[KLUG Members] KLUG Presentation???

Bob Kanaley members@kalamazoolinux.org
Wed, 6 Mar 2002 13:50:13 -0500


> >As a rookie sysadmin, I don't have the confidence to tune application or
> >syslog settings to try to slow some of the garbage down.
> >One example would be logfile noise generated from my new email setup. I
> >installed an LRP firewall with two NIC's so I could create a split DNS with
> >a DMZ for my chrooted Postfix and central logserver.
> >I have my 30 windows email clients on the LAN access my Postfix mailserver
> >running in the DMZ via secure POP3. To pull this off, I had to configure
> >Stunnel and Postfix on the mail server and reconfigure each of the windows
> >clients to use secure pop3.
>
> This doesn't sound so neophyte to me.  Sounds more like a great presentation for
> KLUG.

I appreciate the compliment considering all the fine presentations at KLUG,
but I am afraid I couldn't answer a whole lot of questions.  It was all
pretty much cookbook, adjust to taste, and pray I don't spoil the broth.

The LRP firewall was basically cookbook from the Linux Router Project, now
Linux Embedded Appliance Project at sourceforge. I could no more write a set
of firewall rules than the man in the moon, but I am smart enough to know
you can't block 192.169.5. when that is one of my private networks. After
that, I just ran a couple of port checks from grc.com and symantec to make
sure I hadn't left any holes in my firewall.

The split DNS with external and internal DNS both running chrooted idea was
Nick Bauer's in Linux Journal ala Paranoid Penguin in the March 2001 issue.
I ran into a couple of nasty problems. Nick said don't allow any recursion
from the external DNS server, but then how does my SMTP server in the DMZ
resolve MX records? I had to point the resolver on my SMTP server to my
ISP's DNS server!!! Oh yeah, and then there was the don't allow zone
transfer except for your backup DNS server. Turns out my ISP has to be able
to do zone transfers too.

As for the Stunnel and chrooted Postfix, it probably took me a week with two
computers networked together in my office to figure out how to get that
working! I learned that you can't have inetd (tcpwrappers) and xinetd
running on the same machine (duh).

Wouldn't be much of a presentation, I'm afraid.

Bob Kanaley
IS Manager
Agdia, Inc.
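The recursion and zone-transfer problems described in the message above have a middle ground between "no recursion at all" (which is what broke MX lookups from the DMZ mail server and forced the resolver onto the ISP's DNS) and "recursion for everyone". The fragment below is an added example written for this page, not configuration from the original poster or from the Linux Journal article; it assumes BIND 9 named.conf syntax, and the addresses and zone name are hypothetical (RFC 5737 documentation ranges). The weak setting is shown commented out beside the corrected one.

```conf
// External (DMZ-facing) name server: authoritative for the public zone only.
// Added example, not the original poster's configuration. Addresses are hypothetical.

acl "dmz-mail" {
    192.0.2.25/32;      // the chrooted Postfix host in the DMZ (hypothetical)
};

acl "transfer-peers" {
    192.0.2.53/32;      // our own backup name server (hypothetical)
    198.51.100.53/32;   // the ISP's secondary, which also needs to pull the zone (hypothetical)
};

options {
    directory "/var/named";

    // Weak setting from the "never recurse" advice: with this, the DMZ mail
    // server cannot resolve MX records through this server at all.
    // recursion no;

    // Corrected: keep recursion, but answer recursive queries only for the
    // one DMZ host that needs them. The Internet at large still gets
    // authoritative answers only, so this server cannot be used as an open
    // resolver.
    recursion yes;
    allow-recursion { "dmz-mail"; };

    // Zone transfers go to the backup server AND the ISP's secondary;
    // forgetting the ISP was the second problem described in the message.
    allow-transfer { "transfer-peers"; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Tell the secondaries when the zone changes instead of waiting for the
    // SOA refresh interval.
    notify yes;
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

Two checks worth doing after reloading: from a host outside the firewall, `dig @<external-server> www.google.com` should return a REFUSED (or non-recursive, answerless) response, and `dig @<external-server> example.com AXFR` should be refused; from the DMZ mail host, the same recursive query should succeed. One caveat a practitioner would add: serving authoritative and recursive answers from one process still means a poisoned cache entry is served to the DMZ host. The stricter arrangement the "no recursion" advice is really aiming at is a separate caching-only resolver for DMZ machines, with the external server left purely authoritative.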