>Date: Tue, 20 Jan 1998 19:18:15 -0700
>From: Martin <marty @ outputservices . com>
>Subject: Re: Packet Filtering suggestions?
>
>A Followup; many thanx to those who replied. Our network is as follows:
>  ---       --------       ----------------
> |ISP| - - | SERVER |---+--|X-terminal farm |
>  ---       --------    |   ----------------
>                        |   -----------------
>                        +---| Network devices |
>                            -----------------
>
>Our ISP connection is not made (yet...). There is zero reason for any node
>other than our server to establish an internet connection. My question is,
>is there really a reason to put a firewall between the ISP and our server
>(a Sun 1000 running Solaris), or to put a firewall between the ISP and our
>LAN? Can't the server do some packet filtering at the port attached to the
>ISP (initially PPP)? Kinda a per network port inetd.conf, if you will.
>
>TCPwrappers seems to do some of this, but globally, across *all* network
>ports, and leaves some holes. Do I really need yet another computer to
>accomplish this? I hope to restrict all inbound server traffic initially to
>SMTP requests and client replies (so I can outbound ftp, http, etc), and then
>slowly let more server requests in as our needs dictate.
>
>Is there software I can just put into Solaris to filter the ISP connection
>and leave the LAN connection intact, or does it really take more hardware?
>
>Any and all replies greatly appreciated.
>
>Thanx,
>Marty
>
>------------------------------
Personally I'd recommend a basic IP Masquerading (NAT ish) firewall
through Linux. For the expense of a low end PC (Pentium anything or high
end 486 with 16 ish Mb RAM) you get quite a decent Firewall product as part
of a Freeware OS. The web has countless IP Masquerading reference sites
(well, AltaVista counts 12,501 matches actually). If you have a PC lying
around doing nothing, this is a free firewall; if not, the max it will cost
you is $900 or so. To protect your network from potential threat that is an
excellent investment; most firewall software is $15k + and requires a big
machine.

IMHO and all that stuff.

Jason.
--
------------------------------------------------------------------------
Jason Keogh                  AutoDealing Software
IT Services Dept.            2-4 Ely Place, Dublin 2, Ireland
jkeogh @ cognotec . com or jason @ autodealing . com
Phone: +353 1 6766455        Fax: +353 1 6766500
------------------------------------------------------------------------
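
The per-interface policy described in the quoted question (filter only the ISP link, admit new inbound connections to SMTP alone, allow replies to connections the server opened, leave the LAN untouched), modeled as an added Python example that is not part of either message. The interface names `ppp0` and `le0`, the addresses and the class names are assumptions, and the flow tracking is simplified: it ignores TCP flags and timeouts.

```python
from dataclasses import dataclass, field

SMTP = 25

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet crosses on the server
    direction: str   # "in" = arriving at the server, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class InterfaceFilter:
    filtered_iface: str = "ppp0"                      # assumed name of the ISP link
    services: set = field(default_factory=lambda: {SMTP})
    flows: set = field(default_factory=set)           # connections seen so far

    def check(self, p: Packet) -> str:
        if p.iface != self.filtered_iface:
            return "accept"                           # LAN side is left intact
        key = (p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":
            self.flows.add(key)                       # remember what the server sent
            return "accept"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"                           # reply to traffic the server sent
        if p.dport in self.services:
            return "accept"                           # new request to a published service
        return "drop"                                 # everything else from the ISP side

def run_sample():
    """Constructed sample traffic; addresses are documentation ranges."""
    fw, srv, ext = InterfaceFilter(), "192.0.2.10", "198.51.100.7"
    packets = [
        Packet("ppp0", "in", ext, 40000, srv, SMTP),        # inbound mail
        Packet("ppp0", "in", ext, 40001, srv, 23),          # inbound telnet
        Packet("ppp0", "out", srv, 33000, ext, 80),         # server browses out
        Packet("ppp0", "in", ext, 80, srv, 33000),          # matching reply
        Packet("ppp0", "in", ext, 80, srv, 33001),          # unsolicited, no matching flow
        Packet("le0", "in", "10.0.0.5", 6000, srv, 23),     # X terminal on the LAN
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(run_sample())
```

The fifth packet is the case a filter keyed only on source port would let through: it claims to come from port 80 but matches no connection the server opened, so it is dropped.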