Redirecting firewall

Next: Server not running, called Up: Sample configurations Previous: Wrapper running at the Contents

Redirecting firewall

This scheme relies on the same basic ideas as the one presented in 5.2.1, but instead of running ProtoWrap at the firewall, each server machine runs a ProtoWrap program. This program, however, does not run on the server's well-known port; it runs instead on an unused port. The firewall redirects the packages sent to the server to the port where ProtoWrap is running, and then ProtoWrap forwards them to the server.

$\resizebox* {0.6\textwidth}{!}{\includegraphics{include/redirecting-firewall.eps}}$

From this scheme, we would get:

$\begin{labeling}{00.00.0000} \item [Advantages]~ \end{labeling}$

The servers' configuration must not be modified, the server programs will run as usual.
Local users will be able to directly connect to the server, bypassing ProtoWrap's restrictions.
Very useful while testing configurations -- If a parameter sent to ProtoWrap is found to be wrong, the server can easily be directly accessed by modifying only one firewall rule.

$\begin{labeling}{00.00.0000} \item [Disadvantages]~ \end{labeling}$

A firewall only protects a specific perimeter; any attack conducted from within the protected segment will talk directly with the server, not with the wrapper
Wrappers' executables and configuration are stored in each of the servers; this makes upgrading or adding rules a task requiring more effort than having them all in a single place.

The present configuration can be implemented this way:

Firewall's /etc/ipnat.conf includes:

rdr ep1 192.168.0.1/32 port 25 -> 192.168.0.1 port 10025

Server's /etc/rc.local includes:

/usr/local/bin/smtpwrap &

Server's /usr/local/bin/smtpwrap:


#!/usr/bin/perl 

use ProtoWrap::SMTP;
use strict;

my ($wrap);

$wrap = ProtoWrap::SMTP->new('standalone' => 1,
                             'listenPort' => 10025,
                             'destType' => 'ip',
                             'destAddr' => '127.0.0.1',
                             'logLevel' => 3,
                             'maxMsgSize' => 3000000,
                             'relayDomainList' => ['mydomain.com'],
                             'maxRcpt' => 10,
                             'setUidTo' => 32767
                             );
die 'Can\'t start SMTP wrapper' if (not defined $wrap);
$wrap->startServer() or warn 'Can\'t start wrapper for '.$wrap->getProp();

Next: Server not running, called Up: Sample configurations Previous: Wrapper running at the Contents

Gunnar Wolf
2001-03-12