Which Linux OS best for beginner to setup as Web / Mail server / Internet sharer and firewall?

We are a small business with no IT employees and have about 20 Windows
ME machines. None of that is subject to change. We are installing a
DSL line, and when we do, we want to improve the way our Internet is
handled. I am planning to try to set up a server which the DSL will
connect to, and will run our web site off the server, as well as
automatically get our POP3 emails from our outside accounts, and hold
them until our local computers want to see them. It should also share
the internet connection and run a firewall.

We are only considering no cost versions of Linux for this purpose,
and we were planning on running either Fedora or White box enterprise
Linux.
Is there any other no cost Linux that you would suggest would be
easier for an absolute beginner (no Linux experience at all) to set up
this type of a server on? I know there are specialized mini versions
of Linux that only act as sharers and firewalls, etc., but I believe
that we will need the flexibility of a full linux to support future
expansion as well as the 4 features I mentioned, HTTP Server, POP3,
Firewall, and Internet sharing. Feel free to point out if you believe
there is a better solution. Also, can Linux speak to most DSL modems,
or at the least, can most DSL providers come up with something that
will speak to a Linux system?

Dave Arbok wrote:
> We are a small business with no IT employees and have about 20 Windows
> ME machines. None of that is subject to change. We are installing a
> DSL line, and when we do, we want to improve the way our Internet is
> handled. I am planning to try to set up a server which the DSL will
> connect to, and will run our web site off the server, as well as
> automatically get our POP3 emails from our outside accounts, and hold
> them until our local computers want to see them. It should also share
> the internet connection and run a firewall.
>
I don't want to start a flame war, but in my experience OpenBSD is best
for a PPP gateway/NAT type application. It's easy to set up, rock
solid, and the documentation is excellent. Port forward to internal
boxes if you must run linux for applications. Do keep in mind that
you're going to want a static IP for your DSL connection.

> We are only considering no cost versions of Linux for this purpose,
> and we were planning on running either Fedora or White box enterprise
> Linux.

How did you come to this decision? To me, those are versions of Linux
for windows users...they don't feel as powerful as, say, Debian.

> Is there any other no cost Linux that you would suggest would be
> easier for an absolute beginner (no Linux experience at all) to set up
> this type of a server on? I know there are specialized mini versions
> of Linux that only act as sharers and firewalls, etc., but I believe
> that we will need the flexibility of a full linux to support future
> expansion as well as the 4 features I mentioned, HTTP Server, POP3,
> Firewall, and Internet sharing. Feel free to point out if you believe
> there is a better solution. Also, can Linux speak to most DSL modems,
> or at the least, can most DSL providers come up with something that
> will speak to a Linux system?

I'd say if you're going to bother with Linux, learn how to use it. Take
advantage of the power rather than pointing and clicking your way
through stuff. Personally I like Debian, particularly for a small
server of the variety that you would use to host web/mail over a DSL
line. You can use KNOPPIX to install it if you don't want to deal with
the Debian installer, although the Sarge installer is supposed to be
pretty nice.
I suppose you did say you had no IT employees...but even in a
business of 20, someone had better be familiar with basic sysadmin tasks
so you don't wind up paying somebody to do it at $160/hr. I know I run
into this problem at my Dad's office...it's not that hard to learn. I'd
like to know how you survived 20 ME machines with no technical staff.

--
Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Dave Arbok <(E-Mail Removed)> suggested:
> We are a small business with no IT employees and have about 20 Windows
> ME machines. None of that is subject to change. We are installing a
> DSL line, and when we do, we want to improve the way our Internet is
> handled. I am planning to try to set up a server which the DSL will
> connect to, and will run our web site off the server, as well as
> automatically get our POP3 emails from our outside accounts, and hold
> them until our local computers want to see them. It should also share
> the internet connection and run a firewall.

You should run a proxy server like squid, to speedup internet
access and more.

> We are only considering no cost versions of Linux for this purpose,
> and we were planning on running either Fedora or White box enterprise
> Linux.

I'd use the whitebox RH clone, alone the longer live time should
be worth it.

> Is there any other no cost Linux that you would suggest would be
> easier for an absolute beginner (no Linux experience at all) to set up
[..]

> there is a better solution. Also, can Linux speak to most DSL modems,
> or at the least, can most DSL providers come up with something that
> will speak to a Linux system?


