
Re: Cisco 2611 2nd thread



Sven Simon (sven@example.com) wrote:

> What if I connect all his servers to one ethernet interface on the 2611
> and implement filters doing something like deny all (except for the
> services he needs) x.x.x.0/28 and have all his servers an IP from x.x.x.1
> to x.x.x.14 assigned, while on the other interface all the dial-in
> servers with IPs higher than 17 would go, so they're not affected by the
> filter rules.

I'm curious, what's he using for a router now?

This is basically sound, if I understand what you're describing.
Create access lists to allow only necessary ports to access the 
servers on their ethernet interface.  You can also write access
lists that specifically allow a port 25 connection if its
destination is the IP address of the MX, etc.

> How would it look, though, to access the DNS (for instance) from a dial-in
> machine? They're residing on the same subnet (x.x.x.x/24 on the customer
> machines) as the DNS, but on the other ethernet interface. Will they get
> to the DNS without going thru the filters? Guess yes, since I won't
> have to do any routing between the interfaces, only from them to the WAN
> link, right?


Wrong.  You have to subnet the /24, because you're putting machines on
two different interfaces.  And there is, of course, routing between
the two subnets.  That's what a router does; anything that goes
through it is routed.  Your access lists need to allow any host
to connect to the nameserver(s), since hosts all over the 
Internet need to access them for authoritative info on his
domain.  Machines in his own dial pool will also, of course, 
be allowed through.

If you don't want to subnet the /24, what you need to do is put
everything on one of the ethernet interfaces, so that everything
is fully accessible to everything else.  All previous comments
about securing those servers still apply, of course.  Turn
off all unnecessary services on each of them and run local
firewalls, too.  That should be fairly safe.
In this case you will have to write your access lists so that
they specifically deny access only to those IPs on which
the servers reside, except for the ports that need to be
open.  As noted above, you can write access lists that do
this on a per-IP basis, so you can say "Allow connections
to w.x.y.z on port 25, deny connections to w.x.y.z on any other port,"
for example.  I'd recommend allowing ssh connections, too.

Jonathan
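A constructed Cisco IOS extended access list for the subnetted design Jonathan describes (servers in a /28 on their own Ethernet interface, DNS reachable from anywhere including the dial pool, port 25 only to the MX, ssh to every server). This is an added example, not part of the thread; the addresses are assumptions (RFC 5737 documentation range 192.0.2.0/24 in place of x.x.x.0/24, router at .1, nameserver at .2, MX at .3, servers in .2 to .14).

```cisco
! Constructed example: 192.0.2.0/28 is the server subnet on Ethernet0/0.
! Hypothetical hosts: 192.0.2.2 = nameserver, 192.0.2.3 = MX, router = .1.
! Wildcard 0.0.0.15 matches the whole /28 (hosts .1 to .14).
!
! Return traffic for TCP sessions the servers themselves opened
access-list 101 permit tcp any 192.0.2.0 0.0.0.15 established
! DNS: any host (Internet or dial pool) may query the nameserver
access-list 101 permit udp any host 192.0.2.2 eq 53
access-list 101 permit tcp any host 192.0.2.2 eq 53
! Replies to the nameserver's own recursive lookups (UDP has no "established")
access-list 101 permit udp any eq 53 host 192.0.2.2
! Mail: port 25 is allowed only when the destination is the MX
access-list 101 permit tcp any host 192.0.2.3 eq 25
! Management: ssh to every server in the /28
access-list 101 permit tcp any 192.0.2.0 0.0.0.15 eq 22
! Everything else aimed at the server block is dropped and logged;
! an implicit "deny ip any any" follows anyway, this line only adds logging
access-list 101 deny ip any 192.0.2.0 0.0.0.15 log
!
interface Ethernet0/0
 description Customer servers (192.0.2.0/28)
 ip address 192.0.2.1 255.255.255.240
 ip access-group 101 out
```

Applying the list outbound on the server-facing interface means traffic from the WAN link and from the dial-in interface is filtered the same way on its way to the servers, which is why the DNS permits are written as "any" rather than per-source. Each service the servers need beyond these (e.g. a web server on 80) gets its own per-IP permit line above the final deny.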

