Next: Redirecting firewall
Up: Sample configurations
Previous: Sample configurations
  Contents
Wrapper running at the firewall
A firewall, located at a network's perimeter, either between the network and
the Internet or between the servers' segment and the rest of the network, can
very easily control many of the servers' network ports.
Such a scheme has the following advantages and disadvantages:
Advantages:
- A single, central configuration.
- Upgrades need to be done only once; they are automatically applied to every
server behind the firewall.
- All logging is centralized on a single machine, so detecting attacks against
multiple servers becomes easier.
- The firewall becomes a transparent proxy.
- The servers' configuration need not be modified; the server programs run
as usual. All the wrapping is done at the firewall.
Disadvantages:
- Local users will be able to connect directly to the server, bypassing ProtoWrap's
restrictions.
- A firewall only protects a specific perimeter; any attack conducted from within
the protected segment talks directly with the server, not with the wrapper.
- All logging is centralized on a single machine, so the logs can easily be erased
by an attacker who gains access to the firewall.
- It imposes extra load on the firewall, especially if a large number of servers is
protected. If the firewall fails due to a DoS attack, the whole network will be
disconnected from the Internet.
This would be achieved using the following configuration files:
Firewall's /etc/ipnat.conf includes:
# Intercept SMTP (port 25) addressed to the server 192.168.0.1 and hand it to
# the wrapper listening on the firewall itself (192.168.0.254) at port 10025
rdr ep1 192.168.0.1/32 port 25 -> 192.168.0.254 port 10025
Firewall's /etc/rc.local includes:
/usr/local/bin/smtpwrap &
Firewall's /usr/local/bin/smtpwrap:
#!/usr/bin/perl
# Stand-alone SMTP wrapper running on the firewall: the ipnat rdr rule sends
# the server's port 25 traffic to port 10025 here, and the wrapper relays it
# to the real SMTP server at 192.168.0.1.
use ProtoWrap::SMTP;
use strict;
my ($wrap);
$wrap = ProtoWrap::SMTP->new('standalone' => 1,   # listen by itself on listenPort
  'listenPort' => 10025,                           # port the rdr rule points at
  'destType' => 'ip',
  'destAddr' => '192.168.0.1',                     # the real SMTP server
  'logLevel' => 3,
  'maxMsgSize' => 3000000,                         # bytes
  'relayDomainList' => ['mydomain.com'],
  'maxRcpt' => 10,                                 # recipients per message
  'setUidTo' => 32767                              # uid to switch to once started
);
die 'Can\'t start SMTP wrapper' if (not defined $wrap);
$wrap->startServer() or warn 'Can\'t start wrapper for '.$wrap->getProp();
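The three fragments above only work together if the rdr rule and the wrapper agree: the rule must send the server's port 25 traffic to the firewall's own address and to the wrapper's listenPort, and the wrapper's destAddr must be the server address the rule intercepts. As an added example (not part of ProtoWrap or of this page's configuration), the following Python script parses both fragments and reports any mismatch. The rdr field layout (interface, original address/mask, port, new address, port) and the Perl property syntax are taken from the fragments exactly as shown, embedded here as constructed strings; the firewall address 192.168.0.254 is the one named in the rdr rule.

```python
# Added example (not ProtoWrap code): cross-check the firewall's ipnat "rdr"
# rule against the wrapper it is supposed to feed. Both inputs are the
# configuration fragments from this page, embedded as constructed strings.
import re

IPNAT_CONF = """\
# constructed copy of the firewall's /etc/ipnat.conf fragment
rdr ep1 192.168.0.1/32 port 25 -> 192.168.0.254 port 10025
"""

SMTPWRAP = """\
#!/usr/bin/perl
use ProtoWrap::SMTP;
use strict;
my ($wrap);
$wrap = ProtoWrap::SMTP->new('standalone' => 1,
'listenPort' => 10025,
'destType' => 'ip',
'destAddr' => '192.168.0.1',
'logLevel' => 3,
'maxMsgSize' => 3000000,
'relayDomainList' => ['mydomain.com'],
'maxRcpt' => 10,
'setUidTo' => 32767
);
"""

# IPFilter rdr syntax as used on this page:
#   rdr <iface> <orig_addr>/<mask> port <orig_port> -> <new_addr> port <new_port>
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<orig_addr>[\d.]+)/(?P<mask>\d+)"
    r"\s+port\s+(?P<orig_port>\d+)\s*->\s*(?P<new_addr>[\d.]+)"
    r"\s+port\s+(?P<new_port>\d+)",
    re.MULTILINE,
)

# 'key' => value pairs inside the ProtoWrap::SMTP->new(...) call; a value is
# a quoted string, an integer, or a [...] list of quoted strings.
PROP_RE = re.compile(r"'(?P<key>\w+)'\s*=>\s*(?P<val>'[^']*'|\d+|\[[^\]]*\])")


def parse_rdr_rules(text):
    """Return one dict per rdr rule, with mask and ports converted to ints."""
    rules = []
    for m in RDR_RE.finditer(text):
        d = m.groupdict()
        for k in ("mask", "orig_port", "new_port"):
            d[k] = int(d[k])
        rules.append(d)
    return rules


def parse_wrapper_props(text):
    """Extract the constructor properties from the Perl wrapper script."""
    props = {}
    for m in PROP_RE.finditer(text):
        v = m.group("val")
        if v.isdigit():
            props[m.group("key")] = int(v)
        elif v.startswith("["):
            props[m.group("key")] = re.findall(r"'([^']*)'", v)
        else:
            props[m.group("key")] = v.strip("'")
    return props


def check_redirect(rule, props, firewall_addr):
    """Return a list of problems; an empty list means the rdr rule and the
    wrapper agree. firewall_addr is the address the wrapper runs on."""
    problems = []
    if rule["new_addr"] != firewall_addr:
        problems.append("rdr redirects to %s, which is not the firewall (%s)"
                        % (rule["new_addr"], firewall_addr))
    if rule["new_port"] != props.get("listenPort"):
        problems.append("rdr sends traffic to port %d but the wrapper listens on %s"
                        % (rule["new_port"], props.get("listenPort")))
    if props.get("destType") == "ip" and props.get("destAddr") != rule["orig_addr"]:
        problems.append("wrapper forwards to %s but the rdr rule intercepts %s"
                        % (props.get("destAddr"), rule["orig_addr"]))
    if rule["mask"] != 32:
        problems.append("rdr matches a /%d network, but the wrapper forwards to one destAddr"
                        % rule["mask"])
    if not props.get("standalone"):
        problems.append("wrapper is not standalone, so nothing listens on the redirected port")
    return problems


if __name__ == "__main__":
    props = parse_wrapper_props(SMTPWRAP)
    for rule in parse_rdr_rules(IPNAT_CONF):
        problems = check_redirect(rule, props, "192.168.0.254")
        print(rule["orig_addr"], "port", rule["orig_port"], "->",
              "OK" if not problems else "; ".join(problems))
```

Run it after editing either file; a non-empty problem list means the redirected traffic would reach a closed port or the wrapper would relay to the wrong host. The mask check matters because a rule wider than /32 would funnel several servers into a wrapper that forwards everything to a single destAddr.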
Gunnar Wolf
2001-03-12