From: mouss on
Jonathan Tripathy wrote:
>
>> I am not a Xen expert, but AFAICT, you can configure iptables in the VM
>> and in the host.
>>
>> note that I am not saying you should do that. it really depends on your
>> setup. if you can script the work to implement "centralized" admin, then
>> it may be worth the pain.
>>
> Yeah, I'm used to scripting iptables upon VM boot and shutdown for
> customers, so setting this up for iptables should be ok. Xen makes life
> so much easier by giving each VM an interface, so you can filter based
> on that.
>>
>>> So you think given this, that placing the mail sever in the DMZ is ok
>>> then?
>>>
>>>
>> sure it is. as already recommended, you can use VLAN to implement
>> logical segmentation inside a zone (provided your VLAN implementation
>> can't be circumvented. remember, this is only logical...).
>>
> Think it would be ok if I didn't use VLAN segmentation, but just used
> iptables between hosts? I think this would nearly achieve the same thing...

these are different things. VLAN is about ethernet. iptables/pf is about
IP.

anyway, I think we've been OT for a few posts now, so let's not annoy other
members. feel free to contact me off-list if needed/appropriate.
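
Jonathan's point above about Xen giving each VM its own interface is worth seeing as rules. The script below is an added example, not code from the thread or from Xen: it builds a per-VM chain in dom0 keyed on the VM's backend interface (vifDOMID.N), allows only the listed TCP ports to reach the VM, logs and drops the rest, and refuses frames leaving the VM with a source address other than its own. It assumes bridged networking with net.bridge.bridge-nf-call-iptables=1 so that bridged frames traverse dom0's FORWARD chain; the interface name, address and port list are constructed placeholders. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): per-VM filtering in a Xen dom0.
# Each domU has a vifDOMID.N backend interface in dom0; with bridged
# networking and net.bridge.bridge-nf-call-iptables=1 its frames pass
# through dom0's FORWARD chain, where the physdev match selects the vif.
# Interface name, address and ports below are constructed examples.
# Rules are only printed unless APPLY=1 is set (dry run by default).

IPT=${IPT:-iptables}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# chain_for VIF -> per-VM chain name (vif1.0 -> VM_vif1_0)
chain_for() { printf 'VM_%s\n' "$(printf '%s' "$1" | tr '.' '_')"; }

# vm_up VIF VM_IP "PORT PORT ..." : allow only the listed TCP ports to reach
# the VM, log and drop everything else, and block spoofed sources from it.
vm_up() {
    vif=$1; ip=$2; ports=$3
    chain=$(chain_for "$vif")
    run "$IPT" -N "$chain"
    # Everything forwarded out through this vif goes through the VM's chain.
    run "$IPT" -A FORWARD -m physdev --physdev-out "$vif" -j "$chain"
    run "$IPT" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        run "$IPT" -A "$chain" -d "$ip" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    run "$IPT" -A "$chain" -j LOG --log-prefix "$chain drop: "
    run "$IPT" -A "$chain" -j DROP
    # Anti-spoofing: frames coming out of the VM must carry its own address.
    run "$IPT" -A FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
}

# vm_down VIF VM_IP : remove the rules added by vm_up (run at VM shutdown).
vm_down() {
    vif=$1; ip=$2
    chain=$(chain_for "$vif")
    run "$IPT" -D FORWARD -m physdev --physdev-out "$vif" -j "$chain"
    run "$IPT" -D FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
    run "$IPT" -F "$chain"
    run "$IPT" -X "$chain"
}

# Dry-run demonstration: a mail VM reachable only on SMTP, submission and IMAPS.
vm_up vif1.0 192.0.2.10 "25 587 993"
vm_down vif1.0 192.0.2.10
```

Hooking vm_up and vm_down into the VM start/stop scripts keeps the dom0 ruleset in step with which VMs exist; because the VM cannot touch dom0's tables, these rules hold even if the guest itself is compromised.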

From: Randy Ramsdell on
mouss wrote:
> Simone Caruso wrote:
>
>> On 19/07/2010 22:04, Jonathan Tripathy wrote:
>>
>>> On 19/07/10 18:07, Angelo Amoruso wrote:
>>>
>>>> On 16/07/2010 10.10, Jonathan Tripathy wrote:
>>>>
>>>>> Hi Everyone,
>>>>> I have set up a mail server (on a VM) as per this article:
>>>>> http://workaround.org/ispmail/lenny
>>>>> I wish to host this server for a customer. However, I don't think
>>>>> it's "best practise" to simply place the whole VM in a DMZ and port
>>>>> forward to it. My question is, what should I do and what should I
>>>>> "split up"? The networks I have available to me are:
>>>>>
>
> If using BSD or Linux, you can also enable the "local" packet filter (pf
> under BSD, netfilter/iptables under Linux) to only allow explicitly
> authorized traffic. if you are familiar with these tools, then you don't
> even need a firewall (pf and netfilter/iptables are firewalls, so you
> get a self-protected box. but this is only true if "you are familiar..." ).
>
But a host based firewall which controls traffic is subject to
compromise itself. If you compromise the DMZ'd mail server, then you
could then change the firewall rules.

From: mouss on
Randy Ramsdell wrote:
> mouss wrote:
>> Simone Caruso wrote:
>>
>>> On 19/07/2010 22:04, Jonathan Tripathy wrote:
>>>
>>>> On 19/07/10 18:07, Angelo Amoruso wrote:
>>>>
>>>>> On 16/07/2010 10.10, Jonathan Tripathy wrote:
>>>>>
>>>>>> Hi Everyone,
>>>>>> I have set up a mail server (on a VM) as per this article:
>>>>>> http://workaround.org/ispmail/lenny
>>>>>> I wish to host this server for a customer. However, I don't think
>>>>>> it's "best practise" to simply place the whole VM in a DMZ and port
>>>>>> forward to it. My question is, what should I do and what should I
>>>>>> "split up"? The networks I have available to me are:
>>>>>>
>>
>> If using BSD or Linux, you can also enable the "local" packet filter (pf
>> under BSD, netfilter/iptables under Linux) to only allow explicitly
>> authorized traffic. if you are familiar with these tools, then you don't
>> even need a firewall (pf and netfilter/iptables are firewalls, so you
>> get a self-protected box. but this is only true if "you are
>> familiar..." ).
>>
> But a host based firewall which controls traffic is subject to
> compromise itself. If you compromise the DMZ'd mail server, then you
> could then change the firewall rules.

true. I was exaggerating a bit, ... (but not too much!)
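
Putting mouss's "only allow explicitly authorized traffic" and Randy's caveat together: the script below is an added example, not code from the thread. It states a default-deny ruleset for the mail VM itself (inbound mail ports from anywhere, SSH only from a management network, outbound only DNS and SMTP delivery) in iptables-restore format, and adds a drift check that compares an iptables-save dump against that intended ruleset. The check is meant to be run from outside the VM (for example by a monitoring job that fetches the dump), since anyone with root on the DMZ host can rewrite the local rules. The management network and the tampered sample dump are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny host firewall for the
# mail VM plus a drift check over iptables-save output, run from outside
# the VM because a compromised host can rewrite its own rules.
# The management network and the sample dump are constructed values.

MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # assumed admin network (documentation range)

# expected_rules: the intended ruleset in iptables-restore format.
# Inbound: mail protocols from anywhere, SSH from the management net only.
# Outbound: DNS and SMTP delivery only. Everything else is logged and dropped.
expected_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587,993 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "host-fw in-drop: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "host-fw out-drop: "
COMMIT
EOF
}
# To load on the VM:  expected_rules | iptables-restore

# normalize: drop iptables-save comment lines and chain packet/byte counters
# so a live dump can be compared with expected_rules line by line.
normalize() { grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//'; }

# rules_drift FILE: compare a saved ruleset (iptables-save output) with the
# expected one; prints the diff and returns 1 when they differ, 0 if equal.
rules_drift() {
    exp=$(mktemp); cur=$(mktemp)
    expected_rules | normalize > "$exp"
    normalize < "$1" > "$cur"
    diff -u "$exp" "$cur"; rc=$?
    rm -f "$exp" "$cur"
    return $rc
}

# check_text RULESET_TEXT: rules_drift for a ruleset held in a string.
check_text() {
    f=$(mktemp); printf '%s\n' "$1" > "$f"
    rules_drift "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Constructed sample dump from a host where an extra ACCEPT rule was added
# in front of the logging rule (the kind of change the thread worries about).
TAMPERED_SAMPLE="# Generated by iptables-save (constructed sample)
$(expected_rules | awk '/^-A INPUT -j LOG/ { print "-A INPUT -p tcp --dport 4444 -j ACCEPT" } { print }')
# Completed"

# Demonstration: the tampered dump differs from the intended ruleset.
if check_text "$TAMPERED_SAMPLE"; then
    echo "ruleset matches expected_rules"
else
    echo "DRIFT: live ruleset differs from expected_rules (see diff above)"
fi
```

The rules are the mitigation; the drift check is the detection that Randy's objection calls for. It only has value when the comparison, and the copy of expected_rules it compares against, live somewhere the mail host cannot write to.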
