Networking Forums


Public internet server on DSL connection

 
 
upro
Guest
Posts: n/a

 
      08-11-2004, 02:56 PM
Hello there!


I'm working at a school, and we want to set up a server and host our
own homepage + some other services such as ftp and mail server
etc. (all of our machines are on linux).

What I can't figure out is how, where and in which sequence to connect
wall plug (DSL connection), server and router/switch.

Right now the router/switch is connected to the wall plug, and the
workstations are connected to the router/switch.

Where would I connect an internet server to? The internet server should
also be the proxy server for the machines, firewall, mail and ftp
server.

We have a fixed IP, that should not be a problem.

I'm sorry if I was unable to describe my problem clearly (it's more
like not seeing the forest for the sheer quantity of trees around
me!). I hope you get it, anyway.

Your help is greatly appreciated, thanks!

--
Michael

r-znvy: zvpunry.wryqra jro.qr (chg gur "@" jurer vg svgf...)
ab fcnz cyrnfr
 
 
 
 
 
Walter Schiessberg
Guest
Posts: n/a

 
      08-11-2004, 03:11 PM
upro wrote on 11.08.2004 16:56:

> Hello there!
>
>
> I'm working at a school, and we want to set up a server and host our
> own homepage + some other services such as ftp and mail server
> etc. (all of our machines are on linux).
>
> What I can't figure out is how, where and in which sequence to connect
> wall plug (DSL connection), server and router/switch.
>
> Right now the router/switch is connected to the wall plug, and the
> workstations are connected to the router/switch.
>
> Where would I connect an internet server to? The internet server should
> also be the proxy server for the machines, firewall, mail and ftp
> server.

[...]

"wall plug"-server-switch-workstations.
Obviously you need two NICs in your server

--
Walter
 
 
Walter Schiessberg
Guest
Posts: n/a

 
      08-11-2004, 03:21 PM
Sorry, forgot to mention the DSL modem (Doesn't show in your setup either)
"wall plug"-modem-server-switch-workstations

--
Walter
 
 
Gerard Wassink
Guest
Posts: n/a

 
      08-11-2004, 03:36 PM
On Wed, 11 Aug 2004 17:21:48 +0200, Walter Schiessberg wrote:

> Sorry, forgot to mention the DSL modem (Doesn't show in your setup either)
> "wall plug"-modem-server-switch-workstations


The OP's router/switch is now connected to the DSL line. This leads me
to the suspicion that he means a DSL-modem with built-in hub.

For the rest I second your suggestion fully, and would like to add that
it's wise to separate the firewall functionality from *all* the rest on
a separate machine (can be any old PC with enough (64Mb) memory).

My own favorite is smoothwall (www.smoothwall.org). It delivers
firewalling, caching DNS, web-proxy, and intrusion detection.

Behind this firewall you distribute your other functions like ftp (if
you must), webserver, mail and whatever.

HTH

--
There's no place like 127.0.0.1
Gerard Wassink http://linux.family.filternet.nl
http://freeware.family.filternet.nl
Linux counter #360967, "In a world without fences, who needs gates?"
 
 
Walter Schiessberg
Guest
Posts: n/a

 
      08-11-2004, 04:35 PM
Gerard Wassink wrote on 11.08.2004 17:36:

[...]
> For the rest I second your suggestion fully, and would like to add that
> it's wise to separate the firewall functionality from *all* the rest on
> a separate machine (can be any old PC with enough (64Mb) memory).
>
> My own favorite is smoothwall (www.smoothwall.org). It delivers
> firewalling, caching DNS, web-proxy, and intrusion detection.
>
> Behind this firewall you distribute your other functions like ftp (if
> you must), webserver, mail and whatever.


Full ACK. Even if I prefer iptables, BIND, squid and whatnot. :-))
And FTP is in most cases replaceable by sftp/scp.

--
Walter
 
 
jack
Guest
Posts: n/a

 
      08-11-2004, 06:37 PM
Walter Schiessberg wrote:
> [...]
>
> "wall plug"-server-switch-workstations.
> Obviously you need two NICs in your server


Strictly speaking, no.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
 
 
upro
Guest
Posts: n/a

 
      08-12-2004, 11:45 AM

Thanks for all the answers, setup with 2 NICs, of course...!

jack <(E-Mail Removed)> writes:

> Walter Schiessberg wrote:
>> [...]
>> "wall plug"-server-switch-workstations.
>> Obviously you need two NICs in your server

>
> Strictly speaking, no.


Uuups - two NICs seemed quite obvious to me, so why do you (Jack) say
NO?

>
>
> Cheers, Jack.


--
Michael

r-znvy: zvpunry.wryqra jro.qr (chg gur "@" jurer vg svgf...)
ab fcnz cyrnfr
 
 
jack
Guest
Posts: n/a

 
      08-12-2004, 12:15 PM
upro wrote:
> Thanks for all the answers, setup with 2 NICs, of course...!
>
> jack <(E-Mail Removed)> writes:
>>>Obviously you need two NICs in your server

>>
>>Strictly speaking, no.

>
> Uuups - two NICs seemed quite obvious to me, so why do you (Jack) say
> NO?


Well, first of all, it is definitely better to have two NICs in the box,
both for performance and security reasons.

But, in fact, You can do all this with only one NIC, like so:
Put all clients, Your router and the DSL modem on the same physical
subnet, usually with a hub. Then, configure Your clients to use that router
as the default gateway. On the server, You need to assign one IP to Your
NIC (let's say the dynamic one that You get from Your ISP), plus a
private one as an alias. The server must act as a masquerading gateway.

What will happen now is that Your clients will ignore all packets that
are to travel between the AC and Your router (the "outside" connection),
and the AC will ignore all packets that are being sent among the local
private subnet. - This really works.

But, again, I'd feel really uncomfortable with this setup. - Bottom
line: Use two NICs for this.

Ah, some more explanation: One obvious disadvantage is that all, local
and masqueraded, traffic uses the same NIC, which will eventually double
its load. The next thing is that You have no physical separation of Your
LAN from the outside world, so in theory, somebody could be able to
capture Your inside traffic.

I saw a really good article somewhere on the web, but unfortunately can't
remember where it was. Perhaps googling might get You there (it was a
French site, IIRC).


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
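
Added example, not part of any post in this thread: a shell function that prints an iptables-restore ruleset for the two-NIC masquerading gateway recommended above. The interface names, LAN prefix and port list in the usage comment are assumptions; the function rejects the one-NIC alias layout because interface matches cannot separate inside from outside there.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a two-NIC gateway.
# All names and addresses passed in are assumptions, not from the thread.
# Load with:  gen_gateway_rules eth0 eth1 192.168.1.0/24 80,25 | iptables-restore
# and enable routing with:  sysctl -w net.ipv4.ip_forward=1

gen_gateway_rules() {
    ext_if=$1   # NIC facing the DSL modem
    int_if=$2   # NIC facing the switch and workstations
    lan=$3      # private LAN prefix
    ports=$4    # TCP ports the server offers to the internet

    if [ "$ext_if" = "$int_if" ]; then
        # One NIC with an alias: inside and outside share a device, so
        # -i/-o matches cannot separate them and the anti-spoofing
        # rules below would be meaningless.
        echo "error: inside and outside need different interfaces" >&2
        return 1
    fi

    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN source addresses to the public one on the way out.
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: LAN source addresses must never arrive from outside.
-A INPUT -i $ext_if -s $lan -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int_if -s $lan -j ACCEPT
-A INPUT -i $ext_if -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $ext_if -s $lan -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only LAN-originated traffic may open new connections outward.
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}
```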
 
 
Walter Schiessberg
Guest
Posts: n/a

 
      08-12-2004, 12:33 PM
jack wrote on 12.08.2004 14:15:

> upro wrote:
>
>> Thanks for all the answers, setup with 2 NICs, of course...!
>>
>> jack <(E-Mail Removed)> writes:
>>
>>>> Obviously you need two NICs in your server
>>>
>>>
>>> Strictly speaking, no.

>>
>>
>> Uuups - two NICs seemed quite obvious to me, so why do you (Jack) say
>> NO?

>
>
> Well, first of all, it is definitely better to have two NICs in the box,
> both for performance and security reasons.
>
> But, in fact, You can do all this with only one NIC, like so:
> Put all clients, Your router and the DSL modem on the same physical
> subnet, usually with a hub. Then, configure Your clients to use that router
> as the default gateway. On the server, You need to assign one IP to Your
> NIC (let's say the dynamic one that You get from Your ISP), plus a
> private one as an alias. The server must act as a masquerading gateway.
>
>

[...]

Regarding the costs of NICs nowadays and the hassle it takes to
configure internal and external on one NIC, it seemed obvious to me to
have two NICs. But technically you're correct, of course. :-))

--
Walter
 
 
upro
Guest
Posts: n/a

 
      08-12-2004, 12:40 PM
jack <(E-Mail Removed)> writes:

> upro wrote:
>> Thanks for all the answers, setup with 2 NICs, of course...!
>> jack <(E-Mail Removed)> writes:
>>>>Obviously you need two NICs in your server
>>>
>>>Strictly speaking, no.

>> Uuups - two NICs seemed quite obvious to me, so why do you (Jack) say
>> NO?

>
> Well, first of all, it is definitely better to have two NICs in the box,
> both for performance and security reasons.
>
> But, in fact, You can do all this with only one NIC, like so:
> Put all clients, Your router and the DSL modem on the same physical
> subnet, usually with a hub. Then, configure Your clients to use that router
> as the default gateway. On the server, You need to assign one IP to Your
> NIC (let's say the dynamic one that You get from Your ISP), plus a
> private one as an alias. The server must act as a masquerading gateway.
>
> What will happen now is that Your clients will ignore all packets that
> are to travel between the AC and Your router (the "outside" connection),
> and the AC will ignore all packets that are being sent among the local
> private subnet. - This really works.
>
> But, again, I'd feel really uncomfortable with this setup. - Bottom
> line: Use two NICs for this.
>
> Ah, some more explanation: One obvious disadvantage is that all, local
> and masqueraded, traffic uses the same NIC, which will eventually double
> its load. The next thing is that You have no physical separation of Your
> LAN from the outside world, so in theory, somebody could be able to
> capture Your inside traffic.
>
> I saw a really good article somewhere on the web, but unfortunately can't
> remember where it was. Perhaps googling might get You there (it was a
> French site, IIRC).
>
>
> Cheers, Jack.


Thanks, this is clear to me! I will definitely go for the 2-NIC
solution. Apart from the security issues it seems easier and less
mistake-prone to configure.

Thanks for helping!

Michael


--
Michael

r-znvy: zvpunry.wryqra jro.qr (chg gur "@" jurer vg svgf...)
ab fcnz cyrnfr
 
 
 
 