If those have a standard ethernet 10 Mbit (RJ45 or alike)
connection, chances are pretty high. From your post, unless you
are willing to learn lots of knowledge in a short time, I'd
suggest hiring someone experienced for a day or two who can do an
initial secure setup and install webmin for you.

I'd strongly suggest running at least software RAID on the box
and make a plan for regular backups of the machine.

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBFWTOAkPEju3Se5QRAiEAAJsE9SOsO2mgbvSrGy/rYAVaaALAdwCgjmSU
+KyuDu+SIc//d28eDBrK0zo=
=CGld
-----END PGP SIGNATURE-----

"Franklin M. Siler" <(E-Mail Removed)> wrote in message news:<cf3dbf$sjf$(E-Mail Removed)>...
> Dave Arbok wrote:
> > We are a small business with no IT employees and have about 20 Windows
> > ME machines. None of that is subject to change. We are installing a
> > DSL line, and when we do, we want to improve the way our Internet is
> > handled. I am planning to try to set up a server which the DSL will
> > connect to, and will run our web site off the server, as well as
> > automatically get our POP3 emails from our outside accounts, and hold
> > them until our local computers want to see them. It should also share
> > the internet connection and run a firewall.
> >
> I don't want to start a flame war, but in my experience OpenBSD is best
> for a PPP gateway/NAT type application. It's easy to set up, rock
> solid, and the documentation is excellent. Port forward to internal
> boxes if you must run linux for applications. Do keep in mind that
> you're going to want a static IP for your DSL connection.

I'm not sure exactly what you mean by "internal boxes," does that mean
virtual machines running linux, or actual physical machines running
linux inside the firewall? Either way, I think Occam's razor and all
would say that learning two OS's, linux and openbsd would have to be
more complicated than learning one. I think there are more tutorials
and applications for Linux, and I know I don't want to learn both, so
I think OpenBSD would make things more complicated.
>
> > We are only considering no cost versions of Linux for this purpose,
> > and we were planning on running either Fedora or White box enterprise
> > Linux.
>
> How did you come to this decision? To me, those are versions of Linux
> for windows users...they don't feel as powerful as, say, Debian.
I am a Windows user. I'm not looking for power, as much as looking to
get the job done easily and stably. We leaned towards those because
people say they are easy to learn, have good support for security
patches and there are likely to be RPM packages for the firewall and
the other 3 apps I mentioned, web server, internet sharing, pop3
server. I would be open to considering Mandrake or other distros, as
I said in my title, I was asking which distro I should consider.
>
> > Is there any other no cost Linux that you would suggest would be
> > easier for an absolute beginner (no Linux experience at all) to set up
> > this type of a server on? ... the 4 features I mentioned, HTTP Server, POP3,
> > Firewall, and Internet sharing. Feel free to point out if you believe
> > there is a better solution.
>
> I'd say if you're going to bother with Linux, learn how to use it. Take
> advantage of the power rather than pointing and clicking your way
> through stuff. Personally I like Debian, particularly for a small
> server of the variety that you would use to host web/mail over a DSL
> line. You can use KNOPPIX to install it if you don't want to deal with
> the Debian installer, although the Sarge installer is supposed to be
> pretty nice.
I really would rather point and click through stuff, I think. This
will basically all be done after hours in my free time, and I'd rather
go out and play than put a lot of effort into it. If you believe that
Debian will be easier than Fedora or Whitebox, then I'd love to be
persuaded. Otherwise, it is not a good solution for me. I've heard
Debian is harder. I asked for "easiest for an absolute beginner to
set up these 4 services." Oh, actually add Antivirus scanning of
email attachments for windows viruses as a fifth service. (I hear
ClamAV is good).

> I suppose you did say you had no IT employees...but even in a
> business of 20, someone had better be familiar with basic sysadmin tasks
> so you don't wind up paying somebody to do it at $160/hr. I know I run
> into this problem at my Dad's office...it's not that hard to learn. I'd
> like to know how you survived 20 ME machines with no technical staff.

Well, only 10-12 are actually used for general purpose stuff by end
users I guess, the others are to run specific machines.
Basically, you run around once in a while and make sure the security
updates and antivirus updates have been getting through. If someone
says they don't know how to do something, you tell them to ask another
user who knows the program better. When we changed email servers it
was a pain, I had to go to everyone's machine and get their old mail
painfully off of the webmail and into a local email program, and many
users had a hard time adjusting to the switch.

