
Re: Linux - DNS/WWW/POP



On Mon, Jan 29, 2001 at 04:06:25PM +0100, Viktor Rosenfeld wrote:
> Hello,
> 
> ktb wrote:
> 
> > > Can I have one Linux box working as my name server, web server, proxy server, mail server, and ftp?
> > >
> > 
> > Yes you can do that.  Where I work the policy is one main service per
> > server for security and performance reasons.  If this box is for home
> 
> A related question:  Can I have a box serve both as a server (DNS, mail,
> proxy, web, ...) for the local network _and_ as a firewall for the local
> network at the same time?
> 
> I will soon have a DSL flat rate and plan to be online all the time. 
> However, to protect my boxen from stupid script kiddies, I want to have
> only one port open to the internet, and that is SSH.  On the other hand
> I want to have all the other ports open on the local net, because I
> don't risk anybody cracking the box, it will only be my roommates.
> 
> So, is this possible?  Only SSH open on one interface and all the rest
> restricted to the local interface?  Does netfilter in 2.4 help?  (I
> haven't read up on it, but I heard that it's stateful firewalling.)
> 
> The alternative would be having one box serve as a dedicated firewall (I
> figure, my old 486DX/33 with 8MB will do it) and another box serve as a
> local server.  This has the advantage, that, if I screw up and my server
> goes down, I still have internet access.  On the other hand, it's
> another box consuming energy, and I like to avoid that as much as
> possible (for both financial and environmental reasons).
> 
> Thoughts?
> 

Whatever services you run you need a port open so the "outside" can
access it.  In other words if you want to run a web server you must have
say, port 80 open.  I use OpenBSD for a firewall using NAT.  From what
little I have read the new firewall stuff in 2.4 works similar.
"Stateful" is a great thing.  You can set up a default rule to block all
incoming and another to allow any communication from the outside, if you
initiate it.

What I would do if I were you is set up a three legged network (three
network cards in your firewall).  One card connecting to the outside,
one connecting to a server (dmz) and one to your internal network
(workstation).  Set up your firewall with a default 'deny all' from the
outside.  Then set up rules to let in just the services you want to
offer such as a web server, dns server, etc.  Have these services
redirected by your firewall to your server.  You could leave port 22
open on your firewall for ssh.  So you would have one port open on your
firewall and all other services redirected to your server and still be
able to send and receive mail, surf the web etc.  I think that is pretty
close to what you want.
hth,
kent
   
-- 
I'd really love ta wana help ya Flanders but... Homer Simpson
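As an added illustration of the three-legged layout kent describes (default deny from the outside, only SSH on the firewall itself, published services redirected to a server on a separate DMZ leg, everything allowed from the workstation side): this is not code from the thread, it is a 2.4-era iptables rule set written for this page. Interface names (ppp0, eth1, eth2), addresses and the list of published services are assumptions; edit them before use. The script only prints the rules unless FW_APPLY=1, and the state match is the 2.4 netfilter `-m state` module kent's "stateful" remark refers to.

```shell
#!/bin/sh
# Three-legged netfilter firewall (Linux 2.4 iptables), added example.
# All names and addresses below are assumptions, not from the thread.
EXT_IF="ppp0"                 # DSL link to the internet
DMZ_IF="eth1"                 # leg to the server (DMZ)
LAN_IF="eth2"                 # leg to the workstations
DMZ_SERVER="192.168.2.10"     # the server box in the DMZ (assumed)

# Services the outside may reach; each is DNAT'ed to the DMZ server.
# One "proto port" pair per line (assumed list: web, DNS, SMTP).
PUBLISHED_SERVICES="tcp 80
tcp 53
udp 53
tcp 25"

# fw_rules prints one iptables command per line (a dry run you can read
# before applying).  Order matters only within a chain: first match wins.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
    # Published services: redirect from the outside interface to the DMZ
    # server, and let the redirected connection through the FORWARD chain.
    # Note there is deliberately no DMZ -> LAN rule: a compromised server
    # cannot open connections to the workstations.
    printf '%s\n' "$PUBLISHED_SERVICES" | while read -r proto port; do
        [ -n "$proto" ] || continue
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $DMZ_SERVER"
        echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_SERVER -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# apply_rules turns on forwarding and runs the rule list, stopping at the
# first iptables error.  Needs root on a kernel with netfilter.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | sh -e
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules
else
    fw_rules
fi
```

Run it once without FW_APPLY to review the generated commands, then with `FW_APPLY=1` as root to load them. With this layout the firewall exposes exactly one listening port (22) to the outside; web, DNS and mail requests are handed to the DMZ box, and the workstations behind the third leg still reach the internet through the MASQUERADE rule because the ESTABLISHED,RELATED rules let the replies back in.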