[Gloucs] mount

Mark gloucs at mailman.lug.org.uk
Sat May 24 15:06:01 2003


Ok, well, might as well give my penny's worth,

The best plan is normally to have a firewall acting solely as that, so that's
your NAT box playing its usual happy, cheerful (and cheap!) self.

Yes, go with Smoothwall if you really want to, but you'd probably gain more from
writing the rules yourself. I find it quicker to block the annoyances that turn
up in logs with a manual rc.firewall script that I just append the IP address
to. (You can write a tiny program/shell script to automate this, or edit Apache
itself to do XyZ with the request... or the kernel.)

Having tangented sufficiently...

Have an internal box for the webserver. Having a DMZ is always a sensible
plan, so put another NIC into the firewall and have the webserver redirects
(email, web, etc.) all going somewhere OTHER than into your private network
with the machines you use for everyday things. That's a plus on several
occasions, mostly if a worm/pre-pubescent hits you: it then stands less chance
of doing any considerable damage.

At the firewall, of course, you can define rules to only allow traffic that
is requested to leave, so pinning in anyone who was to get into the webserver
etc.

With the webserver out of the way with its own forwarding rules for external
requests, the NAT function on the NIC connected to the private network (which
you want to use to browse the net, par exemple) can then be set up to allow
everything out that's originating from, say, 192.168.1.0/24.


Sorry I hadn't rambled earlier than now; in the middle of committing
atrocities on the kernel, must get back to it.

Mark
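
The three-NIC layout the post sketches (NAT box, DMZ on a third NIC taking the web redirects, DMZ allowed to answer but not to start connections, everything out from 192.168.1.0/24, and a hand-appended block list), written up as an rc.firewall script. This is an added example, not Mark's script or anything posted to the list; the interface names, addresses, webserver host and the blocked addresses are assumptions constructed for illustration. It prints the iptables commands by default and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# rc.firewall: three-NIC NAT firewall with a DMZ (added example).
# Assumed layout (not from the original post):
#   eth0  external, public side
#   eth1  private LAN, 192.168.1.0/24 (the machines used for everyday things)
#   eth2  DMZ, 192.168.2.0/24, webserver at 192.168.2.10
# Dry run by default: prints the iptables commands it would run.
# APPLY=1 ./rc.firewall executes them (needs root).

EXT_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24
WEB=192.168.2.10

if [ "${APPLY:-0}" = 1 ]; then
    IPT=/sbin/iptables
else
    IPT="echo iptables"     # unquoted on use, so the word split runs echo
fi

flush_and_default() {
    # Empty the tables and deny by default for traffic to and through the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
}

block_annoyances() {
    # The "just append the IP address" list: one address or CIDR per line.
    # These go in before the stateful ACCEPT so a blocked host loses even
    # connections that were already open. Constructed sample entries.
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        $IPT -A INPUT -s "$ip" -j DROP
        $IPT -A FORWARD -s "$ip" -j DROP
    done <<EOF
# hosts that keep turning up in the logs (constructed examples)
198.51.100.23
203.0.113.0/24
EOF
}

allow_replies() {
    # Replies to connections that were requested from inside are always fine.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

dmz_rules() {
    # Redirect inbound web requests from the outside to the DMZ host.
    for port in 80 443; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$WEB"
        $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$WEB" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # The DMZ may answer (ESTABLISHED above) but may not open anything new,
    # towards the LAN or the net: whoever gets into the webserver is pinned in.
    $IPT -A FORWARD -i "$DMZ_IF" -m state --state NEW -j DROP
}

lan_rules() {
    # Anything originating from the private network may go out, masqueraded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

main() {
    flush_and_default
    block_annoyances
    allow_replies
    dmz_rules
    lan_rules
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

main
```

Rule order is the point to check when adapting it: the block list sits before the ESTABLISHED,RELATED accept, and the DMZ's NEW drop sits after the inbound web accept, so the DNAT'd requests get through while nothing the webserver starts itself does. A dry run (no APPLY) prints the full rule set for review before it is ever applied.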