
Local redirecting firewall local rules

There are cases, however, in which even the configuration change described above cannot be made. A server may be hard-wired at the source-code level to listen on a specific port, as many closed-source applications are, and it may not be desirable to run the wrapper at the firewall. Not all is lost, though. Using local firewalling rules, present in almost any Unix system, the administrator can instruct the server to forward all incoming requests on the server's port to the wrapper's port, allowing only local connections (here, local means originating on the same machine, not even on the local network).



[Figure: redirecting local rules (include/redirecting-local-rules.eps)]



Advantages


Disadvantages

For this scheme, we would use the following files:

Server's /etc/rc.local includes:

/sbin/ipchains -A input -d 192.168.0.1/32 --proto tcp --destination-port 25 -j REDIRECT 10025
/usr/local/bin/smtpwrap &

Firewall's /usr/local/bin/smtpwrap:

#!/usr/bin/perl 

use ProtoWrap::SMTP;
use strict;

my ($wrap);

$wrap = ProtoWrap::SMTP->new('standalone' => 1,
                             'listenPort' => 10025,
                             'destType' => 'ip',
                             'destAddr' =>  '127.0.0.1',
                             'logLevel' => 3,
                             'maxMsgSize' => 3000000,
                             'relayDomainList' => ['mydomain.com'],
                             'maxRcpt' => 10,
                             'setUidTo' => 32767
                             );
die 'Can\'t start SMTP wrapper' if (not defined $wrap);
$wrap->startServer() or warn 'Can\'t start wrapper for '.$wrap->getProp();
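
The ipchains rule above, rewritten for iptables, which replaced ipchains from Linux 2.4 onwards. This is an added example, not part of the original document or of ProtoWrap. It reuses the address and ports shown on this page; the function names and the APPLY switch are hypothetical.

```shell
#!/bin/sh
# Added example: iptables form of the page's ipchains REDIRECT rule.
# Address and ports are the ones used on this page; the function names
# and the APPLY switch are hypothetical, chosen for this example.
SERVER_IP="192.168.0.1"
SERVICE_PORT=25
WRAP_PORT=10025

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one iptables argument list per line for the given address and ports.
redirect_rules() {
    ip=$1; svc=$2; wrap=$3
    valid_port "$svc" && valid_port "$wrap" || { echo "invalid port" >&2; return 1; }
    [ "$svc" -ne "$wrap" ] || { echo "ports must differ" >&2; return 1; }
    # nat/PREROUTING only sees packets arriving from the network, so the
    # wrapper's own connection to 127.0.0.1:$svc is not redirected again.
    echo "-t nat -A PREROUTING -d $ip/32 -p tcp --dport $svc -j REDIRECT --to-ports $wrap"
    # Redirected packets reach INPUT with the wrapper's port, so this rule
    # only drops non-loopback traffic that still targets the real server
    # port (for example, sent to another address of the same host).
    echo "-A INPUT ! -i lo -p tcp --dport $svc -j DROP"
}

# Dry run by default: print the commands. APPLY=1 (as root) installs them.
apply_rules() {
    rules=$(redirect_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # shellcheck disable=SC2086  # word splitting is intended here
            iptables $rule || exit 1
        else
            echo "iptables $rule"
        fi
    done
}

apply_rules "$SERVER_IP" "$SERVICE_PORT" "$WRAP_PORT"
```

Because `-A` appends, the DROP rule only takes effect if no earlier INPUT rule already accepts traffic to the server's port.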


Gunnar Wolf
2001-03-12