Would you put a fully patched Leopard Server outside the firewall?
This topic has 4 replies, 4 voices, and was last updated 17 years, 2 months ago by tegbains.
ggerard (Participant), February 19, 2009 at 8:42 am, #375473
I'm tired of dorking around with NAT. I have multiple IP addresses for my machines and my guests, no PPPoE to worry about. Why wouldn't I expose my machines directly?
I’ve resisted over the years, using 1-to-1 NATs but I’m tired of DNS schizophrenia and access issues.
Problems:
1. I’ve got a firewall (Cisco 851w) which isn’t quite working the way I wanted it to. I can’t debug the thing effectively — yes, it’s probably me, but there it is. VPN is a pain to manage, it needs care and feeding, it’s another power sucker…
2. I have 14 IP addresses that are routable — why bother with the whole NAT problems and hole punching?
I'm thinking what would be the problems with having everything exposed directly?
Okay, I'm not entirely stupid, I might run my firewall in transparent mode to shut down ports and groom traffic. But other than that, would you trust and feel comfortable with Mac OS X Server and client directly exposed?
I’m also open to a hybrid solution — can I vend out multiple IP addresses (multihome) via DHCP? Say, create an internal network and external network and if you get a multihomed DHCP response, you do the right things? How well does Leopard Server accommodate DNS views? Will Bonjour go insane?
What steps should be taken to secure it without becoming difficult to use?
My main thought is that I take my laptop to a cafe or other public venue without thinking too much — how should this differ from my home?
thanks!
ggerard (Participant), February 19, 2009 at 10:27 pm, #375487
No real plan. I bought them when I was running a startup out of my apartment. It has since graduated from my home to a proper datacenter but there's no ongoing fee to maintain the statics so I kept them.
I saw the collection of IPFW rules elsewhere on the site but it looked like the date was 2007. Is there an up-to-date collection of IPFW rules?
Also, is there an OS X-specific lockdown/audit toolkit I should run before exposing, if I so choose?
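An added example (not from any poster in this thread) of the kind of default-deny ipfw rule file ggerard is asking about, for a Leopard host exposed without NAT. It assumes the host offers only SSH, HTTP/HTTPS and authoritative DNS, that the file is loaded with `ipfw -q /path/to/file` (ipfw reads one rule per line from a file, and `-q` skips the flush confirmation), and that Server Admin's Firewall service is turned off so it does not rewrite the rule set. The rule numbers, the file path and the 203.0.113.0/24 admin network are placeholders.

```conf
# Added example: default-deny ipfw rule set for a directly exposed Mac OS X 10.5 host.
# Load with:  ipfw -q flush; ipfw -q /etc/ipfw.rules   (path and rule numbers are assumptions)
# To see the final deny in the log:  sysctl -w net.inet.ip.fw.verbose=1

# Loopback: allow it, and refuse 127/8 traffic arriving on any other interface.
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any

# Dynamic rules first: packets that belong to a tracked session are accepted here.
add 200 check-state

# Inbound services. "me" matches every address configured on this multihomed host.
# SSH only from the assumed admin network; "setup" admits only the initial SYN.
add 300 allow tcp from 203.0.113.0/24 to me 22 setup keep-state
add 310 allow tcp from any to me 80,443 setup keep-state
# Authoritative DNS: UDP is stateless, the reply is covered by the outbound rules below.
add 320 allow udp from any to me 53
add 330 allow tcp from any to me 53 setup keep-state

# Everything this host initiates is allowed and tracked, so replies match rule 200.
add 400 allow tcp from me to any setup keep-state
add 410 allow udp from me to any keep-state

# ICMP needed for PMTU discovery and diagnostics:
# echo reply, destination unreachable, echo request, time exceeded.
add 500 allow icmp from any to any icmptypes 0,3,8,11

# No rule opens 5353/udp, so mDNS/Bonjour from the Internet (and any other inbound
# multicast) falls through to the deny; the host's own queries still leave via rule 410.

# ipfw's built-in rule 65535 is "allow ip from any to any" on OS X, so deny
# explicitly. logamount caps log lines so a port scan cannot fill the disk.
add 65000 deny log logamount 500 ip from any to any
```

The point of the layout is that nothing is reachable unless a rule above 65000 names it: adding a service means adding one `setup keep-state` line, and the log on the final deny shows what is being probed. When applying this over SSH from the admin network, load the file in the same command as the flush so rule 300 is back before the session times out.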
bschappel (Participant), February 22, 2009 at 4:50 pm, #375503
I do everything I can to keep servers off of the internet. I put everything behind a firewall. I haven't come across any firewall that can provide NAT that does not allow for 1:1 NAT rules. While I don't have any experience with your Cisco device I've used many others and they all do 1:1 NAT. The basic command to allow 1:1 NAT on all of my Cisco gear is:
[code]static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255[/code]
OUTSIDEIP is the internet routable IP address.
INSIDEIP is the “private” IP inside the firewall.
"netmask 255.255.255.255" limits the scope of the mapping to a single IP address.
Then you issue "conduit permit" directives to allow certain traffic through. Here's an example that allows everyone access to port 80.
[code]! conduit rules match on the global (outside) address of the static, not the inside
! address, and "any" stands alone with no "host" keyword in front of it
conduit permit tcp host OUTSIDEIP eq 80 any[/code]
You can issue as many “conduit permit” statements as needed to pass the traffic you need.
If you’re looking for a new firewall check out the Cisco ASA devices and the SonicWALL devices. I have lots of experience with each and they are much easier to configure than older Cisco devices. I would give SonicWALL the nod for ease of setup.
The Cisco uses a Java-based GUI admin util called ASDM. The SonicWALLs use an HTTP-based admin util. Both work fine on OS X.
As for your DNS issues this is easily solved by running two name servers. One name server should supply resolution for all computers inside the firewall and the other one handles requests for people outside the firewall.
tegbains (Participant), April 2, 2009 at 4:35 am, #375890
I'm not a fan of Apple's DNS server UI. Instead I use MacPorts' BIND coupled with Webmin to use Views. It works quite well, but it requires some knowledge of BIND.
An open-source firewall that I find useful is pfSense. It's based on FreeBSD with OpenBSD's pf. Really nice Web-based GUI. It runs on regular x86 hardware.
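An added example, not from either poster, of the split-horizon setup bschappel describes (one answer for inside, another for outside) done with the BIND 9 views tegbains mentions, in a single named.conf rather than two servers. The zone name, file paths, the 192.168.1.0/24 internal range and the root hints file are assumptions.

```conf
// Added example: BIND 9 named.conf with an internal and an external view.
// Zone names, paths and the 192.168.1.0/24 range are placeholders.

acl "internal" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    allow-transfer { none; };      // no zone transfers unless a zone says otherwise
    version "not disclosed";       // do not advertise the BIND version in CHAOS queries
};

// Views are tried in order and the first match-clients hit wins, so the
// narrower internal view has to come before the catch-all external one.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                 // inside hosts may use this server as their resolver
    allow-recursion { "internal"; };

    zone "." {
        type hint;
        file "named.root";         // root hints are required for recursion
    };

    // Same zone name as the external view, different data: RFC 1918 addresses.
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "internal/1.168.192.in-addr.arpa.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // authoritative only: never an open resolver
    allow-query { any; };

    // Public addresses only; inside-only hosts do not appear in this file at all.
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { none; };
    };
};
```

Two things to check after loading it: `dig @server example.com` from an outside address must return the public data with the `ra` flag clear, and from inside it must return the private data. Once views are in use every zone, including the hints zone, has to live inside a view; a zone left at top level is a configuration error.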