
One last ? about a Unix Box

orion7144

Diamond Member
Here is a diagram that I think is how I need to set things up hardware wise.

1. How secure is the unix box since it is in front of the router?
2. Will this have any effect on the internet speed? i.e. adding the Unix box in between the router and cable modem.
3. Will I need to set up some kind of proxy on the unix box to allow the other users to access the internet?
4. Is it possible to use the unix box as a web server/firewall/ftp server all at the same time?
5. Anything I am missing?

Thanks.
 
1: Security is *totally* up to you. It's all about what you install and how you install and maintain it. Unix can be one of the most secure OSes around, or one of the worst.

2: Yes, it will have a slight amount of impact on the speed. Larger impact, however, will be on the applications and configurations. If you put a dual-NIC box between any two networks, that box has to support all the protocols you want to use. A real pain.

3: Yep. Two NICs do not automatically mean forwarding, etc. You have to have something on it to make it do so. Either a full proxy, or firewall services running NAT. The latter is much easier.

4: Yes, you can run all those services at once.

5: Yeah. Why are you doing this? You'd be *much* better off NOT to have the Unix box between your router and your PC. Even if you do install a proxy server (like Squid) on it, you're still going to be causing problems and making life difficult on yourself. You'd be much better off to either buy two static IPs (one for the router, one for the Unix box) and not try to run the router through the unix box or just put your unix box behind your router and set up your port forwarding to the services you need.

Trust me on this - Let the router do its job. There's no real need to put a Unix box out there. You'll be amazed at how many apps will break behind a proxy.

- G
 
But, wouldn't it be a pita to set up all of the port forwarding in the router? Wouldn't it be easier to just run an open proxy of some sort for the other 3 PCs to get to the net?
 
I use a unix box for a router/firewall. It can forward ports, and I can set up different lans using 3rd, 4th NICs. If you want to set up a unix machine as a firewall/router, that will work fine. It is not a good idea to have the same machine be your webserver, however. Easy enough to build another low power machine to do that.
 
The Content of the Following Links Might Help:

Linux Router.

Install the latest distro of Mandrake; the links below are referenced as a good guide.

Installing Mandrake8.0: a Newbie's Guide to Freedom.

Mandrake 9.0

How To Network Mandrake 9.0 to Windows XP.

Linux-Firewall-Tools


A different approach is taken by MikroTik (specializing in Wireless)

They offer an all-in-one proprietary package based on Linux.

While the professional is not free, they offer a functional demo that will work with max. of 4 computers.

If you have 4 or fewer computers it is worth giving it a try.

MikroTik - RouterOS Software.
 
Do this - Utilizing the routing, nat-ing, firewalling, dhcp-ing, and dns-ing abilities available on pretty much any *nix. If you know what you're doing, this is the way to go. It gives you tons of options and flexibility. If you don't know what you're doing, this is a bad way to go. It leaves a potentially insecure *nix machine out in the raw, and means no internet for you until you fix things.

Or this - this way you use the built in routing, nat-ing, and dhcp-ing of the router and don't have to worry about any of it. The only thing you would need to do is forward specific ports to your *nix machine. FTP can get wacky, so read up on running an ftp server behind your specific router.

Don't put the *nix out in front of the router like that. That's just awkward.

bart
 
No matter what you decide to do your firewall should be a firewall. Don't have any services running on it or you've just made a security hole in your defensive structure. I would favor putting the box behind the router!
 
Originally posted by: Soybomb
No matter what you decide to do your firewall should be a firewall. Don't have any services running on it or you've just made a security hole in your defensive structure. I would favor putting the box behind the router!
Some holes ARE worth living with for remote administration purposes. SSHd is a good example. Ideally, we would all like to run the firewall with no system functioning otherwise, but it's impractical at best to administer it, especially if you want to use logging of any sort.

That being said, SSH is a far cry from a Webserver in terms of access openness.
 
O.k. I see the point of putting it behind the router, however I would have to open ports on the router to allow the ?nix box to act as a webserver. Correct? I would be using it for web and mail server.
 
That being said, SSH is a far cry from a Webserver in terms of access openness
Really, I sure feel like there have been more openssh vulnerabilities lately than apache vulnerabilities 😀 I don't see a need to have ssh accessible to the outside world though, do you really login from outside your lan that much to change firewall rules? If you don't trust your lan allow only from certain internal addresses even. 😀 Logs get emailed or go to another machine which might be preferable anyway.

Yup just forward port 80, 443, 25, 110, 143 and you should have http, https, smtp, pop, and imap.
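
Added example, not part of any post in this thread: a shell script that emits an `iptables-restore` ruleset for the layout several replies describe, with a dual-NIC *nix box doing NAT, forwarding the five listed ports to a separate server, and accepting SSH only from one internal address. The interface names and all addresses are assumptions (constructed values), and iptables is assumed as the firewall tool.

```shell
#!/bin/sh
# Constructed values for illustration; adjust to the real network.
WAN_IF=eth0                    # NIC facing the cable modem (assumed name)
LAN_IF=eth1                    # NIC facing the internal PCs (assumed name)
LAN_NET=192.168.1.0/24         # internal network (assumed)
ADMIN_IP=192.168.1.10          # only host allowed to SSH to the firewall (assumed)
SERVER_IP=192.168.1.20         # separate web/mail box behind the firewall (assumed)
FWD_PORTS="80 443 25 110 143"  # http https smtp pop imap, as listed in the thread

# Print the ruleset in iptables-restore format. Two NICs alone do not
# forward anything: the kernel also needs net.ipv4.ip_forward=1.
gen_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    for p in $FWD_PORTS; do
        # Inbound service traffic is rewritten to the internal server.
        echo "-A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $SERVER_IP:$p"
    done
    # Outbound LAN traffic leaves with the firewall's public address.
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    # Default deny: the firewall itself offers nothing to the outside.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH for administration, from one internal address only.
    echo "-A INPUT -i $LAN_IF -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
    for p in $FWD_PORTS; do
        # Only the forwarded services may start new connections inward.
        echo "-A FORWARD -i $WAN_IF -d $SERVER_IP -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

gen_rules
```

The output can be checked without being applied by piping it to `iptables-restore --test` as root.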

 