[CentOS] Port Forwarding

[John]

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Thom Paine
> Sent: Monday, January 19, 2009 9:59 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Port Forwarding
> 
> > In the case of the OP, I would urge him to evaluate if that network
> > topology really makes sense. Does it make sense having two 
> hosts with
> > two different connections? In that case, does it make sense to run
> > services like mail/web servers on these hosts? Shouldn't they be
> > dedicated routers/firewalls instead? And do you really need to use
> > port forwarding connections to a host that is already directly
> > connected to the internet?
> 
> 
> 
> It doesn't necessarily make sense. This entire project doesn't make
> sense. The issue is that we are sending confidential patient records
> through a private network.
---------
It does make sense to me to do it the way you describe. 

> Then they can check
> if the receiver should be receiving email in the first place. They
-----
Yes, that would be because of HIPAA Law Requirements. They have to 
do that whether they want to or not.
See: hipaa.org and cms.hhs.gov/SecurityStandard/

> originally wanted to take control of my mail server, and I would pick
> mail up from them for all my users and I said no to that. We are
> retaining control of our network, and mail server and relaying all
> outbound mail out this new connection. Incoming mail will transfer as
> normal from all sources except from this private network which could
> have confidential patient records, and it needs to come in this new
> connection from an authenticated mail server to my box.
------
I hope you all are using some type of encryption. SSL?

> This project has been dragging out since 2007, and it's really getting
> on my nerves. They only want to deal with Exchange, and they have been
> sending instructions out for exchange, even though they know I am
> using Linux for my server.
----------
Probally been draging out since October 07? Exchange Server is you might as
well say
A lock in for the health care entities. A more of a total groupware solution
for mailing calendering
And sutch where sendmail is not.

> I thought I was almost out of the woods until we started testing the
> port forwarding, and I've run into these hangups.
> 
> I think option 2 will work best for me. The box and connection on
> y.y.y.y is strictly for communicating with this other mail server I
> need to relay out, and receive only patient records mail from. If I
> rewrite the packets to appear to be from 10.10.10.4 I think this will
> work.
-----
Forging packets is one solution to the problem but then another arises
within. Sutch as
Being compliant with HIPPA and packet fowarding. Although I could not find
anything relating to 
Forwarding ""EPHI"" in HIPPA Rules, it could become a problem later on down
the road if the 
entity gets hit with a E-Discovery for Email. I would seek legal counsel for
that 

> What would the best option for this be? I'm thinking I will have to
> stop using the gshield firewall that I used to use, and jsut write the
> rules manually in iptables because there will only be 1/2 a dozen or
> so and once they are wrote, they will be permament.
--
Use a hardware router and firewall. Whatever you decide to do, document all
of it on paper.
You can get audited!

> Thanks for the excellent replies.

JohnStanley