From owner-freebsd-questions Thu Mar 12 18:40:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA28878 for freebsd-questions-outgoing; Thu, 12 Mar 1998 18:40:02 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from horst.bfd.com (horst.bfd.com [204.160.242.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA28461 for ; Thu, 12 Mar 1998 18:38:37 -0800 (PST) (envelope-from ejs@bfd.com)
Received: from harlie.bfd.com (bastion.bfd.com [204.160.242.14]) by horst.bfd.com (8.8.8/8.8.8) with SMTP id SAA00834; Thu, 12 Mar 1998 18:38:36 -0800 (PST) (envelope-from ejs@bfd.com)
Date: Thu, 12 Mar 1998 18:38:36 -0800 (PST)
From: "Eric J. Schwertfeger"
To: "Shin'ichiro Seto/OTESS, Inc."
cc: questions@FreeBSD.ORG
Subject: Re: Mail Server should be inside of ipfw ?
In-Reply-To: <199803122314.PAA20938@otess.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 12 Mar 1998, Shin'ichiro Seto/OTESS, Inc. wrote:

> If it were inside, crackers would attack the intranet through sendmail.
> I don't know how but I'm saying a possibility. Also, the mail server will
> be an http server. This means that they could get into the intranet using
> a cgi program if the program were so stupid.

The http server definitely has more potential for compromise than sendmail, but sendmail is also a concern.

> If it were outside, it'd be easier to crack down the mail server itself and
> get the passwd file.

We got around that by keeping nothing on the server, and it isn't allowed to telnet (or anything else) past our firewall.

> If anyone has the same situation, please let me know which one is better and why.
> Or, if I have to have a firewall program instead of ipfw to say "This site
> has a firewall", please give me any idea on firewall.
We went with a Cisco as an outer "firewall" (it can do much of what ipfw can do), a "throwaway" mail/web/dns server in the DMZ, and a firewall to the real inner network. People get their mail by popping through the firewall. The worst that happens if someone breaks into our web server is that we have to restore the server from backups, we lose some mail, and they get to read the drivel that passes as intraoffice email in this place.

We've had a few minor security incidents, but nothing major; the only time we lost the firewall was due to HD failure. No root breaches that we're aware of, mostly social-engineering things, and the people that know the root password are too sharp for that.