Linux - Security (LinuxQuestions.org forum): all security related questions, tips, system compromises, firewalls, etc.
Hi all,
Hope someone can help me with this. I had a Cisco firewall that has a bit of a problem. I have taken it off my network and want to put in a Linux firewall. The problem is there is an Exchange server behind the firewall. How do I route SMTP traffic to the server without giving the Linux box the FQDN of the Exchange server? In my former architecture (Cisco firewall) the Exchange server was the gateway. I guess the question really is how do I use the Linux box purely as a firewall.
In the above setup, make the Linux box (firewall) the gateway of the Exchange server box, and then SNAT all the packets you receive from the Exchange server over to the Internet (WAN) with your WAN IP.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
Quote: Originally Posted by abiye
Hi, thanks a lot for the post. In the scenario you mentioned, does the Exchange server still advertise the public IP that is in the A record of my DNS?
Not if you're using NAT. That IP would be on the firewall and it would be NAT'd to the Exchange server. Does the Exchange server actually have a public IP right now?
Hi, thanks. The problem is that on my DNS the IP address of my domain is mapped to the Exchange server. And since the firewall will be doing the NAT, it has to have the name of my Exchange server.
|dsl|<-----|firewall|------->|exchange server|<------->|lan|
              NAT           pub/ipaddress          lan/address
                            domain name for smtp
                            traffic.

In the above scenario, do I have to run Postfix on the firewall?
Best thing to do would be to give the Exchange server a new, private IP and take the public IP that it currently has and assign it to the firewall. If that's not an option, you could create a "bridge" between two NICs in your firewall and just let the traffic pass through to the Exchange box. That's not such a great idea for scalability though, in my opinion. At some point you might want to set up more servers that can be accessed from the Internet. When that happens you'll either need to get public IPs for them, or redesign your network.
Internet ------> Linux firewall -----> exchange
                       |
                       |
                       |
                       ----> Lan
The public IP address belongs to the Linux firewall and anything that arrives over SMTP (and whatever else) gets redirected to Exchange on an internal IP (e.g. 192.168.0.10). The rest of the LAN is on a separate subnet for security (e.g. 192.168.1.50); make sure the Exchange server can't connect to them, just the other way around. Since your open ports point to Exchange, that's your biggest risk of a hack and it should be contained.
Exchange should also have no direct access to the Linux firewall either, so give it a static IP rather than DHCP and make it use your ISP's DNS servers directly.
This sort of setup is easy to do with the IPCop firewall distro; it's worth a look: http://www.ipcop.org/
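As an added example that is not part of the thread (not IPCop's configuration and not any poster's code), here is an iptables rule set for the topology sketched in the reply above: the public IP on the firewall, inbound SMTP DNAT'd to Exchange on a DMZ subnet, the SNAT suggested earlier in the thread for outbound traffic, LAN allowed to open connections to Exchange but not the reverse, and Exchange denied any access to the firewall itself apart from passing through it. Interface names (eth0/eth1/eth2), the public address 203.0.113.5 (a documentation range), the ISP resolver address 203.0.113.53 and the function name gen_rules are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and interfaces are assumptions:
#   eth0  WAN, public IP 203.0.113.5 (the address the domain's A/MX record points at)
#   eth1  DMZ 192.168.0.0/24, Exchange at 192.168.0.10 (default gateway = firewall's eth1 IP)
#   eth2  LAN 192.168.1.0/24
#   203.0.113.53  the ISP's DNS resolver that Exchange is told to use directly
WAN_IF=eth0; WAN_IP=203.0.113.5
DMZ_IF=eth1; DMZ_NET=192.168.0.0/24; EXCHANGE=192.168.0.10
LAN_IF=eth2; LAN_NET=192.168.1.0/24
ISP_DNS=203.0.113.53

# gen_rules prints the iptables commands instead of running them, so the policy
# can be reviewed (or diffed against the running ruleset) before it is applied.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The public IP lives on the firewall; inbound SMTP is DNAT'd to Exchange.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $EXCHANGE:25
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $EXCHANGE --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Everything leaving for the Internet is SNAT'd to the firewall's WAN address.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
# Exchange may only initiate outbound SMTP and DNS queries to the ISP resolver.
iptables -A FORWARD -i $DMZ_IF -s $EXCHANGE -o $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -s $EXCHANGE -o $WAN_IF -p udp -d $ISP_DNS --dport 53 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -s $EXCHANGE -o $WAN_IF -p tcp -d $ISP_DNS --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# LAN clients may open connections to Exchange; DMZ -> LAN is logged and dropped
# (replies to LAN-initiated connections already passed the ESTABLISHED rule above).
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $EXCHANGE -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# Exchange gets no direct access to the firewall host itself.
iptables -A INPUT -i $DMZ_IF -j DROP
# LAN may reach the Internet through the firewall.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Review first, then apply as root with:  gen_rules | sh
gen_rules
```

The DNAT only takes effect once the domain's A and MX records point at the firewall's public IP rather than at Exchange, which is the point made earlier in the thread; no mail software on the firewall is needed. Because the INPUT chain drops everything from the DMZ interface, Exchange can use the firewall as its gateway but cannot talk to it, so the firewall must not be Exchange's DNS server (hence the ISP resolver rule).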