Date: Thu, 12 Mar 1998 18:38:36 -0800 (PST)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: "Shin'ichiro Seto/OTESS, Inc." <mluser01@otess.com>
Cc: questions@FreeBSD.ORG
Subject: Re: Mail Server should be inside of ipfw ?
Message-ID: <Pine.BSF.3.96.980312183001.14215A-100000@harlie.bfd.com>
In-Reply-To: <199803122314.PAA20938@otess.com>

On Thu, 12 Mar 1998, Shin'ichiro Seto/OTESS, Inc. wrote:

> If it were inside, crackers would attack the intranet through sendmail.
> I don't know how but I'm saying a possibility. Also, the mail server will
> be http server. This means that they could get into the intranet using
> cgi program if the program were so stupid.

The http server definitely has more potential for compromise than sendmail, but sendmail is also a concern.

> If it were outside, it'd be easier to crack down the mail server itself and
> get the passwd file.

We got around that by keeping nothing on the server, and it isn't allowed to telnet (or anything else) past our firewall.

> If anyone has same situation, please let me know which one is better and why.
> Or, If I have to have a firewall program instead of ipfw to say "This site
> has a firewall", please give me any idea on firewall.

We went with a Cisco as an outer "firewall" (it can do much of what ipfw can do), a "throwaway" mail/web/DNS server in the DMZ, and a firewall to the real inner network. People get their mail by popping through the firewall. The worst that happens if someone breaks into our web server is that we have to restore the server from backups, we lose some mail, and they get to read the drivel that passes as intraoffice email in this place.

We've had a few minor security incidents, but nothing major; the only time we lost the firewall was due to HD failure. No root breaches that we're aware of, mostly social-engineering things, and the people that know the root password are too sharp for that.
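
The inner-firewall policy described in the message above (the DMZ server may not open any connection inward, and inside users fetch their mail by POP through the firewall), sketched as ipfw rules. This is an added example, not part of the original e-mail; the addresses, rule numbers and function names are assumptions.

```shell
#!/bin/sh
# Added example: inner-firewall ipfw rules for the DMZ layout in the message.
# All addresses are constructed placeholders, not values from the thread.
INSIDE="10.0.0.0/24"      # assumed inner network
DMZ_HOST="192.0.2.10"     # assumed "throwaway" mail/web/DNS server in the DMZ
POP3=110

# Print the rule bodies in evaluation order (ipfw stops at the first match).
# Only the POP3 flow from the message is modelled; rules for any other
# traffic the inner network needs would go between 1200 and 65000.
inner_rules() {
    cat <<EOF
add 1000 allow tcp from ${INSIDE} to ${DMZ_HOST} ${POP3}
add 1100 allow tcp from ${DMZ_HOST} ${POP3} to ${INSIDE} established
add 1200 deny log ip from ${DMZ_HOST} to ${INSIDE}
add 65000 deny log ip from any to any
EOF
}

# Succeeds only if no rule lets the DMZ host open a connection inward:
# every "allow ... from DMZ_HOST" rule must be limited to "established",
# so a compromised DMZ server can answer POP3 sessions but never start one.
dmz_cannot_initiate() {
    ! inner_rules | grep "allow .* from ${DMZ_HOST} " | grep -qv ' established$'
}

# Load the rules with ipfw (needs root on the firewall host).
load_rules() {
    inner_rules | while read -r rule; do
        # $rule is left unquoted on purpose so it splits into ipfw arguments
        ipfw -q $rule || return 1
    done
}

# Default is to print the rules for review; set APPLY=1 to load them.
if [ "${APPLY:-0}" = "1" ]; then load_rules; else inner_rules; fi
```

Rule 1100 matches only packets with ACK or RST set coming from the server's POP3 port, so a connection attempt from the DMZ host falls through to the logged deny at 1200.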