Randy Millis
2002-Dec-31 21:30 UTC
[Shorewall-users] Big Brother with Shorewall loc dmz zones?
How would I use Big Brother with Shorewall and my loc and dmz zones to monitor hosts in both zones?

If Big Brother's server is on my LAN (loc) is it "safe" to forward the bb port from the dmz to the LAN? What would the security risks of this be?

Common sense says that it may not be a good idea to forward stuff from the dmz to the LAN, but I'm inexperienced and unsure about this.

Or am I forced to put the Big Brother Server in the DMZ and have the Big Brother clients on the LAN forward their status to it?

Thanks
Cowles, Steve
2003-Jan-01 07:36 UTC
[Shorewall-users] Big Brother with Shorewall loc dmz zones?
> -----Original Message-----
> From: Randy Millis
> Sent: Tuesday, December 31, 2002 11:30 PM
> Subject: [Shorewall-users] Big Brother with Shorewall loc dmz zones?
>
> How would I use Big Brother with Shorewall and my loc and dmz zones to
> monitor hosts in both zones?
>
> If Big Brother's server is on my LAN (loc) is it "safe" to
> forward the bb port from the dmz to the LAN? What would the
> security risks of this be?
>
> Common sense says that it may not be a good idea to forward
> stuff from the dmz to the LAN, but I'm inexperienced and unsure
> about this.
>
> Or am I forced to put the Big Brother Server in the DMZ and
> have the Big Brother clients on the LAN forward their status to it?

There is always a risk involved anytime you open/forward a port from one zone to the other. In my case, I had to implement BB based on the fact I'm running shorewall on a Bering system which (as far as I can tell) does not support running BB (server or client). So I had to open a BB port from my dmz->loc zone. Although I do restrict its output to the BBDISPLAY...

ACCEPT dmz loc:192.168.9.3 tcp bigbrother

The only other option (a little more secure) would be to configure BB running on your shorewall box to act as a BBRELAY between the zones.

Steve Cowles
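As an added illustration, not part of the thread or of Shorewall itself: a small audit script that reads Shorewall rules lines in the classic ACTION / SOURCE / DEST / PROTO / DEST PORT column layout and flags any dmz->loc ACCEPT that is looser than the rule Steve quotes, i.e. one with no destination host (such as loc:192.168.9.3) or no protocol/port restriction. The sample rules are constructed for the example.

```python
# Constructed sample of /etc/shorewall/rules lines: the rule quoted in the
# thread plus deliberately looser variants that an audit should flag.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST             PROTO  DEST PORT(S)
ACCEPT    dmz     loc:192.168.9.3  tcp    bigbrother
ACCEPT    dmz     loc              tcp    bigbrother
ACCEPT    dmz     loc:192.168.9.3  all
ACCEPT    loc     dmz              tcp    bigbrother
DROP      dmz     loc
"""

COLUMNS = ("action", "source", "dest", "proto", "dport")

def parse_rules(text):
    """Parse the whitespace-separated rules layout; missing trailing
    columns default to '-', which Shorewall treats as 'any'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()[:len(COLUMNS)]
        cols += ["-"] * (len(COLUMNS) - len(cols))
        rules.append(dict(zip(COLUMNS, cols)))
    return rules

def problems_for(rule):
    """Return the ways a dmz->loc ACCEPT is wider than the BBDISPLAY-only
    rule from the thread; an empty list means it is as tight."""
    problems = []
    _, _, hosts = rule["dest"].partition(":")
    if not hosts:
        problems.append("no destination host restriction")
    if rule["proto"] in ("-", "all") or rule["dport"] in ("-", "all"):
        problems.append("no protocol/port restriction")
    return problems

def audit_dmz_to_loc(text):
    """Return (rule, problems) for every ACCEPT whose zones are dmz -> loc."""
    findings = []
    for rule in parse_rules(text):
        action = rule["action"].split(":")[0].upper()   # drop ':info' log level
        src_zone = rule["source"].split(":")[0]
        dst_zone = rule["dest"].split(":")[0]
        if action == "ACCEPT" and (src_zone, dst_zone) == ("dmz", "loc"):
            findings.append((rule, problems_for(rule)))
    return findings

if __name__ == "__main__":
    for rule, problems in audit_dmz_to_loc(SAMPLE_RULES):
        print(rule["dest"], rule["proto"], rule["dport"], problems or "ok")
```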