Hi,
sorry in advance for the lengthy post. I have some questions on organizing and designing a small office environment. Clients and server parts: Debian. I have always introduced Debian in every job I had in the last 14 years, and it would be great to finally use it as the default OS on the devices of my own business :)

I currently have one VPS with a few services: hosting my own websites and DNS (authoritative for my domains), and mail (Postfix, Dovecot). As I'm planning to start my own business, I would like to inform myself on the available choices. I would probably get a business VDSL line, which would give me 8 public IPs.

I have experience with most of the techniques described below, although it has been a while since I used some of those components/software. I do manage some Debian servers, and have done so for the last 14 years.

At the start, I would only employ 1 or 2 people. I'm trying to keep it small, so I wouldn't want to go over 10 people. Server part Debian; office parts also Debian as much as possible, but we will also have MS machines, as we need these to support our clients. Not sure if we would need to access any info on the Debian machines or servers.

I have no preference for local infrastructure as opposed to cloud. That's why I started out with a VPS to host my sites, mail and DNS. Because of the DNS redundancy requirements, I use a free service that replicates my DNS. Ideally, I would be able to provide this redundancy with my own machines, VPSes or local. I would like your advice on the way I would set this up locally or with VPSes.

Local setup
===========

I would connect a Debian box with 3 NICs to the ISP router to serve as firewall: 1 NIC for WAN, 1 for LAN, 1 for DMZ. I have always used iptables to do this. The WAN NIC would have 1 public IP, LAN 192.168.1.0/24, DMZ 172.16.1.0/24. The DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and an SMTP gateway. I would keep the free DNS for added redundancy.

On the LAN part, I would put a file server, local DNS and some internal web apps. This raises some questions:

- What device could I use for the firewall? I don't want to use an old computer, as I have some public services and need a reliable service. I'm open to using an appliance as well. Any links or info are welcome. Any easy way to have these devices redundant?

- I would only allow some traffic (mail, for instance) from the DMZ to the private LAN. The LAN could access the DMZ. Any downside to this security-wise?

- If I have multiple public IPs, I would assign each public machine a public IP. I assume it's the ISP's job to redirect the IPs in my range to their router in my office. I could then map the public IPs to private IPs by prerouting all allowed traffic on the public IP to the private IP address of the machine in the DMZ.

- My mail service (only used for my own purposes right now) consists of Postfix, ClamAV, Pyzor, Razor and SpamAssassin, with authentication provided by Dovecot. Domains, users and aliases are stored in a PostgreSQL database. Security-wise it would be better to place this setup in the LAN part, put an SMTP gateway in the DMZ to receive mail, and have the gateway forward the mail to the setup I just described. The SMTP gateway should have the same parts (ClamAV, SpamAssassin, ...) but just not store the mail locally. Any thoughts on this kind of setup?

- I have Roundcube (webmail) installed as well. I think I could handle this by forwarding the requests from the firewall to the internal mail server. Not sure if this is the safest way to do this. One can of course argue about webmail in the first place.

- Central user and document management. I would like to have a space on the file server where people could store their own and shared documents. I think I would need NFS for this (haven't used this before). The docs might need to be accessible from Windows as well, although I really would like to only use Debian machines for my own people. Otherwise, this would mean using Samba. My mail users are in a PostgreSQL database. I would like to keep it that way if I would ever provide mail to customers. I can see LDAP being useful to have central authentication. It can be a challenge to set up, though. Are there other ways of having a simple central authentication? I have thought about using a document management system from the start. But I only have experience with commercial ones, and that might be overkill from the start. Besides, they are Windows based.

VPS
===

The other way I could go is by using multiple VPS servers (or renting dedicated servers). I could connect them with OpenVPN. I have no experience with that. But this would also mean I would have my file server online. Then I definitely would need to set up a permanent connection from the office firewall to the online servers.

It might make it a bit harder to fully manage reverse DNS. As for my current VPS, I had to ask my VPS supplier to insert a reverse DNS record for my mail server, as I don't own the range and as such can't set the reverse DNS. If I wanted to manage this myself, I would need to reserve a small range with the VPS supplier. I probably wouldn't need those in the case of receiving a range of public IP addresses from the ISP that provides the company internet line. If I used these public IPs, I wouldn't need the VPS range, and I could manage my own reverse DNS and have the firewall forward the traffic from these public IPs to the private IPs (well, also public IPs, because you get a public IP with every VPS) of the corresponding VPSes over the OpenVPN connection? Is this also a workable setup? Any other ways to set this up?

Thanks for any advice, thoughts, links or info, and for your patience if you got this far :)

Regards,
Bene

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/me92pl$e98$1...@ger.gmane.org
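The three-legged firewall described in the "Local setup" section (WAN/LAN/DMZ on one Debian box, public IPs mapped to DMZ hosts with PREROUTING, and only mail allowed from the DMZ into the LAN) as an added example; this is not code from the post or from its author. The interface names, the public block (203.0.113.0/24 is a documentation range standing in for the ISP-assigned addresses), the DMZ host addresses and the internal mail server at 192.168.1.20 are all assumptions. The script prints an iptables-restore ruleset by default and only applies it when run as root with APPLY=1:

```shell
#!/bin/sh
# Three-legged iptables firewall (WAN / LAN / DMZ) for the layout in the post.
# Added example, not from the original thread. Interface names, public
# addresses (203.0.113.0/24 is a documentation range, standing in for the
# ISP block) and host addresses are assumptions; adjust before use.
# Without APPLY=1 the ruleset is only printed, so it can be reviewed or diffed.

WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=172.16.1.0/24
FW_PUB=203.0.113.9                           # firewall's own WAN address (assumed)
WEB_PUB=203.0.113.10;  WEB_DMZ=172.16.1.10   # DMZ host 1: web + DNS 1 (assumed)
MX_PUB=203.0.113.11;   MX_DMZ=172.16.1.11    # DMZ host 2: DNS 2 + SMTP gateway (assumed)
MAIL_LAN=192.168.1.20                        # internal Postfix/Dovecot box on the LAN (assumed)

gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Each public IP maps 1:1 to one DMZ host, but only for the published services.
-A PREROUTING -i $WAN -d $WEB_PUB -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_DMZ
-A PREROUTING -i $WAN -d $WEB_PUB -p udp --dport 53 -j DNAT --to-destination $WEB_DMZ
-A PREROUTING -i $WAN -d $WEB_PUB -p tcp --dport 53 -j DNAT --to-destination $WEB_DMZ
-A PREROUTING -i $WAN -d $MX_PUB -p tcp --dport 25 -j DNAT --to-destination $MX_DMZ
-A PREROUTING -i $WAN -d $MX_PUB -p udp --dport 53 -j DNAT --to-destination $MX_DMZ
-A PREROUTING -i $WAN -d $MX_PUB -p tcp --dport 53 -j DNAT --to-destination $MX_DMZ
# Outbound: each DMZ host leaves with its own public IP (so the reverse DNS of
# the MX matches the address it sends from); LAN clients share the firewall's.
-A POSTROUTING -o $WAN -s $WEB_DMZ -j SNAT --to-source $WEB_PUB
-A POSTROUTING -o $WAN -s $MX_DMZ -j SNAT --to-source $MX_PUB
-A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $FW_PUB
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Firewall administration only from the LAN side.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# WAN -> DMZ: only what PREROUTING already translated (matched on the post-DNAT address).
-A FORWARD -i $WAN -o $DMZ -d $WEB_DMZ -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB_DMZ -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB_DMZ -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $MX_DMZ -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $MX_DMZ -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $MX_DMZ -p tcp --dport 53 -j ACCEPT
# LAN may reach the DMZ and the internet.
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# DMZ -> LAN: only the SMTP gateway, only to the internal mail server, only TCP/25.
-A FORWARD -i $DMZ -o $LAN -s $MX_DMZ -d $MAIL_LAN -p tcp --dport 25 -j ACCEPT
# DMZ -> WAN: outbound mail, DNS and package/signature updates for the DMZ hosts.
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p tcp -m multiport --dports 25,80,443 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p tcp --dport 53 -j ACCEPT
# No DNAT points into the LAN, so nothing from the WAN reaches it; log what the policy drops.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Sanity check for the "only mail from DMZ to LAN" goal: count the FORWARD
# rules that cross from the DMZ interface to the LAN interface. Expected: 1.
dmz_to_lan_rules() {
    gen_ruleset | grep -c -- "-A FORWARD -i $DMZ -o $LAN "
}

if [ "${APPLY:-0}" = "1" ]; then
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

The FORWARD rules for inbound traffic match on the DMZ address, not the public one, because the filter table sees packets after PREROUTING has rewritten the destination. Keeping the DMZ-to-LAN section to a single host/port pair is what makes the gateway design in the post worth having: a compromised DMZ box can then only talk SMTP to the internal mail server, and anything else it tries shows up in the "FW-DROP:" log lines.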