromising accessibility) while the webserver (and maybe other servers
as well as the need arises) are in the perimeter -- not as well
defended, but accessible from the outside.
> But you can just use iptables on your internal firewall as well. No point
> learning new semantics :-)
Other than the fact that it''s fun. :)
> Alex
> www.bennee.com/~alex/
--
Rens Houben | opinions are mine
Resident linux guru and sysadmin | if my employers have one
Systemec Internet Services. |they''ll tell you themselves
PGP public key at http://suzaku.systemec.nl/shadur.key.asc -- new Dec
12 2001