Hi,
I wonder if there is any need to install shorewall on a machine located in the DMZ zone of shorewall. (3 interfaces example)

mess-mate
--
You are a fluke of the universe; you have no right to be here.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Hi,

IMHO not, because that host should be very tightly controlled by the main firewall. If the DMZ only gets exactly the traffic that it is supposed to, then there shouldn't be anything for a local shorewall install to filter out. On the other hand, maybe it's worth putting it on there just in case you ever put that host on the net without a firewall (e.g., if the firewall fails, and you need to make the services available until the replacement is there).

I'm probably not the most qualified person to answer this, though :-).

~David

On 5/25/07, mess-mate <mess-mate@wanadoo.fr> wrote:
> Hi,
> I wonder if there is any need to install shorewall on a machine
> located in the DMZ zone of shorewall. (3 interfaces example)
>
> mess-mate
Hi dude ...

Using the right terms - DMZ is the zone between your Firewall and the Provider - DMZ = DeMilitarized Zone. 3Com used the term DMZ back in time on one of their first routers with more than 2 interfaces - and called it DMZ :) Wrong naming - but it stayed ...

What you mean is most probably the Service Network.

It actually makes sense to set up a firewall such as shorewall on systems inside the DMZ if:
1. They have another connection point to the internal systems.
2. You want to make it as hard as possible for hackers who got into one of your machines.

From a security point of view - I always have shorewall installed on all systems - even workstations. On servers though - as I know exactly which services are to be run, I set the default policy to reject in all directions - and explicitly open all required ports for correct working. Everything else is rejected/dropped - and notified to a remote logging server or serial-interface printer (this one on the firewall only) to catch break-in/breakout attempts.

Up to you to decide what you want :)

mess-mate wrote:
> Hi,
> I wonder if there is any need to install shorewall on a machine
> located in the DMZ zone of shorewall. (3 interfaces example)
>
> mess-mate

--
Joerg Mertin : smurphy@solsys.org (Home)
in Forchheim/Germany : smurphy@linux.de (Alt1)
Stardust's LiNUX System
Web: http://www.solsys.org
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
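One way to lay out the per-host policy Joerg describes (reject in all directions by default, log the refusals, open only the ports the service needs) for a machine in the service network, as an added example that is not from the thread or from the Shorewall project. It assumes a single NIC eth0, an HTTP/HTTPS server, and the constructed addresses 203.0.113.1 (the main firewall's inside address, used for admin SSH) and 192.0.2.10 (the remote syslog host):

```shell
#!/bin/sh
# Added example (not from the thread): Shorewall 3.x-style configuration for a
# single-NIC host inside the service network, following Joerg's policy:
# REJECT in all directions by default, log it, open only the needed ports.
# Assumed names (all constructed): eth0 is the host's only interface, it serves
# HTTP/HTTPS, admin SSH comes only from the main firewall's inside address
# 203.0.113.1, and the remote syslog host is 192.0.2.10.
# Usage: write_shorewall_config /etc/shorewall   (then run 'shorewall check')
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    # Single-interface host: only the firewall zone itself and "net".
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
EOF
    # Default policy: nothing passes unless a rule says so; every refused
    # packet is logged at 'info', which syslog can forward to the log host.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     REJECT  info
net     $FW     REJECT  info
all     all     REJECT  info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE           DEST            PROTO   DEST PORT(S)
# Services this host is meant to run
ACCEPT  net              $FW             tcp     80,443
# Admin SSH only from the main firewall's inside address
ACCEPT  net:203.0.113.1  $FW             tcp     22
# Outbound: DNS, plus syslog to the remote log host
ACCEPT  $FW              net             udp     53
ACCEPT  $FW              net:192.0.2.10  udp     514
EOF
}

# Quick self-check a practitioner can run before copying the files into place.
config_rejects_by_default() {
    grep -q '^all[[:space:]]*all[[:space:]]*REJECT' "$1/policy"
}
```

Replies to accepted connections are handled by connection tracking, so no return rules are needed; anything not listed in rules is refused and logged.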
mess-mate wrote:
> I wonder if there is any need to install shorewall on a machine
> located in the DMZ zone of shorewall. (3 interfaces example)

Personally I automatically install Shorewall on each system I set up - it just doesn't take long to set up and it's an extra level of protection. Our main firewall isn't a linux box, and the same applies to most of our clients, so that makes two different layers of protection.

Don't forget that someone may compromise your main firewall*, you may accidentally allow more traffic than you planned, you may have someone inside the network 'have a go', someone may compromise another server in the DMZ and use that as a base for a further advance, ...

Point is, ideally every system should have its own security that can stand alone as far as is practical. Then you can have security at the perimeter of the network. There is a school of thought that says these two layers should be different so if there is a flaw or compromise in one then the other will still hold. It's a bit like having a gate at the end of the drive AND a lock on the garage door AND locking the car when it's in the garage - how many people do you know that never lock the car doors when it's in the garage?

* You DO have different passwords on different systems, don't you?
Simon Hobson <linux@thehobsons.co.uk> wrote:
| mess-mate wrote:
|
| >I wonder if there is any need to install shorewall on a machine
| >located in the DMZ zone of shorewall. (3 interfaces example)
|
| Personally I automatically install Shorewall on each system I set up
| - it just doesn't take long to set up and it's an extra level of
| protection. Our main firewall isn't a linux box, and the same applies
| to most of our clients, so that makes two different layers of
| protection.

Thanks to all for your advice. And I'll install shorewall on ALL machines.

best regards
mess-mate
--
You could live a better life, if you had a better mind and a better body.