Anyway, I still want to know if any no cost Distro will be easier than
Fedora or White box enterprise linux for my 5 tasks: web server,
internet sharing, mail server, antivirus scanning of the mail, and
firewall.

Also, I've heard some people say they like to use a tiny standalone
machine as the firewall, using smoothwall or similar, and run their
web and mail server on a more powerful machine inside the firewall. I
see how that might be more secure, because the machine that is
connected physically to the outside world, has no valuable data on it
if compromised, but is it worth the trouble? Isn't Linux very secure
anyway, so there is very little risk using only one machine for my 5
tasks? If it is worth the trouble, it won't add much expense to the
project, so I'd gladly consider it. Just convince me.

Dave Arbok wrote:

> "Franklin M. Siler" <(E-Mail Removed)> wrote in message news:<cf3dbf$sjf$(E-Mail Removed)>...
>
>>Dave Arbok wrote:
[snip]
>>I don't want to start a flame war, but in my experience OpenBSD is best
>>for a PPP gateway/NAT type application. It's easy to set up, rock
>>solid, and the documentation is excellent. Port forward to internal
>>boxes if you must run linux for applications. Do keep in mind that
>>you're going to want a static IP for your DSL connection.
>
>
> I'm not sure exactly what you mean by "internal boxes," does that mean
> virtual machines running linux, or actual physical machines running
> linux inside the firewall? Either way, I think Occam's razor and all
> would say that learning two OS's, linux and openbsd would have to be
> more complicated than learning one. I think there are more tutorials
> and applications for Linux, and I know I don't want to learn both, so
> I think OpenBSD would make things more complicated.
>
I meant physical machines, either inside your network or in a DMZ.
Obviously you can't run OBSD and Linux on the same physical machine
without some voodoo.

>>>We are only considering no cost versions of Linux for this purpose,
>>>and we were planning on running either Fedora or White box enterprise
>>>Linux.
>>
>>How did you come to this decision? To me, those are versions of Linux
>>for windows users...they don't feel as powerful as, say, Debian.
>
> I am a Windows user. I'm not looking for power, as much as looking to
> get the job done easily and stably. We leaned towards those because
> people say they are easy to learn, have good support for security
> patches and there are likely to be RPM packages for the firewall and
> the other 3 apps I mentioned, web server, internet sharing, pop3
> server. I would be open to considering Mandrake or other distros, as
> I said in my title, I was asking which distro I should consider.
>
Have you ever used any other OSes? Pardon the expression, but you're
going to have to undergo a brain fuck regardless of which distribution
you choose to run. I'd say you're better off learning how to do stuff
the way experienced users do it...you'll have more questions but you'll
also pick up a lot more, and believe it or not those sorts of diagnostic
skills are helpful for windows applications too.
It's also one of those "least services" issues...why on earth do you
want X and a whole bunch of other stuff installed on your firewall or
web server? It's not good operating practice.

