Wrapper running at the firewall

Next: Redirecting firewall Up: Sample configurations Previous: Sample configurations Contents

Wrapper running at the firewall

A firewall, located at a network's perimeter, either between the network and the Internet or between the servers' segment and the rest of the network, can very easily control many of the servers' network ports.

$\resizebox* {0.6\textwidth}{!}{\includegraphics{include/wrapper-at-firewall.eps}}$

Such a scheme would result in the following advantages and disadvantages:

$\begin{labeling}{00.00.0000} \item [Advantages]~ \end{labeling}$

A single, central configuration
Upgrades can be done only once, they will be automatically applied to every server inside the firewall
All logging is centralized on a single machine, so detecting attacks to multiple servers becomes easier
Firewall becomes a transparent proxy
The servers' configuration must not be modified, the server programs will run as usual. All the wrapping will be made at the firewall.
Local users will be able to directly connect to the server, bypassing ProtoWrap's restrictions.

$\begin{labeling}{00.00.0000} \item [Disadvantages]~ \end{labeling}$

A firewall only protects a specific perimeter; any attack conducted from within the protected segment will talk directly with the server, not with the wrapper
All logging is centralized on a single machine, so they can be easily erased by an attacker who gains access to the firewall
Imposes extra load on the firewall, specially if a large number of servers is protected. If a firewall fails due to a DoS attack, the whole network will be disconnected from Internet.

This would be achieved using the following configuration files:

Firewall's /etc/ipnat.conf includes:

rdr ep1 192.168.0.1/32 port 25 -> 192.168.0.254 port 10025

Firewall's /etc/rc.local includes:

/usr/local/bin/smtpwrap &

Firewall's /usr/local/bin/smtpwrap:

#!/usr/bin/perl 

use ProtoWrap::SMTP;
use strict;

my ($wrap);

$wrap = ProtoWrap::SMTP->new('standalone' => 1,
                             'listenPort' => 10025,
                             'destType' => 'ip',
                             'destAddr' => '192.168.0.1',
                             'logLevel' => 3,
                             'maxMsgSize' => 3000000,
                             'relayDomainList' => ['mydomain.com'],
                             'maxRcpt' => 10,
                             'setUidTo' => 32767
                             );
die 'Can\'t start SMTP wrapper' if (not defined $wrap);
$wrap->startServer() or warn 'Can\'t start wrapper for '.$wrap->getProp();

Next: Redirecting firewall Up: Sample configurations Previous: Sample configurations Contents

Gunnar Wolf
2001-03-12