From: Jim H. <ji...@xl...> - 2002-01-29 04:10:02
Tom, I have a router at home running Shorewall and doing great, and I want to install it on our file/web/mail server at work too. Problem is, I can't afford much downtime futzing around with it. Can you recommend some Shorewall settings? Here are the particulars:

1. The server is behind a hardware security router/switch (Netgear RO318) which forwards port 80, 25 and 110 requests to it that come in from the Internet over our RoadRunner cable modem.

2. The server has a single network card and a static IP (192.168.0.13), and is plugged into the security router just like every other box on the LAN.

3. The server runs a web server on port 80 and a mail server/POP3 MTA (both available to the Internet and the LAN). For the LAN, it runs Samba, SWAT (port 901) and Webmin (port 10000), the last two only accessible from 192.168.0.10. The server mounts an NFS share on a Snap! server at boot time (nightly backups are sent there). The server needs access to the Internet to get NTP time sync info, to get RedHat updates, and to update our IP address with DynDNS. Everyone on the LAN syncs time to the server using the time server feature in Samba.

4. The LAN addresses are all in 192.168.0.0/24; some of them are assigned by the DHCP service that the security router provides, and some are statically assigned.

The hardware router was used because at the time it was simply a Windoze-only LAN that needed access to the Internet. Theoretically, the router provides stateful packet inspection and protection against common threats. We haven't had any breaches I'm aware of (yet). I added the Linux server later on just to play with, but now that I've got 3 ports hanging out in the breeze, I'm concerned that the hardware router might let something through, or that a virus could get loose on the LAN and do some damage from the inside (my users are clueless). I realize this configuration is somewhat less than ideal.

In the future, I plan on replacing the hardware router with a Linux system using 3 NICs to effectively separate Internet, LAN and DMZ, but for now I need to work with what I've got. Right now, the server has NO firewall except what is provided by the router, so almost anything would be an improvement. Would it help to configure the server's single NIC to have more than one IP? If so, how?

Thanks in advance for any suggestions, and thanks again for a great piece of software. Linux newbies like me would be lost without people like you making it relatively easy.

Sincerely,
Jim Hubbard
ji...@dy...
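An added example, not part of this post or of any reply to it: a single-interface Shorewall configuration for the setup described above, written in current Shorewall file syntax (zones, interfaces, policy, rules), which differs from the 1.x column layout in use when this was posted. The whole NIC is one `net` zone and the LAN-only services are restricted by source address in the rules file, so the NIC does not need a second IP. The addresses and ports 80/25/110/901/10000 come from the post; the Samba port list, the interface options and the placeholder Snap! server address are assumptions.

```shorewall
# /etc/shorewall/zones
# Whole NIC is one zone; LAN-only services are restricted below by source address.
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces
# Do NOT add the old norfc1918 option here: the LAN is RFC 1918 space, so every
# LAN packet, including what the Netgear forwards in, would be dropped.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy
# Outbound from the server is open (DNS, NTP, RedHat updates, DynDNS, and the
# NFS mount of the Snap! server, whose mountd port is dynamic); replies come
# back through connection tracking. Unmatched inbound traffic is dropped and logged.
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     $FW     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE                  DEST    PROTO   DPORT
# Web, SMTP and POP3: forwarded in by the Netgear and used from the LAN too,
# so accept them from any source.
ACCEPT  net                     $FW     tcp     25,80,110
# Samba from the LAN only: NetBIOS name/datagram (udp 137,138), session
# (tcp 139) and CIFS over TCP (445). The Samba time server answers on these
# same ports, so nothing extra is needed for time sync from the LAN.
ACCEPT  net:192.168.0.0/24      $FW     udp     137,138
ACCEPT  net:192.168.0.0/24      $FW     tcp     139,445
# SWAT and Webmin only from the admin workstation.
ACCEPT  net:192.168.0.10        $FW     tcp     901,10000
# Let LAN hosts ping the server for troubleshooting (ICMP echo request).
ACCEPT  net:192.168.0.0/24      $FW     icmp    8
# If NFS file locking is used, the Snap! server's lockd opens connections back
# to this host on a dynamic port; allow it by address. 192.168.0.20 is a
# placeholder (assumption): the post does not give the Snap! server's address.
#ACCEPT net:192.168.0.20        $FW
```

Because the box is in production and the worry is downtime: `shorewall check` validates the files without touching the running rules, and `shorewall try /etc/shorewall 60` starts this configuration but restores the previous firewall state if the start fails or when the 60-second timeout expires, so a rule that locks out the admin workstation undoes itself; once access over 901/10000 from 192.168.0.10 is confirmed, `shorewall restart` makes it permanent. The `$FW net ACCEPT` policy is the loosest part of this configuration; it is kept because the NFS mount needs the dynamically assigned mountd port on the Snap! server, and everything the server originates still gets the benefit of stateful reply handling rather than open inbound ports.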