[SLUG] home server on adsl; advice

2003-06-01 Thread Amanda Wynne
I'm about to go to adsl for my home. Going with tpg, for the static IP number 
& unlimited downloads. I have several domains, which are currently hosted 
elsewhere.
The question in a nutshell is this;
Can I host 2 (or more) domains on one static IP address?
And if so, can someone point me in the right direction as how to go about 
this.

I had a quick look at the virtual services howto, but this appears to be for 
when you have separate IP numbers for each domain.

I'll probably think of lots of other questions, but this will do for a start.

TIA

Amanda
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


RE: [SLUG] home server on adsl; advice

2003-06-06 Thread Minh Van Le
This is the topology I have in mind for my network. (Maybe minus Firewall 3 and
Firewall 4). Is there something wrong with it?

   +-+
   | I N T E R N E T |
   +-+
 |
   +--+
   | ADSL Router / Firewall 1 |
   +--+
 |
   +--+
   |Firewall 2|
   +--+
| |
+---+ ++
|  |
  ++   ++
  | Firewall 3 |   | Firewall 4 |
  ++   ++
|  |
--- ---
   / Eth Switch 1 // Eth Switch 2 /
   --- ---
 | | | |
 | | | +---+
 | | +---+ |
 | +---+ | |
 | | | |
  ++  ++  +--+  +-+
  | FTP Server |  | WEB Server |  | Email Server |  | LAN |
  ++  ++  +--+  +-+


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Phil Scarratt
> Sent: Monday, 2 June 2003 22:13
> To: [EMAIL PROTECTED]
> Subject: Re: [SLUG] home server on adsl; advice
>
>
>
>
> Chris D. wrote:
> > This one time, Amanda Wynne wrote:
> >
> >>Now, I should be able to set up Apache on a machine in the DMZ, serving up web
> >>pages to the Internet. And an FTP server on this same machine accessible only
> >>from the internal Lan to update those pages. Yes?
> >>With only one network card?
> >>
> >>So, it looks kinda like this.
> >>
> >>Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)
> >>
> >>Freesco bridge eth0 192.168.0.1
> >> eth1 192.168.1.3
> >>
> >>DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
> >>  Apache web server at 192.168.1.2
> >>  FTP server at 192.168.1.2
> >
> >
> > So what you're doing is something like this
> >
> > __
> > |   ADSL Router  |
> > --
> >   |
> > |--
> > 
> > | FreeSCO Firewall |
> > 
> >  |  _
> >  ---| Webserver Box |
> > -
> >  |
> > ( Rest of LAN )
> >
> > Right?
>
> I thought it was something more like this...
>
>
>  __
>   |   ADSL Router  |
>   --
>   |
>   -
>   | WebServer Box |
>   -
>   |
>   |
>   
>   | FreeSCO Firewall |
>   
>   |  _
>   ---| Rest of lan   |
>  -
>
> In which case, the comment still stands but for Alcatel Pro.
>
> Fil
>


RE: [SLUG] home server on adsl; advice

2003-06-06 Thread Adam W
 
> This is the topology I have in mind for my network. (Maybe minus 
> Firewall 3 and Firewall 4). Is there something wrong with it?
> 
>+-+
>| I N T E R N E T |
>+-+
>  |
>+--+
>| ADSL Router / Firewall 1 |
>+--+
>  |
>+--+
>|Firewall 2|
>+--+
> | |
> +---+ ++
> |  |
>   ++   ++
>   | Firewall 3 |   | Firewall 4 |
>   ++   ++
> |  |
> --- ---
>/ Eth Switch 1 // Eth Switch 2 /
>--- ---
>  | | | |
>  | | | +---+
>  | | +---+ |
>  | +---+ | |
>  | | | |
>   ++  ++  +--+  +-+
>   | FTP Server |  | WEB Server |  | Email Server |  | LAN |
>   ++  ++  +--+  +-+

There's nothing wrong with it - firewalls 3 and 4 aren't all THAT useful,
unless you're totally paranoid about the security of the network.

This sort of network arrangement is called a DMZ (De-materialized Zone)

Correct me anyone if I am wrong?

Cheers,

AW.



RE: [SLUG] home server on adsl; advice

2003-06-06 Thread Kevin Saenz
OK, so you are saying that off fw2 you have a DMZ and a LAN
hanging off firewall 2. This is a normal configuration.
It appears by design your topology is pretty much like a
Chinese castle: your strongest defence is your external wall
and each internal wall is slightly weaker.
Logically I can see no real issue, only a lot more logs to
babysit. Hope somewhere sitting there you have some form of
IDS.
 
> This is the topology I have in mind for my network. (Maybe minus Firewall 3 and
> Firewall 4). Is there something wrong with it?
> 
>+-+
>| I N T E R N E T |
>+-+
>  |
>+--+
>| ADSL Router / Firewall 1 |
>+--+
>  |
>+--+
>|Firewall 2|
>+--+
> | |
> +---+ ++
> |  |
>   ++   ++
>   | Firewall 3 |   | Firewall 4 |
>   ++   ++
> |  |
> --- ---
>/ Eth Switch 1 // Eth Switch 2 /
>--- ---
>  | | | |
>  | | | +---+
>  | | +---+ |
>  | +---+ | |
>  | | | |
>   ++  ++  +--+  +-+
>   | FTP Server |  | WEB Server |  | Email Server |  | LAN |
>   ++  ++  +--+  +-+
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Behalf Of Phil Scarratt
> > Sent: Monday, 2 June 2003 22:13
> > To: [EMAIL PROTECTED]
> > Subject: Re: [SLUG] home server on adsl; advice
> >
> >
> >
> >
> > Chris D. wrote:
> > > This one time, Amanda Wynne wrote:
> > >
> > >>Now, I should be able to set up Apache on a machine in the DMZ, serving up web
> > >>pages to the Internet. And an FTP server on this same machine accessible only
> > >>from the internal Lan to update those pages. Yes?
> > >>With only one network card?
> > >>
> > >>So, it looks kinda like this.
> > >>
> > >>Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)
> > >>
> > >>Freesco bridge eth0 192.168.0.1
> > >> eth1 192.168.1.3
> > >>
> > >>DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
> > >>  Apache web server at 192.168.1.2
> > >>  FTP server at 192.168.1.2
> > >
> > >
> > > So what you're doing is something like this
> > >
> > > __
> > >   |   ADSL Router  |
> > >   --
> > > |
> > >   |--
> > >   
> > >   | FreeSCO Firewall |
> > >   
> > >|  _
> > >---| Webserver Box |
> > >   -
> > >|
> > >   ( Rest of LAN )
> > >
> > > Right?
> >
> > I thought it was something more like this...
> >
> >
> >  __
> > |   ADSL Router  |
> > --
> > |
> > -
> > | WebServer Box |
> > -
> > |
> > |
> > 
> > | FreeSCO Firewall |
> > 
> > |  _
> > ---| Rest of lan   |
> >-
> >
> > In which case, the comment still stands but for Alcatel Pro.
> >
> > Fil
> >


RE: [SLUG] home server on adsl; advice

2003-06-06 Thread dazza
On Fri, 6 Jun 2003, Minh Van Le wrote:

> This is the topology I have in mind for my network. (Maybe minus Firewall 3 and
> Firewall 4). Is there something wrong with it?
>
>+-+
>| I N T E R N E T |
>+-+
>  |
>+--+
>| ADSL Router / Firewall 1 |
>+--+
>  |
>+--+
>|Firewall 2|
>+--+
> | |
> +---+ ++
> |  |
>   ++   ++
>   | Firewall 3 |   | Firewall 4 |
>   ++   ++
> |  |
> --- ---
>/ Eth Switch 1 // Eth Switch 2 /
>--- ---
>  | | | |
>  | | | +---+
>  | | +---+ |
>  | +---+ | |
>  | | | |
>   ++  ++  +--+  +-+
>   | FTP Server |  | WEB Server |  | Email Server |  | LAN |
>   ++  ++  +--+  +-+

It's excessively complex?

Additional firewalls don't necessarily improve security - a single
firewall, properly configured, will do everything you need - sticking in
extras is a waste.

And why use two _switches_? I could understand it if you were using hubs -
but why bother with two switches? get a decent single switch, and divide
it into VLAN's if you're that paranoid about people on your LAN getting to
the servers.

For a home network, this is a massive overkill, and you're just wasting
your money on devices you don't need.

About all you need is something like was previously described - ADSL modem
to firewall to switch to servers/LAN.

DaZZa



RE: [SLUG] home server on adsl; advice

2003-06-06 Thread Kevin Saenz
Dazza,


> It's excessively complex?
> 
> Additional firewalls don't necessarily improve security - a single
> firewall, properly configured, will do everything you need - sticking in
> extras is a waste.
> 
> And why use two _switches_? I could understand it if you were using hubs -
> but why bother with two switches? get a decent single switch, and divide
> it into VLAN's if you're that paranoid about people on your LAN getting to
> the servers.
> 
The 2 switches are ok especially if you want to separate your internet
servers and your lan environment. I see no problem with that, given
on your lan you want trusted server. Any server that has direct
connection to the internet in most schools of thought is not a trusted
server. That is why you have a De-Militarised Zone, to ensure if someone
owns your mail or web server they can't really own the rest of your LAN.

> For a home network, this is a massive overkill, and you're just wasting
> your money on devices you don't need.
> 
My environment is similar to that but I intended to mirror what I have
done for my clients and work place. As we all know firewalls are just
packet filters. How are you going to stop a potential exploit from
accessing your DNS, mail or web server (if they exist in the *nix
distro)? Chroot is great, I have it for DNS, postfix as a standard install
does it. Apache is pretty rock solid. Spare a thought for those who are
forced to use less than secure proprietary software.

> About all you need is something like was previously described - ADSL modem
> to firewall to switch to servers/LAN.
> 
> DaZZa



RE: [SLUG] home server on adsl; advice

2003-06-06 Thread dazza
On 7 Jun 2003, Kevin Saenz wrote:

> > It's excessively complex?
> > Additional firewalls don't necessarily improve security - a single
> > firewall, properly configured, will do everything you need - sticking in
> > extras is a waste.
> > And why use two _switches_? I could understand it if you were using hubs -
> > but why bother with two switches? get a decent single switch, and divide
> > it into VLAN's if you're that paranoid about people on your LAN getting to
> > the servers.
> >
> The 2 switches are ok especially if you want to separate your internet
> servers and your lan environment. I see no problem with that, given
> on your lan you want trusted server. Any server that has direct
> connection to the internet in most schools of thought is not a trusted
> server. That is why you have a De-Militarised Zone, to ensure if someone
> owns your mail or web server they can't really own the rest of your LAN.

Did you miss the bit about VLAN's? In this day and age of really excellent
switches, there's absolutely _no_ need to duplicate switches - simply
spend a little more on one switch, and use vlan's to isolate the bits you
need from each other by not allowing them to route between vlans.

Remember, this is {as stated in the subject line} for HOME use - DMZ's are
a massive overkill, but if you *must* have one, why not just use the one
firewall to do it? Three network cards {net, LAN and DMZ} and an
appropriate ruleset will sort you out perfectly.

> > For a home network, this is a massive overkill, and you're just wasting
> > your money on devices you don't need.
> >
> My environment is similar to that but I intended to mirror what I have
> done for my clients and work place. As we all know firewalls are just
> packet filters. How are you going to stop a potential exploit from
> accessing your DNS, mail or web server (if they exist in the *nix
> distro)? Chroot is great, I have it for DNS, postfix as a standard install
> does it. Apache is pretty rock solid. Spare a thought for those who are
> forced to use less than secure proprietary software.

"Just packet filters" - sheesh! What more do you *want* them to be? If
you're in a serious production environment, and you _don't_ keep up to
date with security patches {via securityfocus and other places}, then
you're a fool - and deserve to be hacked, regardless of _what_ OS you run.

The only way to have a "Safe" network is eternal vigilance - and how much
money do you want to spend being "safe"? You can pay someone to watch
security based web sites and usenet and other places for security-related
hacks/patches all day and all night, and get them to apply any patch which
is released {or write their own, if one isn't}, but what is the cost?

Where do you draw the line on complexity/cost effectiveness? Just how much
money do you want to pour into a home network anyway?

I might do something like Minh described for the purpose of experimenting
- but not just because it's a "good thing". That's plain silly.

DaZZa
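
Added example, not part of dazza's message or of anyone's post in this thread: the single-firewall layout described above (three network cards: net, LAN and DMZ, plus a ruleset) written as an iptables-restore ruleset with a text check of its invariants, using the 192.168.0.x LAN and the web/FTP box at 192.168.1.2 from Amanda's plan. The interface names eth0/eth1/eth2 and the function names gen_ruleset and check_ruleset are assumptions.

```shell
#!/bin/sh
# Added example: one firewall, three interfaces (net, LAN, DMZ), one public IP.
# Interface names are assumptions; the addresses are the ones used in the thread.
NET_IF=${NET_IF:-eth0}             # towards the ADSL modem (assumed name)
LAN_IF=${LAN_IF:-eth1}             # internal LAN (assumed name)
DMZ_IF=${DMZ_IF:-eth2}             # DMZ segment (assumed name)
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.2}  # Apache + FTP box in the DMZ

# Print the ruleset in iptables-restore format.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# One public IP: inbound HTTP is port-forwarded to the DMZ web server.
-A PREROUTING -i $NET_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# Private addresses leave behind the public IP.
-A POSTROUTING -o $NET_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: web only.
-A FORWARD -i $NET_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
# LAN -> DMZ: web, and FTP to update the pages (FTP data connections
# rely on the kernel's FTP connection-tracking helper to count as RELATED).
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $WEB_HOST -p tcp -m multiport --dports 21,80 -m state --state NEW -j ACCEPT
# LAN -> Internet.
-A FORWARD -i $LAN_IF -o $NET_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DMZ -> LAN: a compromised server must not reach the LAN; log the attempt.
-A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "DMZ->LAN "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; return 0 only if it keeps the three properties
# the DMZ argument depends on. This is a text check, not a packet simulation.
check_ruleset() {
    rules=$(cat)
    # 1. Forwarding is default-deny.
    printf '%s\n' "$rules" | grep -q -e '^:FORWARD DROP' || {
        echo "FORWARD policy is not DROP" >&2; return 1; }
    # 2. Nothing accepts traffic from the DMZ interface into the LAN.
    if printf '%s\n' "$rules" |
        grep -E -q -e "^-A FORWARD .*-i $DMZ_IF .*-o $LAN_IF .*-j ACCEPT"; then
        echo "DMZ can open connections into the LAN" >&2; return 1
    fi
    # 3. Only tcp/80 is exposed to the Internet side (so FTP stays LAN-only).
    exposed=$(printf '%s\n' "$rules" |
        grep -E -e "^-A (PREROUTING|FORWARD) .*-i $NET_IF .*-j (DNAT|ACCEPT)" |
        grep -v -e '--dport 80 ' || true)
    [ -z "$exposed" ] || {
        echo "Internet-facing rule other than tcp/80: $exposed" >&2; return 1; }
    return 0
}

# Usage: script print | check | apply   (apply needs root)
case "${1:-}" in
    print) gen_ruleset ;;
    check) gen_ruleset | check_ruleset && echo "ruleset OK" ;;
    apply) gen_ruleset | check_ruleset && gen_ruleset | iptables-restore ;;
esac
```

With a single public IP the web server is reached through the DNAT rule, and the separation comes from the FORWARD rules: the DMZ host answers requests but cannot start a connection to 192.168.0.x.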



Re: [SLUG] home server on adsl; advice

2003-06-06 Thread Oscar Plameras
From: "Minh Van Le" <[EMAIL PROTECTED]>

> This is the topology I have in mind for my network. (Maybe minus Firewall 3 and
> Firewall 4). Is there something wrong with it?
>

Should I design efficient and optimum security, I start 
by defining what I want to achieve with my security. 
I may do this with a check-list. My sample check-list 
looks as follows:

1. My 'LAN':
1.1 Do I want all my LAN users to access out into the Internet ?
1.2 Do I want only some LAN users to access out into the Internet ?
1.3 Do I want none of LAN users to access out into the Internet ?
1.4 Do I want all of the Internet users to access your LAN ?
1.5 Do I want only some of the Internet users to access your LAN ?
1.6 Do I want none of the Internet users to access your LAN ?
2. My 'MAIL'
..
3. My 'FTP'
.
4. My 'WWW'
.

Of course,  my check-list may be expanded to cope with various
exceptions and all sorts of special cases.

The simplicity of the design depends on what I want to achieve.

In its simplest form, I probably want all  my users to access
all of the Internet Services outside my network, but no one from
outside to access my Services(mail, ftp, www) and my network.  
In this case, I will have only one 'Firewall' between my network 
and the Internet.

The other extreme side is allow all my users to access all of the
Internet and allow all of the Internet users to access all of my
network. This one is extremely difficult and there is no simple
solution.

Then, there is this in-between depending on the check-list that
I mentioned. The  resulting topology will vary and there is no
single best topology but there is an optimum topology. 

To evaluate what is optimum is to have a reporting system with
my 'Firewall', like, number of accesses, what services were
accessed, what domains were accessed, where from the access
were made, date and time of access, file sizes of ftps, etc. 
This means my Firewall must have software to record
these activities. 

I would use FWTK firewall toolkit if I wish to assemble my
own and because it is available at no cost from the internet.
It is somewhat a challenge to assemble this toolkit. Perhaps
I may write or rewrite a bit of the modules here and there
to suit my purpose. It is written in c-language. As usual 
there are a number of contributions to this toolkit.

Of course there are several commercial firewall software in
the market if I do not wish to go through the  hassle myself.

>+-+
>| I N T E R N E T |
>+-+
>  |
>+--+
>| ADSL Router / Firewall 1 |
>+--+
>  |
>+--+
>|Firewall 2|
>+--+
> | |
> +---+ ++
> |  |
>   ++   ++
>   | Firewall 3 |   | Firewall 4 |
>   ++   ++
> |  |
> --- ---
>/ Eth Switch 1 // Eth Switch 2 /
>--- ---
>  | | | |
>  | | | +---+
>  | | +---+ |
>  | +---+ | |
>  | | | |
>   ++  ++  +--+  +-+
>   | FTP Server |  | WEB Server |  | Email Server |  | LAN |
>   ++  ++  +--+  +-+
>




Re: [SLUG] home server on adsl; advice

2003-06-07 Thread David Kempe
My money is on the fact that Minh probably has only 1 public IP.
In which case it's going to have to be a portforward that delivers the
inbound traffic to internal servers. In which case extra firewalls are a
pointless waste. Even the concept of a DMZ doesn't really help when you are
just doing portforwards... (correct me if I'm wrong)

dave


- Original Message -
From: "Kevin Saenz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

> > It's excessively complex?
> >
> > Additional firewalls don't necessarily improve security - a single
> > firewall, properly configured, will do everything you need - sticking in
> > extras is a waste.

> The 2 switches are ok especially if you want to separate your internet
> servers and your lan environment. I see no problem with that, given
> on your lan you want trusted server. Any server that has direct
> connection to the internet in most schools of thought is not a trusted
> server. That is why you have a De-Militarised Zone, to ensure if someone
> owns your mail or web server they can't really own the rest of your LAN.




Re: [SLUG] home server on adsl; advice

2003-06-07 Thread Kevin Saenz
We all can only assume :)

> My money is on the fact that Minh probably has only 1 public IP.
> In which case it's going to have to be a portforward that delivers the
> inbound traffic to internal servers. In which case extra firewalls are a
> pointless waste. Even the concept of a DMZ doesn't really help when you are
> just doing portforwards... (correct me if I'm wrong)
> 
> dave
> 
> 
> - Original Message -
> From: "Kevin Saenz" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> 
> > > It's excessively complex?
> > >
> > > Additional firewalls don't necessarily improve security - a single
> > > firewall, properly configured, will do everything you need - sticking in
> > > extras is a waste.
> 
> > The 2 switches are ok especially if you want to separate your internet
> > servers and your lan environment. I see no problem with that, given
> > on your lan you want trusted server. Any server that has direct
> > connection to the internet in most schools of thought is not a trusted
> > server. That is why you have a De-Militarised Zone, to ensure if someone
> > owns your mail or web server they can't really own the rest of your LAN.
> 



RE: [SLUG] home server on adsl; advice

2003-06-01 Thread Adam W

> The question in a nutshell is this;
>   Can I host 2 (or more) domains on one static IP address?
> And if so, can someone point me in the right direction as how 
> to go about 
> this.

Yes, it's called 'virtual hosts' - basically it senses what domain name
you have typed in the URL, and gives you the right pages.




> I had a quick look at the virtual services howto, but this appears to be for 
> when you have separate IP numbers for each domain.

Don't know if this is different - but I presume you were looking at the
right thing.

Cheers,

AW.



Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Gonzalo Servat
On 1/06/2003 3:20 PM +1000 Amanda Wynne wrote:

> I'm about to go to adsl for my home. Going with tpg, for the static
> IP number & unlimited downloads. I have several domains, which are
> currently hosted elsewhere.
> The question in a nutshell is this;
> Can I host 2 (or more) domains on one static IP address?
> And if so, can someone point me in the right direction as how to go
> about this.

Yes, you certainly can. This is called Name-based Virtual Hosting.
If any of those domains you plan to host on your home server require 
the use of a SSL certificate, you'll need to host those SSL-enabled 
sites on their own unique IP addresses. This is called IP-Based 
Virtual Hosting.

> I had a quick look at the virtual services howto, but this appears
> to be for when you have separate IP numbers for each domain.

Try: http://httpd.apache.org/docs/vhosts/index.html

> I'll probably think of lots of other questions, but this will do
> for a start.
> TIA

HTH :) (argh, acronyms)

> Amanda

Gonzalo


Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Mary
On Sun, Jun 01, 2003, Amanda Wynne wrote:
> I'm about to go to adsl for my home. Going with tpg, for the static IP number 
> & unlimited downloads. I have several domains, which are currently hosted 
> elsewhere.
> The question in a nutshell is this;
>   Can I host 2 (or more) domains on one static IP address?
> And if so, can someone point me in the right direction as how to go about 
> this.

The term you are looking for is "virtual hosts".

It is handled separately by each utility - mail transport agents,
webservers etc each handle this in their own way.

It sounds like you're talking about webserving -- you want to use
Apache's name based virtual hosting for this:

http://httpd.apache.org/docs/vhosts/name-based.html

-Mary


Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Amanda Wynne
Thank you, that's it.

Amanda

I'll ask dumb questions about routing & firewalling later..

> It sounds like you're talking about webserving -- you want to use
> Apache's name based virtual hosting for this:
>
> http://httpd.apache.org/docs/vhosts/name-based.html
>



Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Chris D.
This one time, at band camp, Mary wrote:
>The term you are looking for is "virtual hosts".
>
>It is handled separately by each utility - mail transport agents,
>webservers etc each handle this in their own way.
>
>It sounds like you're talking about webserving -- you want to use
>Apache's name based virtual hosting for this:
>
>http://httpd.apache.org/docs/vhosts/name-based.html

If you intend on doing virtual hosts -- there is a nice virtual hosting
module for apache called mod_l33t.

It powered a hosting company in Canada, which has now closed off due to
DoS attacks and a shortage on money.

It reduces the size of each apache thread, and the RAM footprint.
(According to description)

You can get it at http://wazza.host.sk/l33t/ where I have archives of
the files used that they released under the GPL.

Cheers,
Chris


Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Amanda Wynne
Chris,

All files except one (mod_l33t-1.0.zip) are empty archives. Probably not 
important, but thought maybe you should know.

Amanda

On Sunday 01 Jun 2003 4:17 pm, Chris D. wrote:
> This one time, at band camp, Mary wrote:
> >The term you are looking for is "virtual hosts".
> >
> >It is handled separately by each utility - mail transport agents,
> >webservers etc each handle this in their own way.
> >
> >It sounds like you're talking about webserving -- you want to use
> >Apache's name based virtual hosting for this:
> >
> >http://httpd.apache.org/docs/vhosts/name-based.html
>
> If you intend on doing virtual hosts -- there is a nice virtual hosting
> module for apache called mod_l33t.
>
> It powered a hosting company in Canada, which has now closed off due to
> DoS attacks and a shortage on money.
>
> It reduces the size of each apache thread, and the RAM footprint.
> (According to description)
>
> You can get it at http://wazza.host.sk/l33t/ where I have archives of
> the files used that they released under the GPL.
>
> Cheers,
> Chris



Re: [SLUG] home server on adsl; advice

2003-06-01 Thread David Kempe
Hi Amanda,
I just finished setting up mail hosting on TPG's 256k service.
I even got their 'free' USB DSL-200 adsl modem to work with Debian etc.
Not too hard really, but I warn you that the firmware/usb/driver combo is
a bit unstable.

I set it up for mail hosting - 64k outbound easily gets choked - even with
wondershaper which would be mandatory. I wouldn't really recommend
webserving off the 256/64k plan but I spose that depends on how much you
download :)

dave



- Original Message -
From: "Amanda Wynne" <[EMAIL PROTECTED]>

I'll probably think of lots of other questions, but this will do for a
start.





Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Amanda Wynne
I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco 
via dialup.

What I'm thinking of doing, if it's possible (this was going to be my next 
question) is change the Freesco box to bridge mode, feeding the alcatel, with 
my web server (yet another box) hanging off the alcatel. That way my Lan is 
effectively double-firewalled.

Is this a good idea?

Amanda




On Sunday 01 Jun 2003 6:34 pm, David Kempe wrote:
> Hi Amanda,
> I just finished setting up mail hosting on TPG's 256k service.
> I even got their 'free' USB DSL-200 adsl modem to work with Debian etc.
> Not too hard really, but I warn you that the firmware/usb/driver combo is
> a bit unstable.
>
> I set it up for mail hosting - 64k outbound easily gets choked - even with
> wondershaper which would be mandatory. I wouldn't really recommend
> webserving off the 256/64k plan but I spose that depends on how much
> you download :)
>
> dave
>
>
>
> - Original Message -
> From: "Amanda Wynne" <[EMAIL PROTECTED]>
>
> I'll probably think of lots of other questions, but this will do for a
> start.



Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Chris D.
This one time, at band camp, Amanda Wynne wrote:
>All files except one (mod_l33t-1.0.zip) are empty archives. Probably not 
>important, but thought maybe you should know.

Thanks for that, it was a dodgy download.php -- should work now :)

Cheers,
Chris


Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Chris D.
This one time, at band camp, Amanda Wynne wrote:
>I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco 
>via dialup.

I'd recommend the DSL-300 from D-Link. There it maintains the
authentication and you just plug in a cat5 crossover to your system.
On the system it's connected to, you just use dhcp to configure the IP
address on it.

>What I'm thinking of doing, if it's possible (this was going to be my next 
>question) is change the Freesco box to bridge mode, feeding the alcatel, with 
>my web server (yet another box) hanging off the alcatel. That way my Lan is 
>effectively double-firewalled.

'double-firewalled' is really not going to mean much.

I refuse to say free-->SCO<-- is a good idea.

Cheers,
Chris


Re: [SLUG] home server on adsl; advice

2003-06-01 Thread David Kempe
The alcatel Pro does exactly the same thing... except it has 4 ports.

either can be bridges or terminate the connection themselves and do NAT and
DHCP

dave


- Original Message -
From: "Chris D." <[EMAIL PROTECTED]>

> This one time, at band camp, Amanda Wynne wrote:
> >I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco
> >via dialup.
>
> I'd recommend the DSL-300 from D-Link. There it maintains the
> authentication and you just plug in a cat5 crossover to your system.
> On the system it's connected to, you just use dhcp to configure the IP
> address on it.




Re: [SLUG] home server on adsl; advice

2003-06-01 Thread Chris D.
This one time, at band camp, David Kempe wrote:
>The alcatel Pro does exactly the same thing... except it has 4 ports.
>
>either can be bridges or terminate the connection themselves and do NAT and
>DHCP

Sorry, I was thinking of the other Alcatel modems.

Chris
[EMAIL PROTECTED]


RE: [SLUG] home server on adsl; advice

2003-06-02 Thread Minh Van Le
Correct me if I'm wrong, but having two firewalls is better than one.

One for the DSL modem that is exposed to the internet, and then a separate
firewall for the internal lan that is only exposed to the DSL firewall is
better than firewalling everything from 1 box. It may delay a compromise and
make tracking logs easier.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Chris D.
> Sent: Sunday, 1 June 2003 19:10
> To: [EMAIL PROTECTED]
> Subject: Re: [SLUG] home server on adsl; advice
>
>
> This one time, at band camp, Amanda Wynne wrote:
> >I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco
> >via dialup.
>
> I'd recommend the DSL-300 from D-Link. There it maintains the
> authentication and you just plug in a cat5 crossover to your system.
> On the system it's connected to, you just use dhcp to configure the IP
> address on it.
>
> >What I'm thinking of doing, if it's possible (this was going to be my next
> >question) is change the Freesco box to bridge mode, feeding the alcatel, with
> >my web server (yet another box) hanging off the alcatel. That way my Lan is
> >effectively double-firewalled.
>
> 'double-firewalled' is really not going to mean much.
>
> I refuse to say free-->SCO<-- is a good idea.
>
> Cheers,
> Chris


Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Phil Scarratt
It's effectively - in security speak - a DMZ (demilitarized zone) no?

Fil

Minh Van Le wrote:
> Correct me if I'm wrong, but having two firewalls is better than one.
>
> One for the DSL modem that is exposed to the internet, and then a separate
> firewall for the internal lan that is only exposed to the DSL firewall is
> better than firewalling everything from 1 box. It may delay a compromise and
> make tracking logs easier.
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Behalf Of Chris D.
>> Sent: Sunday, 1 June 2003 19:10
>> To: [EMAIL PROTECTED]
>> Subject: Re: [SLUG] home server on adsl; advice
>>
>> This one time, at band camp, Amanda Wynne wrote:
>>> I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco
>>> via dialup.
>>
>> I'd recommend the DSL-300 from D-Link. There it maintains the
>> authentication and you just plug in a cat5 crossover to your system.
>> On the system it's connected to, you just use dhcp to configure the IP
>> address on it.
>>
>>> What I'm thinking of doing, if it's possible (this was going to be my next
>>> question) is change the Freesco box to bridge mode, feeding the alcatel, with
>>> my web server (yet another box) hanging off the alcatel. That way my Lan is
>>> effectively double-firewalled.
>>
>> 'double-firewalled' is really not going to mean much.
>>
>> I refuse to say free-->SCO<-- is a good idea.
>>
>> Cheers,
>> Chris

--
Phil Scarratt
Draxsen Technologies
IT Contractor/Consultant
0403 53 12 71


Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Amanda Wynne
Yes !

I did some more searching on the web today, and figured that's pretty well 
what DMZ means.

Now, I should be able to set up Apache on a machine in the DMZ, serving up web 
pages to the Internet. And an FTP server on this same machine accessible only 
from the internal Lan to update those pages. Yes? 
With only one network card?

So, it looks kinda like this.

Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)

Freesco bridge eth0 192.168.0.1  
  eth1 192.168.1.3

DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
   Apache web server at 192.168.1.2
   FTP server at 192.168.1.2

Sorry if I'm boring people with this, I'm just trying to get it straight in my 
own head where I'm  going with this.

Amanda


On Monday 02 Jun 2003 10:30 am, Phil Scarratt wrote:
> It's effectively - in security speak - a DMZ (demilitarized zone) no?
>
> Fil
>
> Minh Van Le wrote:
> > Correct me if I'm wrong, but having two firewalls is better than one.
> >
> > One for the DSL modem that is exposed to the internet, and then a
> > separate firewall for the internal lan that is only exposed to the DSL
> > firewall is better than firewalling everything from 1 box. It may delay a
> > compromise and make tracking logs easier.
> >
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >>Behalf Of Chris D.
> >>Sent: Sunday, 1 June 2003 19:10
> >>To: [EMAIL PROTECTED]
> >>Subject: Re: [SLUG] home server on adsl; advice
> >>
> >>This one time, at band camp, Amanda Wynne wrote:
> >>>I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco
> >>>via dialup.
> >>
> >>I'd recommend the DSL-300 from D-Link. There it maintains the
> >>authentication and you just plug in a cat5 crossover to your system.
> >>On the system it's connected to, you just use dhcp to configure the IP
> >>address on it.
> >>
> >>>What I'm thinking of doing, if it's possible (this was going to be my next
> >>>question) is change the Freesco box to bridge mode, feeding the alcatel, with
> >>>my web server (yet another box) hanging off the alcatel. That way my Lan is
> >>>effectively double-firewalled.
> >>
> >>'double-firewalled' is really not going to mean much.
> >>
> >>I refuse to say free-->SCO<-- is a good idea.
> >>
> >>Cheers,
> >>Chris


Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Phil Scarratt
At a quick glance looks ok as long as firewall on public side of web 
server doesn't allow ftp thru as you say. Effectively for a DMZ you want 
a firewall in front of and behind the publicly accessible machine.

fil

Amanda Wynne wrote:
> Yes !
>
> I did some more searching on the web today, and figured that's pretty well
> what DMZ means.
>
> Now, I should be able to set up Apache on a machine in the DMZ, serving up web
> pages to the Internet. And an FTP server on this same machine accessible only
> from the internal Lan to update those pages. Yes?
> With only one network card?
>
> So, it looks kinda like this.
>
> Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)
>
> Freesco bridge eth0 192.168.0.1
>   eth1 192.168.1.3
>
> DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
>    Apache web server at 192.168.1.2
>    FTP server at 192.168.1.2
>
> Sorry if I'm boring people with this, I'm just trying to get it straight in my
> own head where I'm going with this.
>
> Amanda
>
> On Monday 02 Jun 2003 10:30 am, Phil Scarratt wrote:
> > It's effectively - in security speak - a DMZ (demilitarized zone) no?
> >
> > Fil
> >
> > Minh Van Le wrote:
> > > Correct me if I'm wrong, but having two firewalls is better than one.
> > >
> > > One for the DSL modem that is exposed to the internet, and then a
> > > separate firewall for the internal lan that is only exposed to the DSL
> > > firewall is better than firewalling everything from 1 box. It may delay a
> > > compromise and make tracking logs easier.
> > >
> > >>-Original Message-
> > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > >>Behalf Of Chris D.
> > >>Sent: Sunday, 1 June 2003 19:10
> > >>To: [EMAIL PROTECTED]
> > >>Subject: Re: [SLUG] home server on adsl; advice
> > >>
> > >>This one time, at band camp, Amanda Wynne wrote:
> > >>>I'm looking at getting an Alcatel Pro. Currently running a P120 with Freesco
> > >>>via dialup.
> > >>
> > >>I'd recommend the DSL-300 from D-Link. There it maintains the
> > >>authentication and you just plug in a cat5 crossover to your system.
> > >>On the system it's connected to, you just use dhcp to configure the IP
> > >>address on it.
> > >>
> > >>>What I'm thinking of doing, if it's possible (this was going to be my next
> > >>>question) is change the Freesco box to bridge mode, feeding the alcatel, with
> > >>>my web server (yet another box) hanging off the alcatel. That way my Lan is
> > >>>effectively double-firewalled.
> > >>
> > >>'double-firewalled' is really not going to mean much.
> > >>
> > >>I refuse to say free-->SCO<-- is a good idea.
> > >>
> > >>Cheers,
> > >>Chris

--
Phil Scarratt
Draxsen Technologies
IT Contractor/Consultant
0403 53 12 71


Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Chris D.
This one time, Amanda Wynne wrote:
>Now, I should be able to set up Apache on a machine in the DMZ, serving up web 
>pages to the Internet. And an FTP server on this same machine accessible only 
>from the internal Lan to update those pages. Yes? 
>With only one network card?
>
>So, it looks kinda like this.
>
>Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)
>
>Freesco bridge eth0 192.168.0.1  
>  eth1 192.168.1.3
>
>DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
>   Apache web server at 192.168.1.2
>   FTP server at 192.168.1.2

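So what you're doing is something like this

 ------------------
 |   ADSL Router  |
 ------------------
          |
 --------------------
 | FreeSCO Firewall |
 --------------------
          |      -----------------
          |------| Webserver Box |
          |      -----------------
          |
   ( Rest of LAN )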

Right?

If so, on the FreeSCO firewall, you will want to port forward port 80 to
your webserver box.

- Chris
[EMAIL PROTECTED]


Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Phil Scarratt


Chris D. wrote:
> This one time, Amanda Wynne wrote:
>
> >Now, I should be able to set up Apache on a machine in the DMZ, serving up web
> >pages to the Internet. And an FTP server on this same machine accessible only
> >from the internal Lan to update those pages. Yes?
> >With only one network card?
> >
> >So, it looks kinda like this.
> >
> >Lan 192.168.0.x (2 workstations, file server, laptop, laser printer)
> >
> >Freesco bridge eth0 192.168.0.1
> >  eth1 192.168.1.3
> >
> >DMZ with Alcatel pro at 192.168.1.1 to TPG static IP ADSL
> >   Apache web server at 192.168.1.2
> >   FTP server at 192.168.1.2
>
> So what you're doing is something like this
>
>  ------------------
>  |   ADSL Router  |
>  ------------------
>           |
>  --------------------
>  | FreeSCO Firewall |
>  --------------------
>           |      -----------------
>           |------| Webserver Box |
>           |      -----------------
>           |
>    ( Rest of LAN )
>
> Right?

I thought it was something more like this...

 ------------------
 |   ADSL Router  |
 ------------------
          |
  -----------------
  | WebServer Box |
  -----------------
          |
          |
 --------------------
 | FreeSCO Firewall |
 --------------------
          |      ---------------
          |------| Rest of lan |
                 ---------------

In which case, the comment still stands but for Alcatel Pro.

Fil



Re: [SLUG] home server on adsl; advice

2003-06-02 Thread Amanda Wynne
I think this is a closer stick drawing


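 ------------------
 |   ADSL Router  |
 ------------------
          |
          |      -----------------
          |------| WebServer Box |
          |      -----------------
          |
          |
 --------------------
 | FreeSCO Firewall |
 --------------------
          |      ---------------
          |------| Rest of lan |
                 ---------------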

> In which case, the comment still stands but for Alcatel Pro.
>
> Fil

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
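
The policy the thread converges on (port 80 forwarded from the Internet to the web box, FTP reachable only from the LAN, nothing from the DMZ into the LAN) can be written down and checked against a candidate rule set. This is an added example, not code from any list post: the rule tuples, the hosts 203.0.113.9 and 192.168.0.10, and the simplification that destinations are shown after NAT are assumptions.

```python
import ipaddress as ipa

LAN = ipa.ip_network("192.168.0.0/24")   # addresses taken from the thread
DMZ = ipa.ip_network("192.168.1.0/24")
WEB = ipa.ip_network("192.168.1.2/32")   # Apache + FTP box in the DMZ
ANY = ipa.ip_network("0.0.0.0/0")

# Assumed rule sets: (src_net, dst_net, tcp_port, action).
# First match wins; anything unmatched is dropped.
OUTER = [(ANY, WEB, 80, "allow"),        # ADSL router: port 80 forwarded to web box
         (LAN, ANY, 80, "allow")]        # LAN browsing out (assumption)
INNER = [(LAN, WEB, 21, "allow"),        # Freesco: FTP uploads only from the LAN
         (LAN, ANY, 80, "allow")]

# Intended policy: (src, dst, port, should_connect). Hosts are constructed.
POLICY = [("203.0.113.9", "192.168.1.2", 80, True),    # Internet -> Apache
          ("203.0.113.9", "192.168.1.2", 21, False),   # Internet must not reach FTP
          ("192.168.0.10", "192.168.1.2", 21, True),   # LAN -> FTP
          ("192.168.1.2", "192.168.0.10", 22, False),  # web box must not reach LAN
          ("203.0.113.9", "192.168.0.10", 80, False)]  # Internet -> LAN

def zone(ip):
    """0 = Internet, 1 = DMZ, 2 = LAN; firewall k sits between zones k and k+1."""
    return 2 if ip in LAN else 1 if ip in DMZ else 0

def permits(rules, src, dst, port):
    for src_net, dst_net, rule_port, action in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action == "allow"
    return False                          # default drop

def reachable(firewalls, src, dst, port):
    """A new connection succeeds only if every firewall on the path permits it."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    lo, hi = sorted((zone(src), zone(dst)))
    return all(permits(fw, src, dst, port) for fw in firewalls[lo:hi])

def audit(outer, inner):
    """Return the policy entries that the given rule sets get wrong."""
    return [(s, d, p) for s, d, p, want in POLICY
            if reachable([outer, inner], s, d, p) != want]

if __name__ == "__main__":
    print("violations:", audit(OUTER, INNER))
    print("with FTP forwarded:", audit(OUTER + [(ANY, WEB, 21, "allow")], INNER))
```

Hosts on the same segment cross no firewall in this model, which is why the web box belongs in the DMZ rather than on the LAN.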