network setup question

Kaido

Elite Member & Kitchen Overlord
If you were to set up a LAN in your home and wanted to run a Linux file server/firewall, what's the best way to do it? Would you go modem -> linux box -> router? Or perhaps modem -> linux box -> switch?

Or would it be safer to put the file server inside the network, instead of having it before the router/switch as a firewall/file server?
 
Originally posted by: n0cmonkey
The firewall and file server should be 2 different machines.

Internet -> Linux firewall -> switch

Any particular reason?
 
Originally posted by: Kaido
Originally posted by: n0cmonkey
The firewall and file server should be 2 different machines.

Internet -> Linux firewall -> switch

Any particular reason?

Because adding roles to the system will increase the risks and possible avenues of attack. Split them up, and there is less chance of bad things happening.

If you do it right (be very particular with iptables, tcpwrappers, and other technologies and making sure the listening processes only listen on internal interfaces) you can get away with doubling up duties at home. It's still frowned upon though.
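
One way to check the "only listen on internal interfaces" condition from the post above, as an added example that is not part of the thread. The LAN address 192.168.1.1 and the sample socket lines are constructed assumptions; the input format is that of `ss -H -tuln`.

```sh
#!/bin/sh
# Added example (not from the thread): list listeners bound to anything other
# than loopback or the LAN address of a combined firewall/file-server box.
# Input on stdin: lines in the format printed by `ss -H -tuln`.

exposed_listeners() {
    # $1 = the box's internal (LAN) address; 192.168.1.1 below is an assumption
    awk -v lan="$1" '
    {
        port = $5; sub(/.*:/, "", port)       # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*$/, "", addr)                 # drop a "%iface" suffix
        gsub(/\[|\]/, "", addr)               # drop IPv6 brackets
        if (addr == lan || addr ~ /^127\./ || addr == "::1") next
        # Wildcard binds (0.0.0.0, *, ::) also answer on the Internet-facing
        # interface unless a packet filter drops the traffic first.
        print $1 "/" port " bound to " addr
    }'
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0  128      0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0  50   192.168.1.1:445    0.0.0.0:*
tcp   LISTEN 0  128    127.0.0.1:631    0.0.0.0:*
udp   UNCONN 0  0        0.0.0.0:137    0.0.0.0:*
tcp   LISTEN 0  128         [::]:80        [::]:*
EOF
}

# On a live box: ss -H -tuln | exposed_listeners 192.168.1.1
sample_ss_output | exposed_listeners 192.168.1.1
```

Every line it prints is a service that must either be rebound to the LAN address or be covered by an explicit iptables rule on the external interface.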
 
Originally posted by: n0cmonkey
Originally posted by: Kaido
Originally posted by: n0cmonkey
The firewall and file server should be 2 different machines.

Internet -> Linux firewall -> switch

Any particular reason?

Because adding roles to the system will increase the risks and possible avenues of attack. Split them up, and there is less chance of bad things happening.

If you do it right (be very particular with iptables, tcpwrappers, and other technologies and making sure the listening processes only listen on internal interfaces) you can get away with doubling up duties at home. It's still frowned upon though.

Hmm. It seems easier just to buy a dedicated piece of hardware. Netgear sells a nice firewall switch with VPN for like $100. Maybe I should just invest in that and do the server separately, inside the network.
 
Originally posted by: Kaido
Originally posted by: n0cmonkey
Originally posted by: Kaido
Originally posted by: n0cmonkey
The firewall and file server should be 2 different machines.

Internet -> Linux firewall -> switch

Any particular reason?

Because adding roles to the system will increase the risks and possible avenues of attack. Split them up, and there is less chance of bad things happening.

If you do it right (be very particular with iptables, tcpwrappers, and other technologies and making sure the listening processes only listen on internal interfaces) you can get away with doubling up duties at home. It's still frowned upon though.

Hmm. It seems easier just to buy a dedicated piece of hardware. Netgear sells a nice firewall switch with VPN for like $100. Maybe I should just invest in that and do the server separately, inside the network.

Easier, yes. But you COULD buy a computer for cheaper than that on eBay, install Linux on it and have a much more powerful firewall/router and VPN support. Then get another cheap computer off eBay, put a beefy hard drive in it, install Linux, and use it as a file server.
 
I've used linux firewall/router boxes with success, but one thing makes them inferior to a hardware device, in my opinion. The hard drive can and will fail at the most inopportune time.
You can run them off of some flash drive, but that kills the economy argument.
Anymore, I tend to use the solid state devices at the gateway.
n0c is absolutely right though: Bad practice to double up duties with the gateway box. Inside the network, multitasking a unix box is fine.
 
Originally posted by: skyking
I've used linux firewall/router boxes with success, but one thing makes them inferior to a hardware device, in my opinion. The hard drive can and will fail at the most inopportune time.
You can run them off of some flash drive, but that kills the economy argument.
Anymore, I tend to use the solid state devices at the gateway.
n0c is absolutely right though: Bad practice to double up duties with the gateway box. Inside the network, multitasking a unix box is fine.

Compact flash isn't expensive.
 
In fact, my company has about a dozen old SPARC boxes that will boot off CF that you can use, little quiet 1U deals that work great. We use them for load balancing with a custom-rolled Debian distro on them.
 
When I had a Linksys router that kept hanging on me, I used to use my Linux server as a firewall/router, with Apache, Samba and other stuff being used for the LAN as well...
Now I have a nice D-Link router that is just as configurable as iptables, so I use that instead and put the Linux server inside the LAN.

I would have to agree with n0cmonkey: if you have a stable, robust hardware router, it doesn't make sense to put the Linux server on the edge of the network if that router can perform the same function.
 
Originally posted by: wkinney
When I had a Linksys router that kept hanging on me, I used to use my Linux server as a firewall/router, with Apache, Samba and other stuff being used for the LAN as well...
Now I have a nice D-Link router that is just as configurable as iptables, so I use that instead and put the Linux server inside the LAN.

I would have to agree with n0cmonkey: if you have a stable, robust hardware router, it doesn't make sense to put the Linux server on the edge of the network if that router can perform the same function.

Those SOHO routers rarely have the same functionality as a full fledged Linux box, so that isn't what I said at all. 😉
 