On Sat, 07 Jun 1997 19:40:48 -0400, timh @ nac . net ("Timothy D.J. Hunt") wrote:
>At 07:55 AM 6/5/97 -0500, Joe Doetzl wrote:
>>I have a customer who wishes to install a NNTP server. It is likely
>>that they will host internal newsgroups that will need to be protected.
>
>The problem with the standard news feed is that the standard "IHAVE"
>protocol is a "push" feed with the sender connecting to your server.
>For this to work, your news server would need to be in the DMZ.

The other catch with a "push" feed in both directions is that, unless
your ISP sets up some means for you to control the feed (gup, etc.),
you need to call them each time you want changes, etc.

A "pull" feed is arguably harder on the server you're pulling from
than allowing it to feed you at will, but it's more secure, and gives
you control over what you get, *and* gets you out of your ISP's
hair.

I've just set up an INN-like server (Nutscrape) on my internal
network, but 'cos my ISP didn't get his act together quick
enough, I wrote my own pull feed.

One perl script that reads the active file for a list of what it
should go get, then calls nntpget for each newsgroup with
date/time parameters it gets from its own database, forms
the basis of the down "pull". A second script reads the spool
list for the upstream news server (that INN tries to contact, but
cannot) and plucks out the articles from the local spool and
posts them back upstream aka regular nntp client.

Security-wise, the INN server sits on my internal RFC1597
network, and the firewall and router have been configured to
allow NNTP client access from only the internal news server
and to only my ISP's news server. The firewall uses a
simple plug-gw like proxy to pass the traffic.

Feels nice and safe to me, and it works, with maybe a 5 min
delay before the postings hit the street, which is pretty
much standard anyway...

For what my opinion is worth, the Nutscrape News Server
seems pretty brain dead and inconfigurable to me, but the
one thing I did like was it sent all that recent rash of
"cmsg sendsys" and "send-me-your-passwd-file" control
postings to me and said "Do we really wanna send our
passwd file to this guy?" out of the box :-)

HTH

Geoff
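
The downstream "pull" described in the message above, sketched as an added example: this is not the poster's Perl script, and it is written in Python. It assumes the pull uses the RFC 977 NEWNEWS command, that internal-only groups share a `local.` prefix, and all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

LOCAL_ONLY = ("local.",)  # assumed naming convention for internal-only groups
MSGID = re.compile(r"^<[^\s<>]+@[^\s<>]+>$")  # reject anything that is not a bare message-id

def groups_to_pull(active_text):
    """Parse active-file lines ('name himark lomark flag') into groups to request."""
    groups = []
    for line in active_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line
        name, flag = fields[0], fields[3]
        if flag[0] in "xj=" or name.startswith(LOCAL_ONLY):
            continue  # disabled, junked, aliased, or never to be named upstream
        groups.append(name)
    return groups

def newnews_command(group, since):
    """RFC 977 NEWNEWS: date as YYMMDD, time as HHMMSS, always sent as GMT."""
    since = since.astimezone(timezone.utc)
    return f"NEWNEWS {group} {since:%y%m%d %H%M%S} GMT"

def plan_pull(active_text, last_pull, default_since):
    """One NEWNEWS command per group, using the per-group time of the last pull."""
    return [newnews_command(g, last_pull.get(g, default_since))
            for g in groups_to_pull(active_text)]

def wanted_ids(reply_lines, history):
    """Message-ids from a NEWNEWS reply that are well formed and not already held."""
    if not reply_lines or not reply_lines[0].startswith("230"):
        return []  # refused or failed: fetch nothing
    wanted = []
    for line in reply_lines[1:]:
        line = line.rstrip("\r\n")
        if line == ".":
            break  # end of the multi-line reply
        if MSGID.match(line) and line not in history:
            wanted.append(line)
    return wanted

if __name__ == "__main__":
    # Constructed sample data, not taken from the original post.
    active = "comp.security.firewalls 0000001234 0000001000 y\nlocal.staff 0000000042 0000000001 y\n"
    since = datetime(1997, 6, 7, 23, 40, 48, tzinfo=timezone.utc)
    print(plan_pull(active, {}, since))
    print(wanted_ids(["230 list follows", "<a1@news.example>", "."], set()))
```

Every connection in this loop is opened by the internal server, which is what lets the firewall rule stay at a single outbound NNTP path to the upstream host.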