Linux Firewalls, MS Proxy Server and MS Exchange Server

Post by Steve Co » Fri, 21 Jul 2000 04:00:00



Hi all,

I will be modifying a LAN config in the near future and was looking for any
thoughts, mods, etc. for what I have in mind. Feel free to shoot it down in
flames - but do it nicely :-)

Currently, the set up is a single subnet, with a multi-homed box hosting
both MS Proxy Server and MS Exchange Server. This is linked to a
dial-on-demand ISDN router via the external network card. All very
simple....

In a few months we'll be going over to an ADSL line, fixed IP address (or
range) and I want to secure the network appropriately. We may also want to
host our own web and ftp servers at a later date.

I've been looking through the newsgroups and FAQ sites and a suitable set up
seems to be:

ADSL router
|
|
|
Linux Firewall -----------Future DMZ segment for Web and FTP servers
|
|
|
 Secured LAN with MS Exchange Server and MS Proxy Server

The firewall will be providing masquerading for the LAN - together with
packet filtering.
Any future web and ftp servers would be implemented with a separate DMZ
network segment off of a third NIC on the firewall.

The following config is what I'm not too sure about....

In order to log web access and provide caching, we will keep the proxy
server on the internal LAN - but it will not be the firewall, just a regular
node with the linux firewall set as its gateway. Generally, all outbound
web, ftp etc access will be blocked except for the appropriate proxy server
ports and IP address. Then any MS client needing internet access will use
the proxy server via winsock etc. Any future non-MS boxes could access
through the firewall directly - having set up specific outbound rules for
their IP addresses on the firewall.

The MS Exchange server will be placed on the internal LAN - not the DMZ. The
SMTP feed will be routed through the firewall. ##### Does anyone have any
insights on setting up such a rule for IPCHAINS - can it be done when the
firewall is masquerading the rest of the LAN?

There would also be an internal DNS server handling cache forwarding to the
DNS servers of the ISP. This would be placed on the internal LAN.

Any suggestions, ideas, flames etc more than welcome.

Post by Maciej Mastalarczuk » Sat, 22 Jul 2000 04:00:00


Hi,

> (...) In order to log web access and provide caching, we will keep the proxy
> server on the internal LAN - but it will not be the firewall, just a regular
> node with the linux firewall set as its gateway. Generally, all outbound
> web, ftp etc access will be blocked except for the appropriate proxy server
> ports and IP address. Then any MS client needing internet access will use
> the proxy server via winsock etc. Any future non-MS boxes could access
> through the firewall directly - having set up specific outbound rules for
> their IP addresses on the firewall.

Why are you going to keep Microsoft P(r)oxy? Dump it and put squid instead as a
transparent cache. You wouldn't need to install that stupid proxy client on each
Windows machine.  Honestly, IMHO MS P(r)oxy is completely useless in this case
(pretty much as in other cases as well).

Re: MS Exchange - do you use X.400 or only Internet mail? If only Internet -
there shouldn't be any problem with forwarding ports 110 and 25, but I am not
sure what X.400 exactly needs (probably NetBIOS).

You can put caching DNS on Linux and use it for all your internal network. You
don't really need a separate one unless you worry about performance on a busy
network.

There are plenty of examples about port forwarding. This feature has been
extensively implemented in Linux. You can have a look at:

http://www.LinuxVirtualServer.org/
http://linux-firewall-tools.com/linux/firewall/index.html

or just type 'man lvs' at Linux prompt.

HTH
Cheers,

Maciej Mastalarczuk
Treko Internet
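The rule Steve asks about (inbound SMTP handed to an Exchange server on the masqueraded LAN), the proxy-only outbound policy from his post, and the transparent squid alternative Maciej suggests, written out as an added example that is not from either poster: a 2.2-kernel ipchains/ipmasqadm ruleset. The interface names, addresses, the squid port and the masquerade port range are assumptions; the rule set is kept as text so it can be reviewed (or tested) before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: a 2.2-era ipchains/ipmasqadm ruleset for the
# design above. Every address, interface name and port below is an assumption.
EXT_IF=eth0                 # NIC facing the ADSL router
INT_IF=eth1                 # NIC facing the secured LAN
EXT_IP=203.0.113.10         # fixed public address (constructed, documentation range)
LAN_NET=192.168.1.0/24
EXCHANGE_IP=192.168.1.20    # MS Exchange stays on the internal LAN, not the DMZ
PROXY_IP=192.168.1.30       # MS Proxy: an ordinary LAN node, gateway = this firewall
DNS_IP=192.168.1.10         # internal caching DNS that forwards to the ISP
SQUID_PORT=3128             # only used when TRANSPARENT_PROXY=1 (squid on the firewall)
TRANSPARENT_PROXY=${TRANSPARENT_PROXY:-0}
MASQ_PORTS=61000:65095      # assumed default masquerade port range on 2.2 kernels

# Emit the ruleset one command per line. Keeping it as text lets you review the
# rules (or check them in a test) before apply_ruleset runs them on the firewall.
build_ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "modprobe ip_masq_ftp"         # FTP data connections through MASQ
    # Deny by default; loopback is fine; a packet claiming a LAN source on the
    # outside NIC is spoofed, so log and drop it before anything else.
    echo "ipchains -P input DENY"
    echo "ipchains -P forward DENY"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -s $LAN_NET -j DENY -l"

    # Inbound SMTP: accepted on the input chain for the public address, then
    # rewritten by the port-forwarding table to the Exchange server.
    echo "ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 25 -j ACCEPT"
    echo "ipmasqadm portfw -a -P tcp -L $EXT_IP 25 -R $EXCHANGE_IP 25"
    # Exchange's replies (never SYN) and its own outbound SMTP are masqueraded;
    # no blanket MASQ rule for the LAN exists, so only listed hosts get out.
    echo "ipchains -A forward -i $EXT_IF -p tcp -s $EXCHANGE_IP 25 ! -y -j MASQ"
    echo "ipchains -A forward -i $EXT_IF -p tcp -s $EXCHANGE_IP -d 0.0.0.0/0 25 -j MASQ"
    # The internal DNS forwarder may query the ISP's resolvers.
    echo "ipchains -A forward -i $EXT_IF -p udp -s $DNS_IP -d 0.0.0.0/0 53 -j MASQ"
    echo "ipchains -A forward -i $EXT_IF -p tcp -s $DNS_IP -d 0.0.0.0/0 53 -j MASQ"

    if [ "$TRANSPARENT_PROXY" = 1 ]; then
        # Maciej's alternative: squid on the firewall, LAN web traffic redirected
        # to it on the input chain (no client-side proxy settings needed). Squid's
        # own replies arrive as non-SYN TCP to the firewall's unprivileged ports.
        echo "ipchains -A input -i $INT_IF -p tcp -s $LAN_NET -d 0.0.0.0/0 80 -j REDIRECT $SQUID_PORT"
        echo "ipchains -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP 1024:65535 -j ACCEPT"
    else
        # Steve's plan: only the MS Proxy host may leave on web/ftp ports; every
        # other LAN node is denied by the forward policy and must use the proxy.
        for port in 80 443 21; do
            echo "ipchains -A forward -i $EXT_IF -p tcp -s $PROXY_IP -d 0.0.0.0/0 $port -j MASQ"
        done
    fi
    # Replies to masqueraded connections come back to the firewall's masq port range.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP $MASQ_PORTS -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -d $EXT_IP $MASQ_PORTS -j ACCEPT"
    # Everything from the LAN side is accepted into the firewall (after the
    # REDIRECT rule above); all other traffic from outside is logged and dropped.
    echo "ipchains -A input -i $INT_IF -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -j DENY -l"
}

# Does the generated ruleset contain this exact fragment? (used for checks and tests)
ruleset_has() {
    build_ruleset | grep -qF -- "$1"
}

# Flush old rules and port-forwarding entries, then load the new set, stopping
# at the first command that fails.
apply_ruleset() {
    ipchains -F && ipmasqadm portfw -f
    build_ruleset | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Apply only when explicitly asked (as root on the firewall); otherwise print for review.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run as `sh fw.sh` to print the ruleset for review, `TRANSPARENT_PROXY=1 sh fw.sh` for the squid variant, and `FW_APPLY=1 sh fw.sh` on the firewall to load it. Two caveats for anyone reading this today: ipchains is stateless, so the `! -y` rules admit any non-SYN segment to those ports rather than only packets belonging to a known connection, and the 2.4 kernel replaced ipchains and ipmasqadm with iptables, where the same design becomes a DNAT rule for port 25 plus connection tracking (`--state ESTABLISHED,RELATED`) for the replies.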

Post by Leonard Lin » Sat, 22 Jul 2000 04:00:00



We've got comparable network-solutions. But slowly we change more and
more to linux-solutions.
Reason?
NT obliges huge engines and expensive licenses.
NT uses a *ing client on each Windows-client
NT is absolutely incompatible with non-Windows clients.
NT is slow and not as flexible as Linux-Boxes.

LINUX is able to do all the things which NT does and much more.
LINUX has got the network-solutions of Berkeley University (leader in
network)
LINUX is free and always up to date.
LINUX is LINUX!

sincerely

Leonard Lin

--
Leonard Lin
Mllerwis 21
CH - 8606 Greifensee
Switzerland

Phone:  +41 (0)1  941 40 53
Work:   +41 (0)1  430 54 50
mobile: +41 (0)79 416 01 07


Post by Roy Stockma » Sat, 29 Jul 2000 04:00:00


Look at http://www.linuxsecurity.com/resources/firewalls-1.html
Roy


Firewalling a Local Area Network with routers, MS Exchange, MS Proxy and LINUX

Dear all,

I wonder if someone could offer some advice?

Let me take a second to explain the network topology we have here - briefly:

Single subnet LAN - comprising NT network with the odd bit of Novell kit.

Our comms machine runs MS Exchange 5.5 and Proxy 2.0 (it also has RRAS for
VPNs but this doesn't work because of the router listed below).

This comms machine is multihomed (I believe this is the term for 2 network
cards) The internal network as above and the external network connects to a
CISCO 760 series ISDN router. This machine is the BDC - the separate PDC is
also the internal DNS server.

Currently, all internet access works fine via the router. This is using port
address translation to hide all internal IP addresses and present as one.
Exchange happily fires off through the link too - and when connected - our
SMTP feed pushes into the Exchange server. We have 'firewalling' set up on
the router and with MS Proxy.

There are two issues I want to raise.....

1. One problem we have is that MS Exchange brings up the ISDN link every
time an externally destined email is sent - and I don't believe it is
possible to get Exchange to hold the outbound mail and fire it off at
predetermined intervals. This is costing us a fortune.....  We send large
amounts of externally bound email - all quite small - but with the ISDN line
being brought up very often, you can guess what the bill is like (5-10 sends
per hour). When we used modems, this could be achieved because Exchange used
RAS connections which could be limited to 'batch' dial-outs. This no longer
is true for the router setup.

2. We have an ISDN modem which I daresay we could use instead of the router
to give us limited dial-out but then we become reliant upon MS Proxy
firewalling as we lose the router. Is MS Proxy secure enough? (Seriously
please Linux boys and girls :-) )  And will Linux provide the internal IP
address 'hiding' - presenting one address to the outside world? Should we
drop a linux box in between the MS-Proxy/Exchange and the ISDN? Is this hard
to administer/setup as a dedicated firewall?

We want to set up a system with http, ftp etc. initiated dial-out (MS Proxy)
but not by email (MS Exchange) which we can fire off every couple of hours
or so (We have a batch file which can do this in reverse in order to receive
our mail).

We need it to be secure (!) or should I say as secure as possible... and it
would be cool if we could get VPN too (MS RRAS flavor) via the ISDN modem as
the router will not handle the encapsulation properly.

Oh and finally, the funds available are very limited, so a big
UNIX/commercial solution is probably prohibitively costly.

All ideas welcome.

Ta everyone

S
