[lug] Personal Server Behind DSL Router

karl horlen horlenkarl at yahoo.com
Fri Jan 12 01:26:41 MST 2007


> > If I'm set up to not relay from the outside world
> > how would I bounce spam?  Not sure I follow you here.
> 
> A bounce (non-delivery report) is not a relay.  As
> long as you aren't accepting any mail and then bouncing
> it you probably won't have trouble.  But take it slow
> and make sure you understand the concepts as you
> configure things.

I think I see what a bounce is now.  Normally with
spam filtering, if a mail is flagged as spam/junk, a
good filter will probably just "drop" the mail.  In
other words, it actually does initially accept the mail
but then just trashes it.

If instead it flagged it as spam and then sent a reply
back (which is kind of silly because spam often comes
from a bogus address or at least an address that
didn't exactly authorize the sending) that basically
creates double spam.

Is that what you mean by bounce?

I guess the problem gets down to how you filter.  If
you flag and drop a mail as spam that isn't spam (a
false positive), rather than sending back a reply to
the client, then you've lost a legitimate email.  If you
set the filter too loose, too much spam gets through.

> >> make sure other machines don't trust it any more
> >> than the Internet.
> > 
> > As I said above, I will probably be accessing this
> > box from my internal network.  ssh, admin, sftp, mail
> > relay and probably other things I haven't thought of
> > yet.  I'm going to have to trust it.  How can I not?
> 
> Trust means give it access to your other internal
> machines.  When it gets hacked the attackers will be
> able to access all the services on your internal
> network, unless you have a firewall between them.  You
> want the public server to be in a "DMZ", not on the
> internal network.

I'm wondering about how to set up a *real* DMZ with my
current setup (versus what I would call a *pseudo*
DMZ).  What I mean is that my Actiontec DSL modem
router has multiple internal ports on 1 internal
network and one external port/network.  If I attach my
public server to one internal port on the Actiontec,
attaching my private network to the other internal
ports puts it on the same network as the DMZ.  In that
case it's not really a "true" DMZ, is it?

My next thought was to attach my Linksys router to one
of the ports on the Actiontec and then place my
private network on the internal side of the Linksys.
That gives a little more separation between the public
server and the private network, but I'm not sure that
really creates a "true" DMZ either.

If I'm not mistaken, the only way to create a "true"
DMZ would be if my Actiontec actually had 3 network
interfaces (3 networks).  One network for the public
IP.  One network for the DMZ.  One network for the
private network.

Then a packet filter with rulesets living on that
router would apply routing rules between and to/from
all networks.

That would really be the only "true" DMZ. Is this
correct thinking?

If so, is there any cheap router device/appliance with
3 interfaces and a dsl modem out there that would do
this?

Or, since my setup isn't mission critical, should I
just suck it up and use method 2 with the Linksys
described above and make that as secure as possible?
Since port forwarding on the Actiontec will only be
opened up for the 3 services on my server and only TO
THAT server, in theory nothing from the internet can
actually DIRECTLY reach my private network, only the
server.  Which means only the server can be breached.

However, if the server is breached, because it does
live on the same network as my private network,
breaching the private network becomes that much
easier.

This is why it would be preferable to have the private
network on its own network.  That's what creates a
"true" DMZ.

As I think this out typing it, my logic seems to make
sense.  I guess it's just a matter of implementation,
money (willingness to buy the equipment to give you
the most protection) and then time and willingness to
implement it.

Does my logic sound correct?
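The three-interface layout discussed above (one public interface, one DMZ segment holding only the public server, one private segment, with the packet filter on the router deciding what may cross between them) is what a Linux box with three NICs and iptables gives you. The script below is an added example written for this page, not something posted in the thread or shipped by any of the products named in it. The interface names (eth0/eth1/eth2), the two RFC 1918 subnets, the server address 192.168.10.10 and the exposed ports 22/25/80 are all assumptions chosen for illustration; it also assumes the Linux box holds the public address on eth0 (DSL modem in bridge mode, or the modem's single LAN port feeding eth0 with all three ports forwarded to it). By default it prints the iptables commands instead of running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: three-interface Linux router giving the public server
# its own DMZ segment.  Interface names, subnets, server address and
# exposed ports are assumptions, not taken from the original post.
set -eu

WAN_IF=${WAN_IF:-eth0}      # public side (toward the DSL modem)
DMZ_IF=${DMZ_IF:-eth1}      # DMZ segment: the public server only
LAN_IF=${LAN_IF:-eth2}      # private network
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.20.0/24
SERVER=192.168.10.10        # public server inside the DMZ (assumed)
PUBLIC_TCP_PORTS="22 25 80" # ssh/sftp, smtp, http: the only exposed services

# Dry run by default: print the commands.  Run with IPTABLES=iptables
# as root to apply them for real.
IPT=${IPTABLES:-"echo iptables"}

fw_rules() {
  $IPT -F
  $IPT -t nat -F
  # Default deny for anything crossing the router.  The router itself
  # answers only established flows and admin ssh from the LAN side.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

  # Replies to flows that were already allowed, in every direction.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Internet -> DMZ: only the forwarded ports, and only to the server.
  for port in $PUBLIC_TCP_PORTS; do
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
      -j DNAT --to-destination "$SERVER"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$SERVER" \
      -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done

  # LAN -> DMZ (admin, sftp, handing mail to the server) and
  # LAN -> Internet are allowed; Internet-bound traffic is masqueraded.
  $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  # DMZ -> Internet: the server still needs to deliver mail and fetch updates.
  $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

  # The whole point of the DMZ: a compromised server cannot open anything
  # toward the private network, and nothing from the Internet is ever
  # forwarded to it.  Both are already covered by the DROP policy; the
  # explicit rules make the intent visible and give a place to add -j LOG.
  $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

fw_rules
```

The decisive rules are the last two: with the server on its own interface, the "DMZ -> LAN" direction is a filter decision on the router rather than a flat Ethernet segment, which is exactly what a single-LAN "pseudo DMZ" cannot give you. Established-flow matching lets LAN hosts reach the server (ssh, sftp, submitting mail) while the server still gets no way to initiate connections back.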




