[Shorewall-users] LAN server config?

Tom Eastep teastep@shorewall.net
Wed, 30 Jan 2002 06:18:50 -0800


On Wednesday 30 January 2002 02:57 am, Paul Gear wrote:
>
> Do the requests appear to come from the Internet or the router?  (i.e. Does
> the router do unidirectional NAT or bidirectional NAT?)  My guess would be
> the former - requests still appear with the true source IP, and your router
> does the outgoing translation.  If that is the case, I think you need two
> zones, one for internal and one for external - the 'loc' and 'net' zones
> provided by default should do the trick.  The 'loc' zone would be
> 192.168.0.0/24, and 'net' would be everything else.

I agree.

>
> > 3. The server runs a webserver on port 80 and a mailserver/pop3 MTA
> > (both available to the internet and the lan).
>
> Personally, if you are running standard POP3 over the Internet, I think you
> are:
>     a) crazy,
>     b) an ISP, or
>     c) both of the above.   :-)
> I know users like it, but it really is quite insecure.

Yes -- a VPN solution would definitely be better.

>
> I don't think it would help.  You can do all you want by defining Shorewall
> zones.

I agree.

The only thing that I can add is that for NFS, I would open UDP port 111 and
ALL unpriv UDP ports from the NFS client (your server) to the NFS server
(SNAP).

-Tom
--
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
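As an added illustration (not part of this thread, and not Shorewall's shipped configuration), here is the zone split Paul describes and the NFS opening Tom suggests, written as Shorewall configuration fragments. It assumes Shorewall runs on the LAN server itself with a single interface (eth0, a placeholder) behind the NAT router, and that the SNAP NFS server sits at 192.168.0.20 (a constructed address).

```text
# /etc/shorewall/zones -- most specific zone first; both share eth0
#ZONE   DISPLAY   COMMENTS
loc     Local     LAN, 192.168.0.0/24
net     Net       everything else (requests keep their true source IP)

# /etc/shorewall/interfaces -- no zone here; membership comes from hosts
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect

# /etc/shorewall/hosts -- split the one interface into the two zones
#ZONE   HOST(S)
loc     eth0:192.168.0.0/24
net     eth0:0.0.0.0/0

# /etc/shorewall/policy -- the server initiates only the LAN traffic
# listed in rules; everything not matched by a rule is rejected and logged
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
fw        loc    REJECT   info
all       all    REJECT   info

# /etc/shorewall/rules -- web and mail reachable from both zones
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
ACCEPT   net     fw                 tcp    80
ACCEPT   loc     fw                 tcp    80
ACCEPT   net     fw                 tcp    25
ACCEPT   loc     fw                 tcp    25
ACCEPT   net     fw                 tcp    110
ACCEPT   loc     fw                 tcp    110
# NFS as in Tom's note: portmapper (111) plus all unprivileged UDP ports
# from the NFS client (this server) to the NFS server (the SNAP, assumed
# 192.168.0.20). Replies are matched by connection tracking, so no
# return rule is needed.
ACCEPT   fw      loc:192.168.0.20   udp    111
ACCEPT   fw      loc:192.168.0.20   udp    1024:65535
```

Because the SNAP is named by address, a host elsewhere in 192.168.0.0/24 cannot reach the server's unprivileged UDP range through these rules; the drops show up in the log at the `info` level set in the policy file.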