[SunHELP] Configuration advice...

Sandwich Maker adh at an.bradford.ma.us
Wed Oct 13 14:00:46 CDT 2004

" From: Marvin Cummings <MarvinC at gmail.com>
" Wondering if I can solicit some advice from the list on a setup I'm
" thinking about implementing? My network is currently configured as
" follows:
" BellSouth DSL service
" Linksys 4-port DSL router
" Windows 2003 Active Directory w/AD an Integrated DNS zone
" ISA 2000 firewall server
" Windows 2003 web server 
" Exchange 2003 mail server
" I have a Solaris Ultra Sparc 10 workstation and an intel box that I'd
" like to also install Solaris 8 on.
" The plan is to install and configure sendmail on one of these solaris
" systems and place it in front of my exchange server. This would allow
" me to remove the linksys router and possibly use Solaris as my sole
" firewall/router and sendmail as a relay for my exchange server.
" What I'd like to know is what others may think of using Solaris as a
" firewall/router with a DSL connection? I'm sure it can be used for
" other things but I'd like to know how effective it is as a router?
" Right now I have the ISA server acting as a firewall with the linksys
" in front of it. I'm not too happy about this configuration but can't
" afford a hardware firewall solution.
" If anyone has any documentation on configuring Solaris 8 as a
" firewall/router and sendamil on Solaris 8 as a relay for Exchange I'd
" really appreciate it. I'm using the Mastering Solaris 8 book published
" by Sybex to gather some solid info on this but welcomes any responses
" or direction.

in addition to sunscreen there's also the very good but strictly
command-line ipfilter firewall/nat.  http://coombs.anu.edu.au/ipfilter/

it's generally very bad form to do anything but firewalling - and
maybe proxying - on your firewall.  the more it does, the more doors
you leave open for attack and infiltration; the less it does, the
easier it is to lock down.  don't run sendmail on your firewall or do
firewalling on your sendmail box.

if you have the hardware --
two private nets, one public facing, one private.
on the public one:
1 mail server
1 web server
1 ftp server
public dns server[s]
on the private one:
internal servers
	home directories
	internal web
	internal dns
	internal mail, using the public mailsrv as relay
both nets firewalled from the internet -and- from each other.  all
connection attempts from outside are either blocked or directed to
machines on the public-facing net; those machines cannot originate
connections into your private net.

why?  even attackers can get into your web server for legitimate
queries.  but they can't use ftp [for example] to break into it, and
if they do crack it they don't also get your mail or mailer and they
still face a firewall protecting your private data.
Andrew Hay                                  the genius nature
internet rambler                            is to see what all have seen
adh at an.bradford.ma.us                       and think what none thought
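For what it's worth, here is what the layout Andrew describes looks like as an ipfilter ruleset. This is an added illustration, not something from his post or from the Sybex book: interface names (hme0/hme1/hme2), the 10.1.0.0/24 and 10.0.0.0/24 ranges, the host addresses and the choice to NAT the public-facing net behind the single DSL address are all assumptions, as is the internal DNS forwarding to the public one. The firewall box itself runs nothing but ipf and ipnat.

```conf
# /etc/opt/ipf/ipf.conf  (IPFilter on Solaris 8; rules are read top-down and
# the LAST match wins unless a rule says "quick", which stops evaluation)
#
# Assumed (example) topology -- interface names and addresses are made up:
#   hme0  public side, address handed out by the DSL modem in bridge mode
#   hme1  public-facing net   10.1.0.0/24  (relay .10, web .20, ftp .30, dns .40)
#   hme2  private net         10.0.0.0/24  (Exchange .5, internal dns .6)

# loopback is never filtered
pass in  quick on lo0 all
pass out quick on lo0 all

# packets arriving on the public side claiming a private or loopback source
# are forged; drop and log them before anything else
block in log quick on hme0 from 10.0.0.0/8     to any
block in log quick on hme0 from 172.16.0.0/12  to any
block in log quick on hme0 from 192.168.0.0/16 to any
block in log quick on hme0 from 127.0.0.0/8    to any

# default policy: nothing passes unless a rule below says so
block in  log all
block out log all

# --- internet (hme0): only the four public services, on the DMZ hosts ---
# ipnat rewrites the destination to the DMZ host before these rules run,
# so they match on the 10.1.0.x address, not the public one.
pass in quick on hme0 proto tcp     from any to 10.1.0.10 port = 25 flags S keep state
pass in quick on hme0 proto tcp     from any to 10.1.0.20 port = 80 flags S keep state
pass in quick on hme0 proto tcp     from any to 10.1.0.30 port = 21 flags S keep state
pass in quick on hme0 proto tcp/udp from any to 10.1.0.40 port = 53 keep state
# (ftp data channels need ipnat's ftp proxy or a passive port range; not shown)

# --- public-facing net (hme1): may talk to the internet, never inward ---
# one deliberate exception: the relay has to deliver inbound mail to Exchange.
# To keep the DMZ strictly unable to connect inward, drop this rule and have
# Exchange pull the mail over a connection it initiates instead.
pass  in quick on hme1 proto tcp from 10.1.0.10 to 10.0.0.5 port = 25 flags S keep state
block in log quick on hme1 from 10.1.0.0/24 to 10.0.0.0/24
pass  in quick on hme1 proto tcp     from 10.1.0.10   to any       port = 25 flags S keep state
pass  in quick on hme1 proto tcp/udp from 10.1.0.40   to any       port = 53 keep state
pass  in quick on hme1 proto tcp/udp from 10.1.0.0/24 to 10.1.0.40 port = 53 keep state

# --- private net (hme2): outbound web, and mail/dns only via the DMZ hosts ---
pass in quick on hme2 proto tcp     from 10.0.0.5    to 10.1.0.10 port = 25  flags S keep state
pass in quick on hme2 proto tcp/udp from 10.0.0.6    to 10.1.0.40 port = 53  keep state
pass in quick on hme2 proto tcp     from 10.0.0.0/24 to any       port = 80  flags S keep state
pass in quick on hme2 proto tcp     from 10.0.0.0/24 to any       port = 443 flags S keep state

# /etc/opt/ipf/ipnat.conf  (NAT is applied before filtering on the way in,
# after filtering on the way out; 0/32 means "hme0's own address")
# outbound: hide both inside nets behind the single DSL address
map hme0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map hme0 10.0.0.0/24 -> 0/32
map hme0 10.1.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map hme0 10.1.0.0/24 -> 0/32
# inbound: the only services reachable from outside, steered to DMZ hosts
rdr hme0 0.0.0.0/0 port 25 -> 10.1.0.10 port 25 tcp
rdr hme0 0.0.0.0/0 port 80 -> 10.1.0.20 port 80 tcp
rdr hme0 0.0.0.0/0 port 21 -> 10.1.0.30 port 21 tcp
rdr hme0 0.0.0.0/0 port 53 -> 10.1.0.40 port 53 tcp/udp
```

The "keep state" on each pass rule is what lets one rule cover the whole flow through the box: the reply packets, and the forwarded copy going out the other interface, are matched in the state table before the rules are consulted, which is also why the block on hme1 toward 10.0.0.0/24 does not break connections the private side opened to the DMZ. The box has to forward (ndd -set /dev/ip ip_forwarding 1, or remove /etc/notrouter), and the rules load with ipf -Fa -f /etc/opt/ipf/ipf.conf and ipnat -CF -f /etc/opt/ipf/ipnat.conf. Watch the ipmon log for a while after turning it on; anything you forgot shows up as a logged block.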
