[CentOS] Port Forwarding

Mon Jan 19 18:04:57 UTC 2009
John <jses27 at gmail.com>

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Thom Paine
> Sent: Monday, January 19, 2009 9:59 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Port Forwarding
> > In the case of the OP, I would urge him to evaluate if that network
> > topology really makes sense. Does it make sense having two hosts with
> > two different connections? In that case, does it make sense to run
> > services like mail/web servers on these hosts? Shouldn't they be
> > dedicated routers/firewalls instead? And do you really need to use
> > port forwarding connections to a host that is already directly
> > connected to the internet?
> It doesn't necessarily make sense. This entire project doesn't make
> sense. The issue is that we are sending confidential patient records
> through a private network.
It does make sense to me to do it the way you describe. 

> Then they can check
> if the receiver should be receiving email in the first place. They
Yes, that would be because of HIPAA Law Requirements. They have to 
do that whether they want to or not.
See: hipaa.org and cms.hhs.gov/SecurityStandard/

> originally wanted to take control of my mail server, and I would pick
> mail up from them for all my users and I said no to that. We are
> retaining control of our network, and mail server and relaying all
> outbound mail out this new connection. Incoming mail will transfer as
> normal from all sources except from this private network which could
> have confidential patient records, and it needs to come in this new
> connection from an authenticated mail server to my box.
I hope you all are using some type of encryption. SSL?

> This project has been dragging out since 2007, and it's really getting
> on my nerves. They only want to deal with Exchange, and they have been
> sending instructions out for exchange, even though they know I am
> using Linux for my server.
Probably been dragging out since October 07? Exchange Server is, you might as
well say, a lock-in for the health care entities. It is more of a total groupware
solution for mail and calendaring and such, where sendmail is not.

> I thought I was almost out of the woods until we started testing the
> port forwarding, and I've run into these hangups.
> I think option 2 will work best for me. The box and connection on
> y.y.y.y is strictly for communicating with this other mail server I
> need to relay out, and receive only patient records mail from. If I
> rewrite the packets to appear to be from I think this will
> work.
Forging packets is one solution to the problem, but then another arises
within, such as being compliant with HIPAA and packet forwarding. Although I
could not find anything relating to forwarding "EPHI" in the HIPAA Rules, it
could become a problem later on down the road if the entity gets hit with an
E-Discovery for email. I would seek legal counsel for

> What would the best option for this be? I'm thinking I will have to
> stop using the gshield firewall that I used to use, and just write the
> rules manually in iptables because there will only be 1/2 a dozen or
> so and once they are written, they will be permanent.
Use a hardware router and firewall. Whatever you decide to do, document all
of it on paper.
You can get audited!

> Thanks for the excellent replies.
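As an added example, not from anyone in this thread, here is what the half-dozen hand-written iptables rules for the box on the y.y.y.y connection could look like: SMTP is accepted on that link only from the partner's mail server, DNAT sends it to the internal mail host, and the SNAT on the inside interface makes the forwarded packets appear to come from this box so the mail host's replies return through it rather than out its own default route (the "rewrite the packets to appear to be from" step). Interface names and all addresses are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not the thread's own config). All names and addresses
# below are placeholders; adjust before use. The script prints the rules
# so they can be reviewed and kept on paper; run with APPLY=1 to execute.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth1}              # interface carrying the y.y.y.y connection
EXT_IP=${EXT_IP:-203.0.113.2}       # this box's address on that link (placeholder)
INT_IF=${INT_IF:-eth0}              # interface facing the internal mail host
INT_IP=${INT_IP:-192.168.1.1}       # this box's address on INT_IF
PARTNER=${PARTNER:-198.51.100.25}   # the only peer allowed in over EXT_IF
MAILHOST=${MAILHOST:-192.168.1.25}  # internal sendmail box

# Emit the rule set, one iptables command per line.
smtp_forward_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $EXT_IF -s $PARTNER -p tcp --dport 25 -j DNAT --to-destination $MAILHOST:25
$IPT -t nat -A POSTROUTING -o $INT_IF -d $MAILHOST -p tcp --dport 25 -j SNAT --to-source $INT_IP
$IPT -t nat -A POSTROUTING -o $EXT_IF -s $MAILHOST -d $PARTNER -p tcp --dport 25 -j SNAT --to-source $EXT_IP
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -s $PARTNER -d $MAILHOST -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $MAILHOST -d $PARTNER -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -j DROP
$IPT -A FORWARD -o $EXT_IF -j DROP
EOF
}

# Sanity check before applying: how many rules touch the nat table
# (expect 3: the inbound DNAT, the inside SNAT, the outbound-relay SNAT).
nat_rule_count() {
    smtp_forward_rules | grep -c -- '-t nat'
}

if [ "${APPLY:-0}" = "1" ]; then
    smtp_forward_rules | while IFS= read -r rule; do
        eval "$rule"
    done
else
    smtp_forward_rules
fi
```

The last two FORWARD rules drop anything else crossing the partner link in either direction, so the only traffic that can use that connection is SMTP between the partner's server and the internal mail host.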