> Tony McGee wrote:
> > On Wed, 16 Aug 2000, Joseph S. Gardner pushed some tiny letters in this order:
> > > Is it practical / advisable to set up a single machine to act as
> > > a firewall/email/web server or am I looking for MAJOR trouble.
> > >
> > > I'm trying to run a SOHO with limited resources/computers but
> > > still need all the goodies.
> > >
> >
> > For a small SOHO network it doesn't sound bad at all. What
> > sort of trouble were you expecting?
> >
> > Linux." ? Any operating system is better than Win3.x! ;-)
> >
> > Tony
>
> Just concerned about the firewall setup I suppose... Not quite
> certain how to set it up to allow email in, web surfing in, and
> still protect my internal network.
>
> I REALLY don't understand how firewalling works and if I can
> keep everything on the same network yet protected.
John Aldrich wrote...
> My suggestion would be two computers -- one for firewall and one for
> email/web server. 'Course depending on how much mail and how much web
> traffic you have, it may get a bit overloaded. And you'll want a LOT
> of ram in that thing!
John's suggestion is good if you have more than one computer available.
What I've done is set up an LM7.1 server running a firewall (IP masq), web
server, mail server, DNS, and SSH. The problem with my setup is that
I have more open services that crackers can try to exploit to break in.
I take security issues seriously and keep up to date with exploits, and
update new packages. I have only one cable-modem DHCP IP address. I have
two NICs on the firewall, and the second is locally connected to a 5-port
switch... my other PCs are then connected to this switch. These PCs use
private IP addresses 192.168.x.x.
For your setup, you only mention having *one* DSL IP address, which can
be a problem since having your firewall forward requests to an internal
network is potentially opening up a security hole. If you read the IP
Masq HOW-TO, they talk about the Demilitarized Zone (DMZ) for setting
things up.
DSL line ---> Comp A (firewall)     Comp B (web)     Comp C (mail)
                |    |                   |                |
                |    --------- DMZ -----------------------
                |
               Hub ----------------
                |                 |
        Comp D (LAN PC)    Comp E (LAN PC)   # using 192.168.x.x
Keep in mind I am not totally clear on DMZ so others can correct me if I
am incorrect in my details. Comp A would have 3 NICs, and you need 2 hubs.
The DMZ hub could use private addresses 10.x.x.x and the LAN hub would use
private addresses 192.168.x.x (or switch them around). This way requests to
the web or mail server (or cracking attempts) can be restricted and kept
away from your LAN PCs (and thus protect them). You might also want to have your
web server as a backup mail server to hold any mail (and forward later)
in case your mail server goes down (or you're upgrading).
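An added example, not from Dan's message or anyone else in the thread: a POSIX shell script that turns the three-NIC / two-hub layout sketched above into Linux netfilter rules. The interface names (eth0 on the DSL side, eth1 on the DMZ hub, eth2 on the LAN hub), the 10.0.0.0/24 DMZ and 192.168.1.0/24 LAN ranges, and the web and mail host addresses are all assumptions; the LM7.1 box in the thread would have used ipchains and IP masq, so iptables (kernel 2.4 and later) is substituted here. The point it makes concrete is the one in the text: the Internet can reach only the two published ports on the DMZ hosts, the LAN can reach out, and a DMZ host can never open a connection into the LAN.

```shell
#!/bin/sh
# Added example, not from the original thread. Three-zone firewall (WAN, DMZ, LAN)
# for the layout Dan sketches: one DSL address on Comp A, web and mail servers
# on the DMZ hub, workstations on the LAN hub. Interface names, address ranges
# and server addresses are assumptions; iptables stands in for the ipchains/IP
# masq setup a 2000-era LM7.1 box would have used.

WAN_IF=${WAN_IF:-eth0}              # NIC facing the DSL line (public address via DHCP)
DMZ_IF=${DMZ_IF:-eth1}              # NIC on the DMZ hub
LAN_IF=${LAN_IF:-eth2}              # NIC on the LAN hub
DMZ_NET=${DMZ_NET:-10.0.0.0/24}     # private range for the DMZ (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # private range for the LAN (assumed)
WEB_HOST=${WEB_HOST:-10.0.0.2}      # Comp B (assumed address)
MAIL_HOST=${MAIL_HOST:-10.0.0.3}    # Comp C (assumed address)

# With DRY_RUN=1 the rules are printed instead of loaded, so the policy can be
# reviewed (or diffed against an earlier run) without root and without iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start clean and default-deny: anything not listed below is dropped.
    # (Routing between the NICs also needs /proc/sys/net/ipv4/ip_forward set to 1.)
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Traffic to the firewall itself: loopback, replies to its own connections,
    # and SSH for administration from the LAN side only.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Replies for connections that were already allowed, whichever zone opened them.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet and LAN -> DMZ are allowed; outbound traffic is masqueraded
    # behind the single DSL address.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$DMZ_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # DMZ -> LAN is never allowed: a broken-into web or mail server must not be
    # able to open connections to the workstations. Attempts are logged first;
    # any hit on this rule is a strong sign a DMZ host has been compromised.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW -j LOG --log-prefix "DMZ-to-LAN-blocked:"
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # DMZ -> Internet (package updates, outbound mail delivery), also masqueraded.
    ipt -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j MASQUERADE

    # Internet -> DMZ: only the published services, port-forwarded (DNAT) from the
    # DSL address to the DMZ host, and only NEW connections to exactly that port.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_HOST" --dport 25 -m state --state NEW -j ACCEPT
    # Anything else arriving from the DSL side for the DMZ or the LAN falls
    # through to the FORWARD DROP policy.
}

# Usage:  DRY_RUN=1 sh dmz-firewall.sh apply    # print the rules for review
#         sh dmz-firewall.sh apply              # load them (needs root)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

The ordering matters: the ESTABLISHED,RELATED rule sits first in FORWARD so that replies to LAN-initiated connections into the DMZ get back, while the explicit DMZ-to-LAN DROP (with its LOG line) only ever sees new connections, which is exactly the traffic you want to see in the logs.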
Ideally, you would have 2-3 IP addresses from DSL service, and let people
access the web server and mail server directly, and the firewall would
be used to protect your LAN. There is also a way of doing a DMZ with
real IP addresses (in the HOW-TO), but I am not clear on how to do this
(perhaps someone else can explain this).
A friend of mine has 2 IP addresses and has Comp A as firewall, web server,
backup mail server, primary DNS. Comp B is a mail server and secondary DNS.
Comp A's firewall protects his LAN. This way he controls DNS for any of
his registered domain names.
Hope that helps to explain things (from the way I understand it).
Thanks... Dan.