rounded_circle n00b
Joined: 09 Aug 2005 Posts: 34
Posted: Tue Oct 11, 2005 4:31 pm Post subject: Advanced home network setup question [solved]
Hello!
In my short experience with Gentoo Linux, I managed to install Gentoo on 3 computers in my house, connect them to a router and have a small network. My next step, over time, is to harden that network and incorporate the following services into it:
1) Web server with database
(Will host a couple of web sites that hopefully will be expanding their needs in bandwidth and resources over time.)
2) Mail server
3) NAT / Firewall (Shorewall?)
4) Proxy server
5) dhcp / dns (dnsmasq)
6) Rsync server
7) NFS / SSH
8) Time server
9) Applications for network monitoring and logging
10) Bandwidth management for certain nodes on the network
I intend to build a Gentoo router, bearing in mind the flexibility it can provide in terms of bandwidth management or management of a second line from my ISP. However, I lack the big picture of the issue... I have no idea what it is to maintain a web server or even a web site. Therefore I am asking for help to get the basic idea.
My questions are the following:
1) I have read in certain fora and web sites (such as http://www.linux-sec.net/) that it is preferable for security reasons to have the router/firewall physically separated from the other services (DNS for example). However, in the Home Router Guide Howto this is not clearly suggested. Since I am a complete noob who is currently -kind of- budgeting this project... I would like to delineate what a proper hardware configuration would be. (How many machines would cater for these needs, which services each machine should cater for, and what a preferable configuration level would be, bearing in mind a satisfactory level of security and regular resource handling?)
2) In a recent Gentoo forum thread, it was suggested that Shorewall is a very good and reliable interface for iptables handling. Except for some basic issues, I have no acquaintance with iptables nor Shorewall. I understand that an interface saves time and effort, but on the other hand handling such issues directly gives an in-depth overview of the whole system. According to my goal and based on your experience, would Shorewall be a reliable solution or should I spend more time configuring iptables manually?
Regards,
rounded_circle
_________________
Rounded_circle ... hum ... is it ... circled_around?
Last edited by rounded_circle on Mon Oct 17, 2005 11:17 am; edited 4 times in total
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Tue Oct 11, 2005 5:52 pm Post subject: Re: Advanced home network setup question
rounded_circle wrote: "1) I have read in certain fora and web sites (such as http://www.linux-sec.net/) that it is preferable for security reasons to have the router/firewall physically separated from the other services (DNS for example)."
That's right, and if the site is worth anything, they will list these security reasons in detail, so you can decide whether you want to give in to paranoia or not.
rounded_circle wrote: "According to my goal and based on your experience, would Shorewall be a reliable solution or should I spend more time configuring iptables manually?"
Err. Well, from the Shorewall author's POV (dunno if it was a single author though), he did things manually, and others use his work to not do things manually. So this one is tough to answer.
In either case, I suggest you look at what others have been doing (that means looking at Shorewall as well). Firewalling and bandwidth management are two very complex fields of research, and it's hard to set them up manually without in-depth knowledge. And there are many things that can go wrong... if you ever locked yourself out, you know what I mean.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54799 Location: 56N 3W
Posted: Tue Oct 11, 2005 6:23 pm Post subject:
rounded_circle,
Look and see what others have done - IPCop, Smoothwall Express and some other security distros. These all take over the host PC to turn it into a network appliance, so play with other security setups before you do your own.
I would recommend against Gentoo as the basis for a security platform, since if you do get hacked, you don't want to give your uninvited guest a tool chain. The free version of Smoothwall does not meet your requirements - it does not provide traffic shaping. I'm suggesting that it's worthy of evaluation so you can see how it's been done before.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
rounded_circle n00b
Joined: 09 Aug 2005 Posts: 34
Posted: Wed Oct 12, 2005 9:46 am Post subject:
NeddySeagoon, frostschutz,
Thank you for your help. That is the "picture" I missed: Gentoo is a tool, not a solution. It is able to provide the solution that each one can create with the tools provided. The result of my self-evaluation is that I am way too far from creating such a complex solution.
Therefore, my next step would be an "advanced home network setup research"! IPCop is a suggestion I have seen in the Gentoo fora during my preliminary research on this subject. Smoothwall Express has just initialized my inquiring daemon:31736.
The fact is that I can clearly describe -even draw!- my next step now. Definitely I would not like to provide a tool chain to any malicious user of the *net. I will do my best, and I will keep this post updated.
Regards,
rounded_circle
_________________
Rounded_circle ... hum ... is it ... circled_around?
rounded_circle n00b
Joined: 09 Aug 2005 Posts: 34
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Thu Oct 13, 2005 12:26 pm Post subject:
rounded_circle wrote: "This is the basic picture of the configuration I have in my mind:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
You can do ASCII graphics in an environment you know...
rounded_circle n00b
Joined: 09 Aug 2005 Posts: 34
Posted: Thu Oct 13, 2005 12:39 pm Post subject:
Oooofff!
This is a prerequisite to get along well with women in my country...
Arrrrgggg!!!!
I'll "take five" now...
_________________
Rounded_circle ... hum ... is it ... circled_around?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54799 Location: 56N 3W
Posted: Thu Oct 13, 2005 6:16 pm Post subject:
rounded_circle,
I run apache, qmail, talkd, ssh and seti@home on a 450 MHz K6-2 in the orange (DMZ) net behind my Smoothwall Express firewall, which runs on a Cyrix 200MHz system fitted with a 120Mb HDD.
You may want to look at qmail for your mail server. I don't have a lot of traffic, so I have not tried traffic shaping.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
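The three-zone layout NeddySeagoon describes above (a firewall host with the public services on a separate orange/DMZ net behind it) and frostschutz's earlier warning about locking yourself out are both illustrated by the following added example. It is not code from this thread, nor from Smoothwall, IPCop or Shorewall. It assumes the firewall host has three interfaces named eth0 (red, ISP side), eth1 (green, trusted LAN) and eth2 (orange, DMZ), that one DMZ host at 192.168.2.10 publishes TCP ports 80, 443 and 25, and that the firewall itself runs dnsmasq for the green net; interface names, the address, the ports and the file name fw.sh are all constructed for the example and can be overridden through the environment.

```shell
#!/bin/sh
# Added example for a red/green/orange firewall host; not from the thread or
# any of the distros named in it. Interface names, DMZ host and ports below are
# assumptions: override them via the environment (RED=... sh fw.sh show).
RED=${RED:-eth0}
GREEN=${GREEN:-eth1}
ORANGE=${ORANGE:-eth2}
DMZ_HOST=${DMZ_HOST:-192.168.2.10}
DMZ_PORTS=${DMZ_PORTS:-"80 443 25"}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
BACKUP=${BACKUP:-/var/run/fw.pre-apply}

# Emit the whole rule set in iptables-restore format. Policy is DROP on INPUT
# and FORWARD. GREEN may go anywhere; ORANGE may only reach RED; RED reaches
# ORANGE only on the published ports (after DNAT). Neither RED nor ORANGE can
# initiate anything towards GREEN or towards the firewall host itself.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $GREEN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $GREEN -p udp --dport 53 -j ACCEPT
-A INPUT -i $GREEN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $GREEN -p udp --dport 67 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $ORANGE -o $GREEN -j DROP
-A FORWARD -i $GREEN -j ACCEPT
-A FORWARD -i $ORANGE -o $RED -j ACCEPT
EOF
  # One FORWARD rule per published DMZ port; the packet's destination has
  # already been rewritten by the PREROUTING DNAT below when it gets here.
  for p in $DMZ_PORTS; do
    echo "-A FORWARD -i $RED -o $ORANGE -d $DMZ_HOST -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
  for p in $DMZ_PORTS; do
    echo "-A PREROUTING -i $RED -p tcp --dport $p -j DNAT --to-destination $DMZ_HOST"
  done
  cat <<EOF
-A POSTROUTING -o $RED -j MASQUERADE
COMMIT
EOF
}

# Load the new rule set atomically, but schedule a restore of the previous
# rules unless 'confirm' is run in time. This is the usual guard against the
# lock-out frostschutz mentions when the box is administered over ssh.
safe_apply() {
  iptables-save > "$BACKUP" || return 1
  if ! gen_rules | iptables-restore; then
    echo "new rule set rejected, restoring previous rules" >&2
    iptables-restore < "$BACKUP"
    return 1
  fi
  ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
  echo $! > "$BACKUP.pid"
  echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s or the old rules come back"
}

confirm() {
  [ -f "$BACKUP.pid" ] || return 1
  kill "$(cat "$BACKUP.pid")" 2>/dev/null
  rm -f "$BACKUP.pid"
}

if [ "$#" -gt 0 ]; then
  case "$1" in
    show)    gen_rules ;;
    apply)   safe_apply ;;
    confirm) confirm ;;
    *)       echo "usage: $0 show|apply|confirm" >&2; exit 2 ;;
  esac
fi
```

Run `sh fw.sh show` to review the generated rules before touching anything, `sh fw.sh apply` as root to load them, and `sh fw.sh confirm` from a fresh ssh session once you have verified you can still get in; if that session never comes, the timer restores the saved rules. The rollback only protects against the new rules being wrong, so take the backup while the current rules are known to work.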
rounded_circle n00b
Joined: 09 Aug 2005 Posts: 34
Posted: Fri Oct 14, 2005 4:48 pm Post subject:
Thank you NeddySeagoon,
I will start from something simple and then proceed -as necessary- step by step.
Your advice is always neat and accurate.
Time for action!
Warm regards,
rounded_circle
_________________
Rounded_circle ... hum ... is it ... circled_around?