Re: Cisco 2611 2nd thread
- To: tlug@example.com
- Subject: Re: Cisco 2611 2nd thread
- From: Jonathan Q <jq@example.com>
- Date: Fri, 18 May 2001 01:56:21 +0900
- In-Reply-To: <Pine.LNX.4.33.0105171054380.2183-100000@example.com>; from sven@example.com on Thu, May 17, 2001 at 11:00:07AM -0500
- References: <Pine.LNX.4.33.0105171054380.2183-100000@example.com>
Sven Simon (sven@example.com) wrote:

> What if I connect all his servers to one ethernet interface on the 2611
> and implement filters doing something like deny all (except for the
> services he needs) x.x.x.0/28 and have all his servers an IP from x.x.x.1
> to x.x.x.14 assigned, while on the other interface all the dial-in
> servers with IPs higher than 17 would go, so they're not affected by the
> filter rules.

I'm curious, what's he using for a router now?

This is basically sound, if I understand what you're describing. Create access lists to allow only necessary ports to access the servers on their ethernet interface. You can also write access lists that specifically allow a port 25 connection if its destination is the IP address of the MX, etc.

> How would it look, though, to access the DNS (for instance) from a dial-in
> machine? They're residing on the same subnet (x.x.x.x/24 on the customer
> machines) as the DNS, but on the other ethernet interface. Will they get
> to the DNS without going thru the filters? Guess yes, since I won't
> have to do any routing between the interfaces, only from them to the WAN
> link, right?

Wrong. You have to subnet the /24, because you're putting machines on two different interfaces. And there is, of course, routing between the two subnets. That's what a router does; anything that goes through it is routed.

Your access lists need to allow any host to connect to the nameserver(s), since hosts all over the Internet need to access them for authoritative info on his domain. Machines in his own dial pool will also, of course, be allowed through.

If you don't want to subnet the /24, what you need to do is put everything on one of the ethernet interfaces, so that everything is fully accessible to everything else. All previous comments about securing those servers still apply, of course. Turn off all unnecessary services on each of them and run local firewalls, too. That should be fairly safe.

In this case you will have to write your access lists so that they specifically deny access only to those IPs on which the servers reside, except for the ports that need to be open. As noted above, you can write access lists that do this on a per-IP basis, so you can say "Allow connections to w.x.y.z on port 25, deny connections to w.x.y.z on any other port," for example. I'd recommend allowing ssh connections, too.

Jonathan
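What the per-IP access list Jonathan describes looks like in IOS syntax, as an added example that is not part of the original post. It assumes the single-interface layout from the last paragraph: the whole /24 sits on one ethernet interface, the servers occupy the first /28, and the filter is applied inbound on the WAN serial interface so the dial-in pool is untouched. The addresses (192.0.2.0/24 documentation prefix), host roles (.2 nameserver, .3 MX), the admin host for ssh, and the interface names are constructed placeholders, not values from the thread.

```cisco
! Added example, not from the original post. Addresses and roles are constructed:
!   192.0.2.0/28   = server block (.1 - .14), wildcard mask 0.0.0.15
!   192.0.2.2      = nameserver, 192.0.2.3 = MX
!   192.0.2.200    = constructed admin host allowed to ssh to the servers
!   192.0.2.17+    = dial-in pool, must not be filtered
! IOS access lists are evaluated top to bottom, first match wins, and an
! unmatched packet hits the implicit "deny ip any any" at the end, so the
! final "permit ip any any" is what keeps the dial-in pool reachable.
ip access-list extended SERVER-NET-IN
 remark DNS: any host on the Internet must reach the authoritative server
 permit udp any host 192.0.2.2 eq domain
 permit tcp any host 192.0.2.2 eq domain
 remark SMTP: allow port 25 only when the destination is the MX
 permit tcp any host 192.0.2.3 eq smtp
 remark ssh to the server block, restricted to the admin host
 permit tcp host 192.0.2.200 192.0.2.0 0.0.0.15 eq 22
 remark Replies to connections the servers opened themselves (outbound DNS, mail relay)
 permit tcp any 192.0.2.0 0.0.0.15 established
 remark Everything else aimed at the server block is dropped and logged
 deny   ip any 192.0.2.0 0.0.0.15 log
 remark The rest of the /24 (dial-in pool) is not filtered here
 permit ip any any
!
interface Serial0/0
 description WAN link (constructed name)
 ip access-group SERVER-NET-IN in
```

The ordering matters: because the first match wins, the specific permits for DNS, SMTP and ssh must precede the `deny ip any 192.0.2.0 0.0.0.15` line, and that deny must precede the closing `permit ip any any`, otherwise the deny never fires. The `log` keyword on the deny gives the router a record of rejected attempts against the servers, which is the cheapest detection available on a 2611. The `established` line only checks the ACK/RST bits and is not stateful, so it is a convenience for servers that originate connections, not a substitute for the local firewalls the post recommends.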
- Follow-Ups:
- Re: Cisco 2611 2nd thread
- From: Sven Simon <sven@example.com>
- References:
- Cisco 2611 2nd thread
- From: Sven Simon <sven@example.com>