In fulcrum.lists.firewalls, DWasser @ mdf . com wrote:
>ISP <--ISDN--> ROUTER <--> FIREWALL <--> MAIL/NEWS <--> Users
>The firewall is a dual-homed linux box. The firewall sits on our
>internal network along with a mail/news server and our users. At
>the moment I have application proxies for ftp, www, telnet, etc.
>on the firewall. I would like to set up a netnews feed through the
>firewall. My provider suggests that we receive netnews via uucp over
>TCP/IP, since we can then compress the files and reduce the
>transmission load. There are certainly several ways to do this. I'm
>not sure which is the best way. Has anyone else got such a configuration?
>One way would be to use a TCP tunnel on the firewall, so that
>uucp is only actually running on the internal mail/news machine.
>In that way, the internal mail/news machine would establish a
>uucp connection via the TCP tunnel on the firewall to the ISP.
>(The ISP never initiates the call, so I don't have to have the
>firewall accept uucp over TCP connections.)
>Another way would be to run uucp on the firewall, and do the
>decompression there. The firewall could then feed the internal
>news/mail server the articles via nntp.
>I think I will set it up so that outgoing articles will be sent
>directly to the provider using nntp (via a TCP tunnel). I don't
>expect that we will generate a lot of outgoing articles.

In your situation, I would recommend using plug-gw, or something
similar to feed the UUCP connection through to the ISP.

An alternate approach, which others may find useful, is the following:

ISP <--------------------> FIREWALL <--- uucp/serial ---> INTERNAL NET
       mail via smtp                    mail via uucp
       news via uucp/tcp                news via uucp

We did this so that we had Internet connectivity (there are several
hosts on the FIREWALL's network), but our internal network was still
only connected via UUCP. Mail was easy, running smap, then sendmail
to bundle it into uucp. News was a little harder, but still not too
bad.
We did not want to run an NNTP server on the firewall, since it
was yet another large piece of software to fail. Instead, we replaced
rnews with a simple perl script which takes incoming news batches, and
forwards them to the internal uucp link. The news server (the uucp
peer) on the inside then unbatches them, and serves them up to the
rest of the internal network.
Outgoing news is handled in a similar way. The internal news server
batches the news articles up, but instead of forwarding them with an
"rnews" header, it forwards them with a "rnews-outgoing" header. UUCP
is configured to allow "rnews-outgoing" to pass through. The firewall
receives these batches, and forwards them to the ISP over the uucp/tcp
link, removing the "rnews-outgoing" and replacing it with "rnews".
If someone really wants to look at the script I wrote to do this, I
guess I can forward it, but it's trivial, and it's the overall
configuration of uucp/inn/rnews/etc which makes this work, not just
the script.
have fun,
rik.
--
The Fulcrum Consulting Group (note phone number change)
------------------------------------------------------------------------------
Rik Harris - rik . harris @ fulcrum . com . au      +61 3 9621-2100 (BH)
12th Floor, 10-16 Queen St. Melbourne VIC 3000.     +61 3 9621-2724 (Fax)
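
The relay described in the message above, written as a shell script installed on the firewall under the two command names. This is an added example, not the perl script the author mentions; the host names, the `UUX` override, the size cap and the first-line batch check are assumptions made for illustration.

```shell
#!/bin/sh
# Firewall-side news relay, installed under two names: rnews and rnews-outgoing.
# UUCP must also be configured to permit both commands, as the post describes.
INSIDE_HOST="${INSIDE_HOST:-inside-news}"  # internal UUCP peer (hypothetical name)
ISP_HOST="${ISP_HOST:-isp-feed}"           # ISP UUCP-over-TCP peer (hypothetical name)
UUX="${UUX:-uux}"                          # overridable so the logic can be exercised
MAX_BYTES="${MAX_BYTES:-10485760}"         # assumed cap on one batch (10 MiB)

# Map the command name UUCP executed to the next hop; refuse anything else.
route_for() {
    case "$1" in
        rnews)          echo "$INSIDE_HOST" ;;  # batch from the ISP goes inward
        rnews-outgoing) echo "$ISP_HOST" ;;     # batch from inside goes to the ISP
        *)              return 1 ;;
    esac
}

# Assumed sanity check: a batch starts "#! rnews <bytes>" or "#! cunbatch".
looks_like_batch() {
    case "$1" in
        '#! rnews '[0-9]*|'#! cunbatch'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one batch on stdin and queue it, unmodified, for the next hop.
relay_batch() {
    dest=$(route_for "$1") || { echo "refused command: $1" >&2; return 2; }
    spool=$(mktemp) || return 1
    cat > "$spool"
    first=''
    IFS= read -r first < "$spool" || :       # first line only; never unbatched here
    size=$(($(wc -c < "$spool")))
    if [ "$size" -gt "$MAX_BYTES" ] || ! looks_like_batch "$first"; then
        rm -f "$spool"
        echo "rejected batch ($size bytes)" >&2
        return 3
    fi
    # "-" takes the batch from stdin, "-r" only queues it. The remote command
    # is always plain "rnews", whichever name we ran as.
    "$UUX" - -r "$dest!rnews" < "$spool" && rc=0 || rc=$?
    rm -f "$spool"
    return "$rc"
}

# Act only when invoked under one of the two installed names.
case "${0##*/}" in
    rnews|rnews-outgoing) relay_batch "${0##*/}" ;;
esac
```

The firewall only looks at the first line and the size; unbatching and article parsing stay on the inside news server, as in the configuration described.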