Topic: DMZ possible?

[Storm Dragon]

Is it possible to set up a DMZ with 5.5?
-SD

[guestHH]

a DMZ is more then 5.5


It's a mechanisme and a way of thinking. 5.5 can be a part of that.
For setting up a DMZ, you need more then 5.5 (or whatever version) alone...

[Bob Todd]

why not use an old pc with Smoothwall installed as firewall to create your DMZ and then put the SME server into the DMZ to handle web serving etc

[Storm Dragon]

Hmm... interesting.

[schotty]

I dont quite agree with this.

Maybe we should look into what is a dmz?

DMZ is part of a network which can be reached (if setup properly) from the internet. Usually one would find servers in the dmz.

Clients in  the intern network can reach the servers in the dmz but servers cannot start a connection to the intern network -the connection has to be initiated by a client. Hence if a hacker did hack into a server in the dmz then he still wont get sensitiv data from the intern network.

What is Smoothwall? or better asked what has smoothwall got what e-smith hasnt?

They are both based on linux, both use the same firewalling system -ipchains?

So concrete what do we need to make a dmz? E-Smith would need 2 Network cards ie 1 network card and a device in which it can reach the internet.

Then you would need to make rules for ipchains for the 2 network card.....
What these changes are I havent got a clue...

Maybe someone else could spread a bit of light......


cheers

[Bob Todd]

What smoothwall has is simple to manage tools built in to create and look after the DMZ etc. It is also a package designed to do one task and one task only and that is to be a firewall. SME is not a firewall - it is a general purpose server that has firewall software built in. I only suggested using the smoothwall solution because it ADDS an extra security layer to the setup. For the network I am about to setup I am implementing the following solution ::


internet ----ADSL-----GNATBOX-----------------SMOOTHWALL--------Internal Network
                Router      GB1000        |           Firewall                   & servers
                                                   |
                                               DMZ
                                             SME Server
                                         for Web, Mail, Proxy Filter

Though I'll split the tasks over several servers and prob use the DMZ mail to forward filtered mail to an internal mailserver. In fact I may have to use 2xDMZ - 1 public and 1 private as I am considering allowing VPN access to the internal network through the DMZ from the internet and that will require external IP addresses - as far as I can figure out at this stage. Its all still in the final planning stages.

[Bob Todd]

bah so much for my neatly laid out diagram in the post above. formattings all over the place.

[schotty]

Well to allow VPN your server will of course need a connection to the internet -in other words it will need an internet friendly ip address.

Im not sure though that you need 2 DMZ.

                                             Smoothwall/VPN
               DMZ                                                             Clients
Mail Server
Web Server


Lets see whats happens with this format )

E-Smith has firewall built in ?? I thought that e-smith was built on linux, and that linux has got ipchains built in....just like smoothwall. I guess smoothwall could be a bit comfortable to configure than e-smith, but I wouldnt say its impossible....


Schotty

[zylone]

The way I would set it up, and how I am currently working on doing it is have one NIC for your internet connection, one for the DMZ which will be nothing but servers (web, ftp, mail, etc) that people from the internet can connect to. then have a third nic for the "private network" that will not allow any inbound conncetions from the internet unless started by the client machine inside the private network.

[Bob Todd]

by having 2 DMZ, 1 public and 1 private I get to allow clients to VPN in from internet to the private network via the public dmz server that accepts only vpn connections and will have no other open ports while my web/mail servers can sit on the priv dmz behind NAT protection as well as the filtering from the firewall.

[Jim Hale]

I Agree Wholeheartedly - I run my SME server behind an IPCop Box and I really think it helps.