
Linux Ubuntu Fileserver (Samba, FTP) & Linux Firewall (M0n0wall, IPcop)

Jagercola

Senior member
I've got an Ubuntu server online for file sharing on my home network. Currently, it does Samba and FTP, but I may add other stuff later. Instead of having to pay electricity for another computer, is it possible to run m0n0wall or IPcop on the same box? Someone mentioned something like VMware may allow it, but I wanted to know if it was possible.

Thanks
 
I don't see why not, it's just another service.
It's a different story if you are trying to serve 100s of users.
 
It would be fairly tricky to get two different distros running on the same machine in any useful way (OK, sure, you could have your fileserver also running a VM with M0n0wall inside and muck around with bridging and so forth). It would be quite easy, though, to have Samba, an FTP daemon, and a firewall setup all on the same machine.
 
Xen is pretty good for this sort of thing. The scripts that come with the software do bridging automatically through scripts and whatnot.

On a single CPU machine with a gig of RAM it's pretty easy to run something like 4 OS installs simultaneously and have it all be efficient and easy to deal with. I run around 6 Debian installs on my server to simulate a 'real world' type setup with divisions of control and such.

Although I'd like to point out that a firewall is fairly useless if you carefully control what ports are allowed in and out of your system.. when you do that then a firewall is redundant. Mostly you'd just want to have a simple netfilter firewall in case you accidentally install some services or misconfigure something without fully realising it. There is lots of stuff like scripts or programs to help you set up something like that.

 
So you guys would recommend just sticking netfilter/iptables on my fileserver? Does iptables give you the functionality of something like m0n0wall?
 
I don't know enough about the dirty details of *nix/BSD firewalling to address the specifics (and Linux vs. BSD firewall debates sometimes get a touch touchy); but the basic abilities will be the same. m0n0wall is pretty damn slick; but most of its really slick elements derive from its being a separate distro; the unusual config file, boot setup, heavily integrated admin tools, good compatibility with embedded boards, etc. Unless you have something pretty heavyweight, netfilter/iptables should be able to do the same sort of stuff, although the config tools will be different.

You certainly could stick m0n0wall in a VM on your fileserver, and bridge the appropriate LAN and WAN ports in the VM with the physical LAN and WAN ports on the server; but it somehow feels a little weird to bring in that much overhead when a perfectly good setup exists right in the host kernel.
 
Originally posted by: Jagercola
So you guys would recommend just sticking netfilter/iptables on my fileserver? Does iptables give you the functionality of something like m0n0wall?

Well it's always better to have a separate router/firewall. But if you only want to expend the resources for a single machine then iptables stuff is more than adequate for a firewall on the fileserver. The default Linux kernel you get with your system is capable of very complex networking capabilities out of the box.

One major reason you'd use something like IPcop is that firewall routing stuff can be complex and error prone and IPcop/Monowall would provide sane defaults and some management features that a more generic firewall wouldn't provide.

Another major reason you want a separate firewall router is that the less things you have on the fileserver the less likely it's going to get hacked. Security and such is a layered approach and part of the equation is how much code you're running on a single machine. Statistically speaking the more software you're running the more vulnerable you are. So you use separate roles on separate machines to reduce the likelihood of any single machine getting violated and if one machine gets hacked it's easier to isolate the problem.

That's why people shy away from running a GUI on a file server and shy away from running fileservers from desktop to desktop.

IPCop itself is an iptables thing.. it's Linux and iptables is what you use for its netfilter/routing stuff along with some bridging utilities. The major difference for Monowall is that it's based on FreeBSD and uses FreeBSD's routing stuff instead. Now with OpenBSD their stuff is high quality and is supposed to be much easier to use than Linux's stuff.. but Linux's stuff is going to probably be more feature-full, but I don't know anything about FreeBSD stuff.

If you have your extended source list for Ubuntu's repositories set up you can do an apt-cache search firewall and find lots of stuff.. (although I'd recommend Debian Stable for server use.. its software is mostly the same as Ubuntu's but it's better supported and updates are going to be less often).

For instance on my Debian Sid machine I can quickly find things like Shorewall, Firehol, Zorp. Also there is a handy program called 'Bastille' that not only helps you set higher-level security settings for many software packages, it will also include a default firewall. There are also dozens of other type things.

Take a look at those. I can't recommend which one is more ideal though.
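
A default-deny netfilter ruleset for the single-box setup discussed in this thread (Samba and FTP served to the LAN only), as an added example that is not part of any poster's message. The LAN range, the function name gen_ruleset and the optional extra-port argument are assumptions; the script only prints rules in iptables-restore format and does not change the running firewall.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a host that serves Samba and FTP to
# one LAN and nothing else. Nothing here touches the running firewall.
# Usage: gen_ruleset LAN_CIDR [EXTRA_TCP_PORTS]   (e.g. "22" for SSH admin)
gen_ruleset() {
    lan=$1
    extra=${2:-}
    # Refuse anything that is not a plain IPv4 CIDR, so a typo cannot
    # silently turn into a rule with no source restriction.
    case $lan in
        *[!0-9./]*|*/*/*|'') echo "bad LAN CIDR: $lan" >&2; return 1 ;;
        */*) ;;
        *) echo "bad LAN CIDR: $lan" >&2; return 1 ;;
    esac
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP conntrack helper (nf_conntrack_ftp) so that FTP data
# connections are classified as RELATED to the control connection.
-A PREROUTING -s $lan -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Samba: NetBIOS name/datagram (UDP) and session/SMB (TCP), LAN only.
-A INPUT -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s $lan -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
# FTP control channel, LAN only.
-A INPUT -s $lan -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Optional extra TCP services (comma-separated), still LAN only.
    if [ -n "$extra" ]; then
        echo "-A INPUT -s $lan -p tcp -m multiport --dports $extra -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}
```

Piping the output into `iptables-restore --test` as root checks that the rules parse without loading them; anything not listed, including a service installed by accident, stays unreachable because the INPUT policy is DROP.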
 
Does iptables give you the functionality of something like m0n0wall?

Technically it'll probably give you more, netfilter has a lot of modules that allow you to do all kinds of weird things.
 
Have you considered ClarkConnect? Everything you want in one distribution, and free for home use. The same is true for Astaro.
 
Originally posted by: htne
Have you considered ClarkConnect? Everything you want in one distribution, and free for home use. The same is true for Astaro.

He can do it all with Ubuntu too. :shocked:
 
I wouldn't. I like my firewall on its own, separate machine.

If it's the power bill you are concerned about, get an EPIA PD6000 motherboard and a 512MB IDE flash module. The PD6000 has a 600MHz Eden CPU and 2 10/100 network interfaces onboard. I use it for my OpenBSD firewall. Very low power consumption and more than fast enough for a low end firewall.

 
Originally posted by: EatSpam
I wouldn't. I like my firewall on its own, separate machine.

If it's the power bill you are concerned about, get an EPIA PD6000 motherboard and a 512MB IDE flash module. The PD6000 has a 600MHz Eden CPU and 2 10/100 network interfaces onboard. I use it for my OpenBSD firewall. Very low power consumption and more than fast enough for a low end firewall.

I'm waiting for the dual VIA C3. 😛
 
In terms of pure firewall (filtering rulesets), netfilter/iptables gives you more options IMO. But m0n0wall is the OS for a dedicated fw type appliance... so you cannot run m0n0wall on the same box as say a file server. But m0n0wall is pretty damn easy to use and gives you lots of goodies like DHCP, VPN, etc. I would say get a separate box to be your firewall... on those embedded systems power consumption is that much. OpenWrt on a Linksys looks pretty cool too.
 
Originally posted by: n0cmonkey
Originally posted by: EatSpam
I wouldn't. I like my firewall on its own, separate machine.

If it's the power bill you are concerned about, get an EPIA PD6000 motherboard and a 512MB IDE flash module. The PD6000 has a 600MHz Eden CPU and 2 10/100 network interfaces onboard. I use it for my OpenBSD firewall. Very low power consumption and more than fast enough for a low end firewall.

I'm waiting for the dual VIA C3. 😛

Me too. I have one on order with Servercase.com... hopefully I have it by next week. I'm migrating my Exchange/Web server off of a Prescott P4. That'll save about $10/month on the power bill.
 