Date: Sun, 18 Mar 2001 21:38:52 -0600
From: Mike Meyer <mwm@mired.org>
To: "Richard Shea" <rshea@thecubagroup.com>
Cc: questions@freebsd.org
Subject: Re: Firewall + Mail Server on same machine - is that OK ?
Message-ID: <15029.32588.606713.909007@guru.mired.org>
In-Reply-To: <40476192@toto.iv>

Richard Shea <rshea@thecubagroup.com> types:
> Hi - I've currently got a FreeBSD box which I use as a firewall
> machine (using IPFW) and to do NATD.
>
> I'm thinking of setting up a mail server and I would certainly want to
> do this under FreeBSD but I feel like I've heard that having, for
> instance, a mailserver on the same machine as the firewall is not a
> good idea.
> Could anyone comment on this ?

I've said it, so...

> It seems to me that if someone was able to get through the firewall
> in the first place putting the mailserver on another machine
> wouldn't necessarily help all that much ?

That depends on what you're trying to protect. If you're running an
external mail server, then the firewall has to allow access to the
SMTP port on the mail server, no matter what. So having the firewall
on another machine probably won't help the mail server from attacks on
the SMTP server. However, someone attacking the firewall now has
another place to attack - breaking into the mail server gets them
access to the firewall.

> Am I missing something here ? I'd be interested in peoples
> comments.

The attack on the firewall, maybe?

Whether you can combine boxes without harm depends on the rest of your
network security setup, and how much you value things. If, as far as
you're concerned, there's no difference between breaking into the
firewall and breaking into the mail server, *and* the two have the
same access to the rest of the network, then there's no harm in
combining them. The former is a policy decision, but the latter sounds
like poor security - why does mail need to be able to move between the
firewall box and the internal network?

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message