On Wed, 2003-03-19 at 23:01, Stefan Neufeind wrote:
> What I find astonishing: Let's say you are running a webserver, maybe
> mailserver and a DNS on a server. What rules do you want to apply to
> the packets etc.?

I guess plain iptables should be enough for a single PC or SOHO network - you can do pretty much everything. What I have not investigated is reporting - as iptables has no builtin (canonical) fancy reporting software, you'd rely on add-on software, and I don't know what's available there.

To the original poster: Do it all with iptables. Set it up to block everything and then selectively open ports until everything works as desired. Depending on the applications it may be a good idea to REJECT auth (identd) packets instead of dropping them - some applications have long timeouts.

Server hardware: a 486/25 with 36M RAM should be able to bear the load you're describing (it did for me, for several years, and still does for the people now living there, including also routing and squid proxy for the 3 computers behind it). The only thing is that you'd want to avoid compiling kernels on that machine :-)

To make your life as care-free as possible: install woody, not testing - you don't really need the latest software, do you - and subscribe to the security announcement list. Think about partitioning your server - log files at least, and perhaps mail spool, too, should go into a partition of their own, and use some software to monitor disk usage (there's software for this, but there's also the method of just calling 'df' from a cron script). Use logcheck or some similar software - once you've tuned it to your needs, you'll have almost no mail during regular operation. pflogsumm or similar could be interesting if you want an overview of what your mailserver is doing; it'll not react fast enough if your server is ever abused, though.

For the website, running webalizer or somesuch is interesting. It has been my experience (with church authorities, as it happens) that the not so tech-savvy are mightily impressed if you can show them that 4 or 5 actual people really look at the web page.

cheers
-- vbi

-- 
The prablem with Manoca is thot it's difficult ta tell the difference
between o cauple af the letters.
        -- Jacob W. Haller on alt.religion.kibology
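The firewall the reply describes (block everything, selectively open the serving ports, REJECT identd instead of dropping it), as an added example that is not part of the original message. The service port list, the `fw-drop:` log prefix and the `apply` argument are assumptions; the script only prints the ruleset unless told to apply it.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset in iptables-restore
# format for a host serving web, mail and DNS, as the reply recommends.
# Assumption: the ports below are the ones actually served; adjust them before
# applying.  Apply (as root) with:  sh firewall.sh apply
# gen_ruleset itself only prints, so it can be inspected anywhere.

TCP_PORTS="${TCP_PORTS:-22 25 53 80}"   # ssh, smtp, dns (tcp), http
UDP_PORTS="${UDP_PORTS:-53}"             # dns (udp)

gen_ruleset() {
    echo '*filter'
    # Block everything by default; open only what is listed below.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host initiated.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # auth/identd (113): REJECT rather than DROP, so peers that probe ident
    # (many mail servers do) get an immediate answer instead of a long timeout.
    echo '-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'
    # Selectively open the serving ports.
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Everything else falls through to the DROP policy; log a little first
    # (rate-limited, so a scan cannot fill the log partition).
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    echo 'COMMIT'
}

# Sanity check that never touches the kernel: ident must be a REJECT and
# nothing may ACCEPT port 113 ahead of it.
check_ruleset() {
    rules=$(gen_ruleset)
    echo "$rules" | grep -q -- '--dport 113 -j REJECT' || return 1
    echo "$rules" | grep -- '--dport 113' | grep -q ACCEPT && return 1
    return 0
}

if [ "$1" = "apply" ]; then
    check_ruleset && gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```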