From: Chuck Yerkes (chuck+obsd_at_snew.com)
Date: Wed Oct 02 2002 - 07:08:02 CDT


    Sure. Don't do NAT. Simply bridge the firewall or, better,
    ROUTE. There's no need to "hide" addresses and NAT != firewall.
    You can use filtering or, where applicable, proxies.

    Web services can benefit from a reverse squid server; ftp is
    quite often a bad thing (http provides the anon service functionality).
    EMail is easy.

    Oh, you'd get better answers if you suggested what you want to
    achieve in the end. I'll presume you are providing, hmmm,
    computer services for the blind who feed you text and your
    servers turn it into MP3's after setting the text to Opera music.

    Oh, and a heads up that advertising an MCSE on these lists is
    like wearing an "I'm a pedophile" sign while waiting next to
    a school yard. You ain't gonna make friends.

    Quoting Shaun Sturby (shaunoptrics.com):
    > Hello all,
    >
    > Here is an interesting challenge to chew on.
    > Due to the ISP we use for web hosting declaring bankruptcy we had to move
    > multiple servers last weekend to a new ISP.
    >
    > Wanting to increase security and make the job of moving ISPs (which I hope
    > we never have to) easier, I suggested that we put in an OpenBSD firewall.
    > The BINAT feature is what sold me as we could leave the servers on the old
    > IPs and do a 1:1 two-way NAT with our new IP space. In an abbreviated lab
    > test it worked well and things that I didn't expect to work just did. |:-O
    >
    > I had done a fair bit of reading and knew that the ftp protocol and PASV
    > connections were going to be a bit of a bear to work around, but there was an
    > ftp-proxy service and the setup looked fairly straightforward.
    >
    > In my further reading on ftp-proxy all the examples assume that either the
    > clients are being NAT'ed out one IP as in a typical LAN or that there is
    > only one ftp server that needs to be contacted behind the firewall.
    >
    > Q1. Does anyone have experience with this scenario that they would like to
    > share?
    > Multiple ftp servers behind a BINAT firewall.
    >
    > I know 3.2 is about to be released and it has a lot of enhancements to pf
    > so..
    >
    > Q2. Does this scenario work better in OBSD 3.2?
    >
    > Thanks in advance for any pointers.
    >
    > Shaun Sturby, MCSE
    > Network Specialist
    > Optrics Inc.
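
A pf.conf sketch of the scenario Shaun describes, added here as an illustration and not taken from the thread or from any Optrics configuration: it uses the pre-OpenBSD 4.7 rule syntax of the 3.x era, with interface names and the old and new address blocks assumed (documentation ranges).

```pf
# Added example: 1:1 two-way NAT (binat) for several servers that keep their
# old addresses while the world reaches them on the new ISP's block.
# Interface names and all addresses are assumed, not taken from the thread.
ext_if = "fxp0"          # toward the new ISP
int_if = "fxp1"          # toward the servers, still numbered in the old space

# old server addresses (assumed), still configured on the hosts themselves
www_old  = "198.51.100.10"
ftp1_old = "198.51.100.21"
ftp2_old = "198.51.100.22"

# new ISP addresses (assumed), the ones clients connect to
www_new  = "203.0.113.10"
ftp1_new = "203.0.113.21"
ftp2_new = "203.0.113.22"

# One binat rule per server. Each rule is bidirectional: packets arriving
# on $ext_if for $x_new are rewritten to $x_old, and packets leaving from
# $x_old are rewritten to come from $x_new.
binat on $ext_if from $www_old  to any -> $www_new
binat on $ext_if from $ftp1_old to any -> $ftp1_new
binat on $ext_if from $ftp2_old to any -> $ftp2_new

# Translation is applied before filtering, so inbound filter rules on
# $ext_if match the translated (old) destination addresses.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $www_old port 80 keep state
pass in on $ext_if proto tcp from any to { $ftp1_old, $ftp2_old } port 21 \
    keep state
pass out on $ext_if all keep state

# These rules cover only the FTP control channel (port 21). PASV data
# connections land on dynamically chosen ports and still need the
# ftp-proxy setup discussed in the thread; without it they will be blocked.
```

Reloading with `pfctl -f /etc/pf.conf` and checking `pfctl -s nat` shows the three binat mappings, and the `block in log` rule makes any PASV data connection that is still being dropped visible on the pflog interface.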