[Techtalk] iptables DMZ and more :)

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Dec 26 17:41:50 EST 2001


Heya --

Quoth James (Fri, Dec 21, 2001 at 01:13:58PM -0500):
> Anyone have a good rundown on an iptables DMZ firewall?  I've read a few
> premade-fill in the blank scripts for it, but does anyone have their own
> they could share?

	Unfortunately I just migrated my last firewall to BSD, so I
currently don't have any Linux boxes doing firewalling that I could
throw you the configs of.  However, if you tell me what you want to let
through, I can easily dummy you up some rules.  (I assume you'll want to
allow ftp, ssh, smtp, http, and maybe pop through?  What other services
are you offering beyond the firewall?)

> Preferably not entirely complicated with things I can
> understand.  This is what I'm looking to do:
> 
> Cisco 2500 -------- | Firewall |
>                     + NIC1 - DMZ1 Web Servers (www, mail, mysql etc)
>                     + NIC2 - DMZ2 for MS ISA Proxy Server to private network
> (yuck, but not my decision)

	Okay -- what needs to be externally accessible?  Do you need to
get to anything mysql from outside the firewall, or is it only the
private network that would need to access it?  You can always leave ssh
open on that box for administrative purposes, and firewall off sql from
the outside world.

	What are you doing for network management software?  SNMP?
Anything like that need to be allowed?  To the whole world, or to the
private network only?
 
> Now what I should be doing is 1to1 NAT, right?
> 
> DMZ1 Servers:
> 207.127.75.179 <--> 192.168.1.179
> 207.127.75.180 <--> 192.168.1.180
> 207.127.75.181 <--> 192.168.1.181
> 
> And for DMZ2's proxy server...
> 207.127.75.244 <--> 192.168.2.244
> 
> And so on and so forth?

	Yeah, that sounds sensible to me, and is probably how I'd design
it as well.
 
> District Systems Coordinator installing Win2k and IIS and not patching
> for Nimda and being compromised in < 30 minutes.  Sigh :/  And he used
> to think I was bsing about the number of CR/Nimda attempts we had on our
> Linux servers.

	Heh.  If you read focus-linux at securityfocus.com, they often
post snort rules for the latest and greatest worms.  It's a wonderful
way to keep track of things like that.
 
> Now, so far they've said "We're going to pay you."  But they haven't
> named a number.  What should be the general start point? 

	Consulting fees for professional sysadmins usually (IME) start
at about $40 an hour.  You generally make less than that if you're an
employee, but consultants charge more.  I know consultants who make $300
an hour, with a four hour minimum charge.  Some of them are even worth
it.  [grin]

	Personally, I usually ask for about $100 an hour for security or
routing work.  $50 if one of my friends referred the person to me.  That
should give you a ballpark figure -- other people's mileage may vary.

> managing and maintaining Linux servers, Linux firewall,
> doing web content and special projects in PHP/MySQL.

	Yeah, that sounds like professional sysadmin work.  Plus, you
can put this on your resume and it will look stellar.  [grin]  I'd ask
for $40 an hour or so.  School systems and academic environments tend to
pay less, government and private industries tend to pay more.
 
> We're going to be (finally) doing a webmail system
> (Linux/Apache/exim/uwimap/Horde IMP) for all teachers/staff.  However,
> we need to make administration super easy.  Like point and click.

	Sorry; I can't help with that one.  I don't really use
web-interfaces when I can command-line it, and in the cooperative
systems I've administered, the other sysadmins felt the same way.
Hopefully someone else here has more experience with that sort of thing.

Cheers,
Raven 
 
"Nobody 'manages' IT.  It simply entropies."
  -- Rafe, on the number of "Come As You Aren't" attendees who came as
     some form of IT management.
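As an added dry-run example (not code from this thread, from Raven, or from any project), here is how the 1:1 NAT pairs James listed and the "ssh open, sql firewalled off from the outside world" policy Raven describes translate into iptables rules. Interface names, the service list, and the assumption that private-network traffic reaches DMZ1 through the DMZ2 interface are mine; by default the script prints the commands, and IPT=iptables applies them.

```shell
#!/bin/sh
# Rule generator for the two-DMZ layout in the thread. Defaults to a dry run
# (prints commands); run with IPT=iptables as root to load them for real.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0     # assumed: interface facing the Cisco 2500
DMZ1_IF=eth1    # assumed: NIC1, web/mail/mysql servers
DMZ2_IF=eth2    # assumed: NIC2, ISA proxy in front of the private network

# 1:1 NAT pairs exactly as listed in the thread: "public private"
NAT_MAP="207.127.75.179 192.168.1.179
207.127.75.180 192.168.1.180
207.127.75.181 192.168.1.181
207.127.75.244 192.168.2.244"

# One static pair: DNAT inbound to the private address, SNAT its outbound traffic.
nat_pair() {
    pub=$1; priv=$2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$priv"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
}

nat_rules() {
    echo "$NAT_MAP" | while read -r pub priv; do nat_pair "$pub" "$priv"; done
}

filter_rules() {
    # Deny by default; only replies and explicitly offered services get through.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the world from DMZ1 (ftp, ssh, smtp, http, pop3).
    for port in 21 22 25 80 110; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ1_IF" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    # MySQL: reachable only from the DMZ2 side (the private network), never from outside.
    $IPT -A FORWARD -i "$EXT_IF" -p tcp --dport 3306 -j DROP
    $IPT -A FORWARD -i "$DMZ2_IF" -o "$DMZ1_IF" -p tcp --dport 3306 \
         -m state --state NEW -j ACCEPT
}

nat_rules
filter_rules
```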