[KLUG Members] Re: I have some Proxy question

Bryan J. Smith members@kalamazoolinux.org
Thu, 10 Jan 2002 10:14:51 -0500


Scott Van Singel wrote:
> We have three Public IPs that were given to us by the company
> that donates their T-1 to us. Since we are a school, our DNS
> records are held at a Kalamazoo company, KRESA. It is very difficult
> to change the IPs for Web, Mail, and so on.
> I would like to keep the MX records and everything as they are.

You can do this, and then start running DNS internally for a private
network behind your firewall.  I would argue that you should "split off"
your public servers into a separate "DMZ" (demilitarized zone) so they
are separate from internal systems.

E.g.:           Internet
                   |
                Firewall ------- DMZ (use 2 IP addresses here)
            (Linux Netfilter)    (Public Servers, public Web, etc...)
                   |
              Private LAN (use 1 IP address here)
     (Private systems, internal DNS, internal servers, etc...)

There are, of course, hundreds of models to this ... where to put your
mail server (just port forward to the LAN, or use one system in the DMZ
that "moderates" for the LAN, etc...), Squid cache server (in the LAN,
or DMZ, or another DMZ?), etc...

> So, I would like to take the IP that was designed for the Web
> and have it go through the Netfilter and have it redirect to
> the private IP of 10.1.1.26.

For the web, I'd really push it _always_ being in the DMZ.  Your public
and private content shouldn't mix (public in DMZ, private on the LAN). 
I know Apache is fairly secure, but all it takes is one bad CGI script
to compromise its security and, then, your whole private LAN!

BTW, you _are_ using Apache for your web server, aren't you?  ;-PPP

> Would I use Proxy with Netfilter to cache the DNS and web sites?

Netfilter is an in-kernel/in-IP-stack (with some user-space) routing
mechanism.  It's designed to be lean, mean and fast.  You can do some
"proxying" details (like redirecting all "direct" requests to the web
over to your actual Squid/Proxy server), but the "caching/proxying"
functionality/logic/storage is a user-space detail.  As such, you'll
want to put it on a different server than your firewall.

Again, the only details your Firewall/Netfilter system should be doing
is handling packet routing.

How about this ...

                  Internet
                     |
                  Firewall --DMZ-- Public FTP/Web Server(s)
                     |     (2-IPs)
                     |
             (1-IP) LAN <- redirects outbound DNS/FTP/Web/SSL
                     |     to Squid (only Squid allowed through)
    ---------------------------------------------
     ||||||     |           |                  |
      PCs    Servers       Mail           Squid System
                     (SMTP/25 forwarded **)

** NOTE:  Ideally this would be the "internal" LAN server, and then you
would put an "external" server out in your DMZ.  Mail would go to the
one in the DMZ first, be virus-scanned, and then routed to the internal
Mail server (firewall rule:  mail, SMTP/25 cannot go directly to/from
Internet-LAN, only Internet-DMZ, and DMZ-LAN).  Same route for outbound
-- keep your own systems from relaying viruses/spyware too.  ;-P

There are _plenty_ of other models.  I have a 5-zone (6 including
Wireless LAN) prototype 4U/4-system computer in my house.  It separates
out not only Internet, DMZ, LAN _but_ extra "DMZ-like" outgoing
(proxying, mail, etc...) and incoming (VPN/RA/SSH, mail, etc...) zones
to prevent "further break-in" if they are compromised (and they are
easily shutdown when they are).  The 4 systems in my prototype are for
firewall (obviously), outgoing (integrated for ease of use/don't need a
separate system), incoming (integrated for ease of use, don't need a
separate system) and IDS (intrusion detection), and you just add your
public DMZ and private LAN nodes.

I never seem to "get around" to finishing it.  ;-P

> And how difficult would it be to set this all up?

Depends on how complicated you want to make it.  It's not too bad, but
there is a _learning_curve_ with how IP packets work that is not
Linux-related at all.  The more you "tighten" the more "incompatible"
things become.  And if you run a lot of Windows PCs with a lot of crappy
apps with piss-poor protocols that don't like to work behind a firewall,
well, you have to "make some choices."

But trust me on the public web stuff being in a DMZ.  Since you don't
run your public DNS, that saves you a bit.  My public DNS/Web server got
hacked once and I was _damn_glad_ it was in a DMZ (by itself ;-)!  BTW,
it was my _own_, _stupid_ fault, I didn't update BIND in over a year! 
Doh!

-- Bryan

-- 
Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
SmithConcepts, Inc.            http://www.SmithConcepts.com
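The three-zone layout the reply sketches (public web IP landing on a DMZ host, SMTP allowed only Internet-DMZ and DMZ-LAN, outbound web funnelled through Squid, one public IP for everything leaving the LAN), written out as an iptables rule set. This is an added example, not code from the thread or from Bryan; every interface name and address in it is an assumed placeholder (public addresses from the RFC 5737 documentation range, LAN hosts on the 10.1.1.0/24 network that the question's 10.1.1.26 implies). By default the script only prints the rules so it can be read and checked offline; DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for the
# Internet / DMZ / private-LAN layout described in the reply.
# All interface names and addresses are ASSUMED placeholders.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them as root.

WAN_IF=eth0                  # assumed: toward the donated T-1
DMZ_IF=eth1                  # assumed: public servers
LAN_IF=eth2                  # assumed: private LAN

PUBLIC_WEB_IP=203.0.113.10   # assumed: the public IP kept for "Web" in DNS
PUBLIC_MAIL_IP=203.0.113.11  # assumed: the public IP the MX record points at
PUBLIC_LAN_IP=203.0.113.12   # assumed: the one IP used for everything leaving the LAN
DMZ_WEB_IP=192.168.100.10    # assumed: public web server, in the DMZ, never on the LAN
DMZ_MAIL_IP=192.168.100.11   # assumed: "external" mail relay that does the virus scanning
LAN_NET=10.1.1.0/24          # assumed
LAN_MAIL_IP=10.1.1.25        # assumed: "internal" mail server
LAN_DNS_IP=10.1.1.2          # assumed: internal DNS resolver
LAN_SQUID_IP=10.1.1.30       # assumed: Squid cache host on the LAN

ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

generate_rules() {
    # Default-deny: nothing is forwarded unless a rule below says so.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The public web IP lands on the DMZ web server only; no rule ever forwards it to a LAN host.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_WEB_IP" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB_IP"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB_IP" -p tcp --dport 80 -j ACCEPT

    # SMTP: Internet <-> DMZ relay and DMZ relay <-> LAN server, in both directions.
    # Internet <-> LAN is never allowed; the explicit DROPs make that intent auditable.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_MAIL_IP" -p tcp --dport 25 -j DNAT --to-destination "$DMZ_MAIL_IP"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_MAIL_IP" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -s "$DMZ_MAIL_IP" -o "$LAN_IF" -d "$LAN_MAIL_IP" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_MAIL_IP" -o "$DMZ_IF" -d "$DMZ_MAIL_IP" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -s "$DMZ_MAIL_IP" -o "$WAN_IF" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport 25 -j DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j DROP

    # Outbound web: LAN clients are redirected to Squid and only Squid may reach the
    # Internet on 80/443. Client and Squid share a segment, so the redirected flow is
    # also masqueraded; otherwise Squid would answer the client directly from an
    # address the client never connected to, and the TCP session would be reset.
    ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$LAN_SQUID_IP" -p tcp --dport 80 -j DNAT --to-destination "$LAN_SQUID_IP:3128"
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$LAN_SQUID_IP" -p tcp --dport 3128 -j MASQUERADE
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$LAN_SQUID_IP" -p tcp --dport 3128 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_SQUID_IP" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Internal DNS: only the resolver talks to the Internet on 53.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_DNS_IP" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_DNS_IP" -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT

    # Source NAT on the way out: the LAN shares the third public IP, and the DMZ relay
    # sends mail from the MX address so its reverse DNS matches.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_LAN_IP"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_MAIL_IP" -j SNAT --to-source "$PUBLIC_MAIL_IP"
}

generate_rules
```

Two things the rules assume of the hosts around them: the Squid box has to accept intercepted traffic on 3128 (the port is an assumption here), and the firewall needs ip_forward enabled. Reading the printed output before applying it is the point of the dry run: with FORWARD defaulting to DROP, every path between zones is one visible line, and the absence of any `-i eth0 -o eth2 ... ACCEPT` line is what enforces the "public stuff stays in the DMZ" argument.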