[TriLUG] port forwarding

Thunder Bear thunderbear at yonderway.com
Fri Jun 14 17:37:51 EDT 2002


On Fri, 2002-06-14 at 15:48, Chris Merrill wrote:
> I am going to transition my current firewall/web/mail/ftp/server
> to a new hardware box.  The old P-120 just doesn't have enough
> juice anymore.

What?!?!??

You've got to have more running on that box if it isn't holding up.

> Since I only have a few hours to dedicate here and there...I was
> wondering if I can set the new box up behind my existing firewall
> and replace the services one at a time.  For instance, once I have
> Apache configured on the new box, forward port 80 on the firewall
> to port 80 on the new box.  Eventually, when all the services are
> configured and operating, then I disconnect the old firewall from
> the cable modem and connect the new one...for a painless transition.

I do this all the time with OpenBSD and have no reason to believe that
you can't do it with Linux.

> Questions:
> 1. Is there a better way to approach the problem?

Yes.  Set up a third leg network and put your public "server" on that
network.  Firewall the crap out of it, inbound and out, and only open
what you absolutely must have for the service to work.  This way if/when
a kiddy gets in and owns you, they don't also own your personal machine
or have access to the LAN that it is sitting on.

> 2. Is "port forwarding" the right term for this?  After doing
>     a quick google and finding the IPChains HOWTO and several
>     other docs, I got a little confused about the terminology.

Yeah either port forwarding or port redirection.

> 3. Is IPChains the tool for this?  If not, what is?

I would argue "pf" but considering that this is the Triangle LINUX Users
Group, I'd better not push that issue too hard.  If you want to meet me
in bsd at trilug.org I'd love to tell you more about it.

>     The existing firewall is running RH7.  The new firewall
>     is running our shiny new copy of RH7.3
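An added example, not part of either message above: the "third leg" layout Thunder Bear suggests, combined with the one-port-at-a-time redirect Chris asks about, expressed as an iptables ruleset for the old firewall. It assumes iptables on a 2.4 kernel (what RH 7.3 ships; the RH7 box with ipchains would use ipmasqadm portfw for the redirect), and the interface names and addresses (eth0/eth1/eth2, 192.168.1.0/24, 10.0.2.0/24, 10.0.2.10) are hypothetical placeholders. By default it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original thread: an iptables ruleset for the
# transition Chris describes, run on the old firewall once it has a third
# "DMZ" interface.  Assumes iptables on a 2.4 kernel (RH 7.3); the RH7 box
# with ipchains would use ipmasqadm portfw for the redirect instead.
# Interface names and addresses below are hypothetical.

WAN=eth0            # cable modem side
LAN=eth1            # personal machines
DMZ=eth2            # third leg holding the new public server
LAN_NET=192.168.1.0/24
DMZ_NET=10.0.2.0/24
NEWBOX=10.0.2.10    # the new server on the DMZ leg

# DRY_RUN=1 (default) prints each rule instead of applying it, so the
# ruleset can be reviewed (or diffed) before it touches the live firewall.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Default-deny forwarding, let replies through, masquerade everything that
# leaves via the cable modem, and keep the DMZ from reaching the LAN.
# Needs net.ipv4.ip_forward=1 (echo 1 > /proc/sys/net/ipv4/ip_forward).
base_policy() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # DMZ -> LAN is refused even if the public server gets owned.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

# Only the outbound traffic the services themselves need (e.g. DNS and
# outgoing mail); anything else from the DMZ hits the DROP policy.
dmz_egress() { # args: proto port
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -p "$1" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

# Redirect one public TCP port to the new box: DNAT rewrites the
# destination in PREROUTING, and FORWARD must still admit the new flow.
forward_port() { # args: public-port server-port
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" \
        -j DNAT --to-destination "$NEWBOX:$2"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$NEWBOX" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

# Move services over one at a time: add a forward_port line as each
# service is ready on the new box.
build_ruleset() {
    base_policy
    dmz_egress udp 53
    dmz_egress tcp 25
    forward_port 80 80      # Apache is ready: cut web traffic over
    # forward_port 25 25    # enable once mail is configured
    # forward_port 21 21    # FTP also needs ip_conntrack_ftp/ip_nat_ftp
}

build_ruleset
```

Two things to check before running it with DRY_RUN=0: the PREROUTING match is tied to the cable-modem interface, so machines on the LAN that connect to the public address will still hit the old server rather than the new one (test from outside, or use the DMZ address directly), and any port you stop forwarding still has to be closed on the old box itself.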
