[clug-talk] Server questions

Shawn sgrover at open2space.com
Tue Sep 20 12:21:07 PDT 2005


With regards to firewalls, the DLink routers may not be suitable for the 
business.  If it is simply providing a gateway to the Internet for your 
network, and maybe forwarding one or two ports, it'll probably do the job.  
However, if you need to handle multiple external IP addresses, or create more 
complex routing rules (allow ips x, y, and z access to ssh, but no one else), 
then the DLink routers begin to become unsuitable.

A better option (IMHO), is to put in an IPCop firewall.  IPCop is a dedicated 
Linux system providing firewall and routing capabilities.  I've yet to find a 
situation that IPCop cannot handle.  And, you can make use of an old box for 
this (the computer then becomes ONLY a firewall - the install reformats the 
drive).

As Szemir mentioned in his post, separating the firewall roles from your 
server roles is a good idea.  (It's a good idea to also separate each of the 
server roles - but that's for performance and better security.  You can get 
by with a single server box to start out and grow as needed).

It IS possible to have your server behave as the firewall by getting creative 
with the IPTables rules, but troubleshooting a server problem can be tougher.  
(Is the server app misconfigured, or are the IPTable rules simply stopping 
the traffic that makes the server run properly? - this can sometimes be very 
subtle and tough to find).

I recently helped a customer move away from a DLink router due to some odd 
email problems they were having.  The DLink was not allowing two way 
communication over port 25, even though it was told to forward the port.  We 
put in IPCop, and this problem vanished, and the network performance improved 
greatly as well (though that is more likely due to the fact we cleaned up the 
network infrastructure while we were at it).

For remote access, if the distro has SSH installed/started, and you configure 
your firewall to forward port 22 to the server, you can do SSH sessions from 
home, or wherever you tell the firewall to allow traffic from.  This is a 
very very useful tool.  I've been able to tweak my own servers remotely, and 
fix issues at client sites without having to physically go there.  The 
downside is that you tend to do much more command line stuff.  SSH can 
forward X sessions, or you can ignore SSH and setup a VNC server (or FreeNX) 
and connect with the graphical interfaces.  I find this to be a little 
inconvenient for myself though - the screen updates can be jerky, or 
unreliable over a slow or busy connection....

Hope that helps.

Shawn

On Tuesday 20 September 2005 12:51, D Bhardwaj wrote:
> Not a long reply at all. Thanks.
> This is a new install, and SBS was purchased but I can convince the big
> boss to put it on the shelf. :) So, there is no migration, email, etc. Its
> for a startup company.
> Shawn - does that change your response?
> Although the time is of the essence as well - if I could do the basic
> install and then continue with the config from my home (that is the reason
> for remote access requirement), then I could devote a lot more time. As far
> as security goes, there is a dlink router, the server box has 2 nics. Can
> something be done with this setup so negating the need for a separate
> firewall box? Is one distro better than another for firewall?
>
> I am looking to gain from in terms of experience, and deliver to customer a
> good server that hopefully will require little maintenance, will not have
> MS exchange,


