From: Mike Meyer
Date: Sun, 18 Mar 2001 21:38:52 -0600
To: "Richard Shea"
Cc: questions@freebsd.org
Subject: Re: Firewall + Mail Server on same machine - is that OK ?
Message-ID: <15029.32588.606713.909007@guru.mired.org>
In-Reply-To: <40476192@toto.iv>

Richard Shea types:
> Hi - I've currently got a FreeBSD box which I use as a firewall
> machine (using IPFW) and to do NATD.
>
> I'm thinking of setting up a mail server and I would certainly want to
> do this under FreeBSD but I feel like I've heard that having, for
> instance, a mailserver on the same machine as the firewall is not a
> good idea.
> Could anyone comment on this?

I've said it, so...

> It seems to me that if someone was able to get through the firewall
> in the first place putting the mailserver on another machine
> wouldn't necessarily help all that much?

That depends on what you're trying to protect. If you're running an
external mail server, then the firewall has to allow access to the SMTP
port on the mail server, no matter what. So having the firewall on
another machine probably won't help protect the mail server from attacks
on the SMTP server.

However, someone attacking the firewall now has another place to attack -
breaking into the mail server gets them access to the firewall.

> Am I missing something here? I'd be interested in people's
> comments.

The attack on the firewall, maybe?

Whether you can combine boxes without harm depends on the rest of your
network security setup, and how much you value things. If, as far as
you're concerned, there's no difference between breaking into the
firewall and breaking into the mail server, *and* the two have the same
access to the rest of the network, then there's no harm in combining
them. The former is a policy decision, but the latter sounds like poor
security - why does mail need to be able to move between the firewall box
and the internal network?

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
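One way to express the point above in IPFW rules, as an added example that is not part of the original post: an rc.firewall-style ruleset for a box that is firewall, NAT gateway and mail server at once, which lets new SMTP connections in from outside but never lets the box itself open connections into the internal network. The interfaces fxp0/fxp1 and the addresses are assumptions, and FWCMD defaults to echoing the rules so the script only prints what it would load.

```shell
#!/bin/sh
# Added example, not from the original post: rc.firewall-style IPFW rules for
# one box that is firewall, NAT gateway and mail server. Interfaces and
# addresses below are assumptions. FWCMD defaults to echoing the rules so the
# script can be reviewed without touching a live firewall; run it with
# FWCMD=/sbin/ipfw to load them. TCP only; DNS/ICMP rules are left out.
fwcmd="${FWCMD:-echo ipfw}"

oif="fxp0"               # outside interface (assumed)
oip="203.0.113.10"       # outside address of the box (assumed)
iif="fxp1"               # inside interface (assumed)
inet="192.168.1.0/24"    # internal network behind NAT (assumed)

build_rules() {
    ${fwcmd} -f flush
    # Translate the internal network on the outside interface (natd already
    # runs on the box, so the divert comes first as in rc.firewall).
    ${fwcmd} add divert natd ip from any to any via ${oif}
    # Established TCP connections keep flowing.
    ${fwcmd} add pass tcp from any to any established
    # The hole the mail server forces open: new SMTP connections from outside
    # to the box itself, on the one port that has to be reachable.
    ${fwcmd} add pass tcp from any to ${oip} 25 setup in via ${oif}
    # Every other new connection from outside is refused and logged.
    ${fwcmd} add deny log tcp from any to any setup in via ${oif}
    # The box never opens connections into the internal network, so a
    # compromised mail daemon gains no new path inward ('me' matches any
    # address configured on this host).
    ${fwcmd} add deny log tcp from me to ${inet} setup out via ${iif}
    # Inside hosts may open connections to the box (to fetch their mail) and,
    # through NAT, to the outside; the box may open outbound SMTP to deliver.
    ${fwcmd} add pass tcp from any to any setup
    ${fwcmd} add deny log ip from any to any
}

build_rules
```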