From owner-freebsd-questions Thu Jul 30 14:22:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA26962 for freebsd-questions-outgoing; Thu, 30 Jul 1998 14:22:44 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA26956 for ; Thu, 30 Jul 1998 14:22:40 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.5/8.8.8) with SMTP id OAA04694; Thu, 30 Jul 1998 14:22:36 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Thu, 30 Jul 1998 14:22:35 -0700 (PDT)
From: Doug White
To: Mike Grommet
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall issues... HELP PLS
In-Reply-To: <000101bdbb3e$6a8e0260$0cf896d0@work2.insolwwb.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 29 Jul 1998, Mike Grommet wrote:

> Well they say a picture is worth a thousand words, so here is a small (16k)
> gif attached to this message displaying the planned topology... I have a few
> questions and I'm not sure how this will work and this message will make
> much more sense with the diagram :)

I generally object to attachments in mailing lists but this makes it soo
much easier. :)

> I am the primary DNS authority for this particular client... and they
> want a mail server on site running microsoft exchange. They want to
> run exchange on their primary NT server, which we need to have behind
> the firewall.
>
> I have no problems setting up dns for pointing the mail to a public ip
> number, this I've done on lots of occasions... I just assign their
> mail server a specified IP number in dns... the problem is that their
> mail server (aka primary NT server) needs to be private so I can't
> assign it a public internet IP number...

This looks like a classic case for ipfw/natd and some sendmail magic.

> The only thing I can think of is this:
>
> the bastion host must have an internet reachable ip number, and one that
> isn't internet reachable for the local network, both on two interface cards.
>
> What I think is that I can bind another internet ip number to the bastion
> host, the second one being the ip number specified in my dns for their mail
> server. Then convince the firewall to pass all mail traffic coming in
> through this ip number to the mail port of the private nt machine... is this
> possible? am I making sense here (it's been a long day, so I wouldn't be
> surprised).

You're on the right track, and you can do this with ipfw/natd, but there
is another method that may be more secure from the NT server viewpoint.

How to do it:

1. Set up FreeBSD with ipfw & natd on the bastion host. Disable all
   non-essential services (everything except ssh).

2. Variation #1:
   a. Disable sendmail on the bastion host.
   b. Configure natd to redirect port 25 to port 25 of the Windows
      machine. (Tunnel port 25 through the firewall to the NT box.)

   Variation #2:
   a. Leave sendmail enabled on the bastion host.
   b. Build a new sendmail.cf with mailertable support.
   c. Set up a mailertable entry to relay all inbound mail to the NT box.

3. Number the private network using non-Internet IPs as desired.

4. Configure the DNS to point all mail services to the bastion host.

Commentary on variations:

#1 is easier to set up but exposes the NT machine to potential attack via
Exchange. Considering Microsoft's security track record this isn't such
a great idea.

#2 is harder to set up but protects the internal network from any outside
incursions since natd & ipfw will eat any packets attempting to traverse
the firewall without permission.

As a byproduct the entire private LAN has Internet access, just point your
default gateway/router at the firewall.

We'll have a similar setup running at my house in about a month when we
get the ADSL line installed.

Doug White                              | University of Oregon
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
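The following is an added example, not part of Doug White's reply or of the FreeBSD project's own files. It writes out the three configuration pieces the two variations above need on a FreeBSD bastion host: the natd.conf with the port 25 redirect (variation #1), the sendmail mailertable entry (variation #2), and an ipfw rule set that both variations share. Every address and name in it is a placeholder chosen for this example: ed0 as the public interface, 192.0.2.10 as the bastion's public address (the one the DNS MX record points at), 10.0.0.2 as the NT/Exchange box on the private LAN, and example.com as the client's mail domain.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder values, to be replaced
# with the real ones on the bastion host:
EXT_IF="ed0"              # public interface of the bastion host
BASTION_IP="192.0.2.10"   # bastion's public address (DNS MX target)
EXCHANGE_IP="10.0.0.2"    # NT/Exchange box on the private LAN
LAN_NET="10.0.0.0/24"     # the non-Internet numbered private LAN
MAIL_DOMAIN="example.com" # the client's mail domain

# /etc/natd.conf. With "v1" the redirect_port line is added, so inbound
# TCP/25 arriving on ed0 has its destination rewritten to the Exchange
# box (variation #1). Without it natd only masquerades the LAN (variation #2).
natd_conf() {
    cat <<EOF
interface ${EXT_IF}
use_sockets yes
same_ports yes
EOF
    if [ "$1" = "v1" ]; then
        echo "redirect_port tcp ${EXCHANGE_IP}:25 25"
    fi
}

# /etc/mail/mailertable for variation #2. The brackets make sendmail hand
# the mail straight to that host; without them it would look up the MX
# for the domain, find the bastion itself, and loop.
mailertable_entry() {
    printf '%s\tsmtp:[%s]\n' "${MAIL_DOMAIN}" "${EXCHANGE_IP}"
}

# ipfw rules shared by both variations. The divert rule runs first, so
# every later rule sees the addresses after natd has translated them: in
# variation #1 inbound SMTP is already addressed to the Exchange box, in
# variation #2 it is still addressed to the bastion. The argument says which.
ipfw_rules() {
    smtp_target="$1"
    cat <<EOF
ipfw -f flush
ipfw add 100 divert natd all from any to any via ${EXT_IF}
ipfw add 200 allow all from any to any via lo0
ipfw add 300 allow tcp from any to any established
ipfw add 400 allow tcp from any to ${BASTION_IP} 22 setup
ipfw add 500 allow tcp from any to ${smtp_target} 25 setup
ipfw add 600 allow tcp from ${LAN_NET} to any setup
ipfw add 610 allow tcp from ${BASTION_IP} to any setup
ipfw add 700 allow udp from ${LAN_NET} to any 53
ipfw add 710 allow udp from ${BASTION_IP} to any 53
ipfw add 720 allow udp from any 53 to ${LAN_NET}
ipfw add 730 allow udp from any 53 to ${BASTION_IP}
ipfw add 65000 deny log all from any to any
EOF
}

# No argument: print what would be installed. "apply-v1" / "apply-v2":
# write the files and load the rules (run as root on the bastion host).
case "$1" in
    apply-v1)
        natd_conf v1 > /etc/natd.conf
        ipfw_rules "${EXCHANGE_IP}" | sh
        ;;
    apply-v2)
        natd_conf v2 > /etc/natd.conf
        mailertable_entry > /etc/mail/mailertable
        makemap hash /etc/mail/mailertable < /etc/mail/mailertable
        ipfw_rules "${BASTION_IP}" | sh
        ;;
    *)
        echo "# variation 1: /etc/natd.conf";       natd_conf v1
        echo "# variation 2: /etc/mail/mailertable"; mailertable_entry
        echo "# ipfw rules (variation 1 target)";   ipfw_rules "${EXCHANGE_IP}"
        ;;
esac
```

The only rule that differs between the two variations is number 500: with the redirect in place it has to admit SYNs to the Exchange box's private address, because natd has already rewritten the destination before the packet reaches the rule; without the redirect, the same SYN to 10.0.0.2 falls through to the final deny, which is the property variation #2 relies on. For variation #2 the bastion's sendmail also needs FEATURE(mailertable) in its .mc file and permission to relay example.com (for sendmail 8.9 and later, a line in /etc/mail/relay-domains), otherwise it will accept the connection and then reject the recipient.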