[clug-talk] Server questions
sgrover at open2space.com
Tue Sep 20 12:21:07 PDT 2005
With regards to firewalls, the DLink routers may not be suitable for the
business. If it is simply providing a gateway to the Internet for your
network, and maybe forwarding one or two ports, it'll probably do the job.
However, if you need to handle multiple external IP addresses, or create more
complex routing rules (allow ips x, y, and z access to ssh, but no one else),
then the DLink routers begin to become unsuitable.
A better option (IMHO), is to put in an IPCop firewall. IPCop is a dedicated
Linux system providing firewall and routing capabilities. I've yet to find a
situation that IPCop cannot handle. And, you can make use of an old box for
this (the computer then becomes ONLY a firewall - the install reformats the
As Szemir mentioned in his post, separating the firewall roles from your
server roles is a good idea. (It's a good idea to also separate each of the
server roles - but that's for performance and better security. You can get
by with a single server box to start out and grow as needed).
It IS possible to have your server behave as the firewall by getting creative
with the IPTables rules, but troubleshooting a server problem can be tougher.
(Is the server app misconfigured, or are the IPTable rules simply stopping
the traffic that makes the server run properly? - this can sometimes be very
subtle and tough to find).
I recently helped a customer move away from a DLink router due to some odd
email problems they were having. The DLink was not allowing two way
communication over port 25, even though it was told to forward the port. We
put in IPCop, and this problem vanished, and the network performance improved
greatly as well (though that is more likely due to the fact we cleaned up the
network infrastructure while we were at it).
For remote access, if the distro has SSH installed/started, and you configure
your firewall to forward port 22 to the server, you can do SSH sessions from
home, or wherever you tell the firewall to allow traffic from. This is a
very very useful tool. I've been able to tweak my own servers remotely, and
fix issues at client sites without having to physically go there. The
downside is that you tend to do much more command line stuff. SSH can
forward X sessions, or you can ignore SSH and setup a VNC server (or FreeNX)
and connect with the graphical interfaces. I find this to be a little
inconvenient for myself though - the screen updates can be jerky, or
unreliable over a slow or busy connection....
Hope that helps.
On Tuesday 20 September 2005 12:51, D Bhardwaj wrote:
> Not a long reply at all. Thanks.
> This is a new install, and SBS was purchased but I can convince the big
> boss to put it on the shelf. :) So, there is no migration, email, etc. Its
> for a startup company.
> Shawn - does that change your response?
> Although the time is of the essence as well - if I could do the basic
> install and then continue with the config from my home (that is the reason
> for remote access requirement), then I could devote a lot more time. As far
> as security goes, there is a dlink router, the server box has 2 nics. Can
> something be done with this setup so negating the need for a separate
> firewall box? Is one distro better than another for firewall?
> I am looking to gain from in terms of experience, and deliver to customer a
> good server that hopefully will require little maintenance, will not have
> MS exchange,
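The rule shape Shawn describes (a two-NIC Linux box acting as the gateway, port 22 forwarded to the internal server, and only a short list of outside addresses allowed to reach it) is sketched below as an added example; it is not code from the post or from the IPCop project. The interface names, the server address, and the whitelisted source IPs are constructed placeholders. It defaults to a dry run that prints the iptables commands rather than applying them, which is also a handy way to answer the "is it the app or the firewall?" question in the post: compare the printed ruleset against what you expected before touching a live box.

```shell
#!/bin/sh
# Added example (not from the post): minimal iptables ruleset for a Linux
# gateway with two NICs, forwarding SSH to an internal server and allowing
# it only from a whitelist of external addresses.
# All interface names, addresses and IPs below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                 # NIC facing the DLink / Internet
LAN_IF="${LAN_IF:-eth1}"                 # NIC facing the office LAN
SERVER="${SERVER:-192.168.1.10}"         # internal server that runs sshd
ALLOWED_SSH="${ALLOWED_SSH:-203.0.113.5 203.0.113.6}"  # "ips x, y and z"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = apply them

# Wrapper so the same function can be reviewed (dry run) or applied (root).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from a clean slate in both the filter and nat tables.
    ipt -F
    ipt -t nat -F

    # Loopback and replies to connections we already track.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may reach the Internet, masqueraded behind the WAN address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Port 22 from the outside: DNAT to the server, but only for the
    # whitelisted sources. Anyone else never matches and hits the DROP policy.
    for ip in $ALLOWED_SSH; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$ip" -p tcp --dport 22 \
            -j DNAT --to-destination "$SERVER:22"
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$ip" -d "$SERVER" \
            -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done

    # Policies last, so an existing admin session is never cut off while
    # the ESTABLISHED rule has not been added yet.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Number of distinct sources that will be forwarded to the server on 22.
ssh_whitelist_size() {
    build_rules | grep -c -- '-j DNAT'
}

build_rules
```

When applying for real (DRY_RUN=0 as root), IP forwarding must also be on (`sysctl -w net.ipv4.ip_forward=1`), and ALLOWED_SSH should be checked against `iptables -t nat -L PREROUTING -v -n` afterwards: a whitelisted address that shows zero packet counts while the user reports a failed login is the firewall, not sshd, dropping the session.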