I will be modifying a LAN config in the near future and was looking for any
thoughts, mods, etc. for what I have in mind. Feel free to shoot it down in
flames - but do it nicely :-)
Currently, the set up is a single subnet, with a multi-homed box hosting
both MS Proxy Server and MS Exchange Server. This is linked to a
dial-on-demand ISDN router via the extrernal network card. All very
In a few months we'll be going over to an ASDL line, fixed IP address (or
range) and I want to secure the network appropriately. We may also want to
host our own web and ftp servers at a later date.
I've been looking through the newgroups and FAQ sites and a suitable set up
seems to be:
Linux Firewall -----------Future DMZ segment for Web and FTP servers
Secured LAN with MS Exchange Server and MS Proxy Server
The firewall will be providing MASQuarading for the LAN - together with
Any future web and ftp servers would be implemented with a seperate DMZ
network segment off of a third NIC on the firewall.
The following config is what I'm not too sure about....
In order to log web access and provide caching, we will keep the proxy
server on the internal LAN - but it will not be the firewall, just a regular
node with the linux firewall set as its gateway. Generally, all outbound
web, ftp etc access will be blocked except for the appropriate proxy server
ports and IP address. Then any MS client needing internet access will use
the proxy sever via winsock etc. Any future non-MS boxes could access
through the firewall directly - having set up specific outbound rules for
their IP addresses on the firewall.
The MS Exchange server will be placed on the internal LAN - not the DNZ. The
SMTP feed will be routed through the firewall. ##### Does anyone have any
insights on setting up such a rule for IPCHAINS - can it be done when the
firewall is MASQuarading the rest of the LAN?
There would also be an internal DNS server handling cache forwarding to the
DNS servers of the ISP. This would be placed on the internal LAN.
Any suggestions, ideas, flames etc more than welcome.