LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-27-2006, 07:08 AM   #1
abiye
Firewall architecture problem


Hi all,
hope someone can help me with this. I had a Cisco firewall that has a bit of a problem. I have taken it off my network and want to put in a Linux firewall. Problem is there is an Exchange server behind the firewall. How do I route SMTP traffic to the server without giving the Linux box the FQDN of the Exchange server? In my former architecture (Cisco firewall) the Exchange server was the gateway. I guess the question really is how do I use the Linux box purely as a firewall.
 
Old 11-27-2006, 07:26 AM   #2
amitsharma_26
INTERNET <---> LINUX BOX <---> EXCHANGE SERVER

In the above setup, make the Linux box (firewall) the gateway of the Exchange server box & then SNAT all the packets you receive from the Exchange server over to the internet (WAN) with your WAN IP.
 
Old 11-27-2006, 07:48 AM   #3
abiye
Hi, thanks a lot for the post. In the scenario you mentioned, does the Exchange server still advertise the public IP that is in the A record of my DNS?
 
Old 11-27-2006, 10:18 AM   #4
chort
Quote:
Originally Posted by abiye
Hi, thanks a lot for the post. In the scenario you mentioned, does the Exchange server still advertise the public IP that is in the A record of my DNS?
Not if you're using NAT. That IP would be on the firewall and it would be NAT'd to the Exchange server. Does the Exchange server actually have a public IP right now?
 
Old 11-28-2006, 12:40 AM   #5
abiye
Hi, thanks. The problem is that on my DNS the IP address of my domain is mapped to the Exchange server. And since the firewall will be doing the NAT, it has to have the name of my Exchange server.


|dsl|<-----|firewall|------->|exchange server|<------->|lan|
            NAT pub/ipaddress  lan/address
            domain name for smtp
            traffic.
In the above scenario, do I have to run postfix on the firewall?
 
Old 11-28-2006, 02:14 AM   #6
chort
Best thing to do would be to give the Exchange server a new, private IP and take the public IP that it currently has and assign it to the firewall. If that's not an option, you could create a "bridge" between two NICs in your firewall and just let the traffic pass through to the Exchange box. That's not such a great idea for scalability though, in my opinion. At some point you might want to set up more servers that can be accessed from the Internet. When that happens you'll either need to get public IPs for them, or redesign your network.
 
Old 12-02-2006, 07:17 AM   #7
Tortanick
The best solution would be something like

Internet ------> Linux firewall -----> exchange
                        |
                        |
                        |
                        ----> Lan

The public IP address belongs to the Linux firewall and anything that arrives over SMTP (and whatever else) gets redirected to Exchange on an internal IP (e.g. 192.168.0.10). The rest of the LAN is on a separate subnet for security (e.g. 192.168.1.50); make sure the Exchange server can't connect to them, just the other way around. Since your open ports point to Exchange, that's your biggest risk of a hack and it should be contained.

Exchange should also have no direct access to the Linux firewall either, so give it a static IP rather than DHCP and make it use your ISP's DNS servers directly.

This sort of setup is easy to do with the IPCop firewall distro; it's worth a look: http://www.ipcop.org/

Last edited by Tortanick; 12-02-2006 at 07:22 AM.
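The layout proposed in post #2 (the Linux box as the Exchange server's gateway, SNATing outbound traffic to the WAN IP) and refined in post #7 (inbound SMTP redirected to Exchange on its own subnet, Exchange unable to initiate connections into the LAN) expressed as iptables rules. This is an added example, not code from any poster in this thread or from IPCop; the interface names (eth0/eth1/eth2), the public address 203.0.113.10, the Exchange address 192.168.0.10 and the LAN subnet 192.168.1.0/24 are assumptions. The script prints the rules by default (IPT=echo) so it can be reviewed safely; run it as root with IPT=iptables on the firewall to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the layout
#   Internet ---> Linux firewall ---> Exchange (own subnet)
#                      |
#                      +---> LAN (separate subnet)
# Interface names and addresses below are assumptions, not values from the thread.
WAN_IF="eth0";  WAN_IP="203.0.113.10"     # public IP moves from Exchange to the firewall
DMZ_IF="eth1";  EXCHANGE="192.168.0.10"   # Exchange on its own subnet
LAN_IF="eth2";  LAN_NET="192.168.1.0/24"  # workstations on a separate subnet

# IPT defaults to "echo" so the script prints the rules instead of applying them.
# To apply: IPT=iptables ./fw.sh (as root), after sysctl -w net.ipv4.ip_forward=1
IPT="${IPT:-echo}"

firewall_rules() {
    # default deny for everything crossing the firewall; clear old rules
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F

    # replies to connections already allowed may pass in either direction
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # inbound SMTP to the public IP is redirected (DNAT) to Exchange,
    # so the MX / A record keeps pointing at the firewall's public address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 25 -j DNAT --to-destination "$EXCHANGE"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$EXCHANGE" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Exchange may send outbound mail and talk to the ISP's DNS servers directly
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$EXCHANGE" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$EXCHANGE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # LAN clients may open connections to Exchange; Exchange may not initiate into the LAN
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$EXCHANGE" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$EXCHANGE" -j DROP

    # LAN may reach the Internet
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # everything leaving via the WAN interface is SNATed to the public IP
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

firewall_rules
```

Because the FORWARD policy is DROP and only explicitly listed flows are accepted, a compromise of the Exchange host is contained to the subnet it sits on: it can answer the connections the LAN opens to it, but it cannot open new ones towards the workstations or pull the firewall's own services. The INPUT chain (traffic addressed to the firewall itself) is not covered here and should be locked down separately.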