[snip]
>>I'd say if you're going to bother with Linux, learn how to use it. Take
>>advantage of the power rather than pointing and clicking your way
>>through stuff. Personally I like Debian, particularly for a small
>>server of the variety that you would use to host web/mail over a DSL
>>line. You can use KNOPPIX to install it if you don't want to deal with
>>the Debian installer, although the Sarge installer is supposed to be
>>pretty nice.
>
> I really would rather point and click through stuff, I think. This
> will basically all be done after hours in my free time, and I'd rather
> go out and play than put a lot of effort into it. If you believe that
> Debian will be easier than Fedora or Whitebox, then I'd love to be
> persuaded. Otherwise, it is not a good solution for me. I've heard
> Debian is harder. I asked for "easiest for an absolute beginner to
> set up these 4 services." Oh, actually add Antivirus scanning of
> email attachments for windows viruses as a fifth service. (I hear
> ClamAV is good).
>
I sympathize with your desire to have things work in a manner similar to
what you're used to, but I have not seen satisfactory GUI tools for a
lot of what you're talking about. For example, to me editing an Apache
config file is much faster than messing with webmin or another app that
runs in a GUI. Similarly, firewalls are almost always set up via
command line, whether it's on a headless OpenBSD machine or a Cisco router.
As far as the "absolute easiest" way to do things...this attitude
causes all kinds of problems. For example, the "easiest way" to do
stuff on windows is to log in as an Administrator, not patch, use IE,
use outlook, and two hours later your machine is a zombie. It sounds
like you want to 1) secure your network and 2) not do any work, and
those two things are mutually exclusive. If you don't want to do it
right, for the benefit of the rest of us pay someone to do it right.
On a side note, I don't want to preach a lot about business
practices, but why on earth would you do this on your own time unless
you own the place? If your employer is getting value out of your work,
you should be getting paid for it. If you think you're getting
education out of the experience, I'm inclined to agree but if this is
the case you should do stuff "the hacker way" and I still think you
should be getting paid for it.
>
>> I suppose you did say you had no IT employees...but even in a
>>business of 20, someone had better be familiar with basic sysadmin tasks
>>so you don't wind up paying somebody to do it at $160/hr. I know I run
>>into this problem at my Dad's office...it's not that hard to learn. I'd
>>like to know how you survived 20 ME machines with no technical staff.
>
>
> Well, only 10-12 are actually used for general purpose stuff by end
> users I guess, the others are to run specific machines.
> Basically, you run around once in a while and make sure the security
> updates and antivirus updates have been getting through. If someone
> says they don't know how to do something, you tell them to ask another
> user who knows the program better. When we changed email servers it
> was a pain, I had to go to everyone's machine and get their old mail
> painfully off of the webmail and into a local email program, and many
> users had a hard time adjusting to the switch.
>
Well, I don't think this will cause a huge amount of work..all you need
to do is stick your new firewall at the same IP as the old one. You can
use transparent proxies if you want and no one will even notice, except
that it'll be faster.

> Anyway, I still want to know if any no cost Distro will be easier than
> Fedora or White box enterprise linux for my 5 tasks: web server,
> internet sharing, mail server, antivirus scanning of the mail, and
> firewall.

Again, they're all going to be /some/ work, and I still vote that it's
worth your while to use Debian, Slackware, or other distros which are
commonly used for the purposes you have outlined.
>
> Also, I've heard some people say they like to use a tiny standalone
> machine as the firewall, using smoothwall or similar, and run their
> web and mail server on a more powerful machine inside the firewall. I
> see how that might be more secure, because the machine that is
> connected physically to the outside world, has no valuable data on it
> if compromised, but is it worth the trouble? Isn't Linux very secure
> anyway, so there is very little risk using only one machine for my 5
> tasks? If it is worth the trouble, it won't add much expense to the
> project, so I'd gladly consider it. Just convince me.

Yes, that is standard practice and the strategy I would recommend, but I
would use OpenBSD instead of Linux on it. As I've probably already
mentioned, the OpenBSD documentation is excellent and it took me under a
day to fully configure a box with PPP, NAT, and a good firewall ruleset.
Of course, now that I now how, I can set one up in about an hour, so
once you do it you can easily put one in at home or consult to do it for
money.

--
Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/

On Sat, 07 Aug 2004 15:16:47 -0500, Franklin M. Siler wrote:

Personally I like Debian, particularly for a small
> server of the variety that you would use to host web/mail over a DSL
> line. You can use KNOPPIX to install it if you don't want to deal with
> the Debian installer, although the Sarge installer is supposed to be
> pretty nice.

I tried to install Debian a couple of times, the installer completely
baffeled me. I an stalled Libranet which is a Debian base distro with an
install that dummies like me could use. It has the stability of Debain
uses its' .deb packages, The best of 2 worlds

Paul

"Dave Arbok" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> We are a small business with no IT employees and have about 20 Windows
> ME machines. None of that is subject to change. We are installing a
> DSL line, and when we do, we want to improve the way our Internet is
> handled. I am planning to try to set up a server which the DSL will
> connect to, and will run our web site off the server, as well as
> automatically get our POP3 emails from our outside accounts, and hold
> them until our local computers want to see them. It should also share
> the internet connection and run a firewall.

maybe it's a good idea to split the 'server' from the nat/firewalling
functionality. Check out http://www.freesco.info and
http://www.smoothwall.org

>
> We are only considering no cost versions of Linux for this purpose,
> and we were planning on running either Fedora or White box enterprise
> Linux.
> Is there any other no cost Linux that you would suggest would be
> easier for an absolute beginner (no Linux experience at all) to set up
> this type of a server on? I know there are specialized mini versions
> of Linux that only act as sharers and firewalls, etc., but I believe
> that we will need the flexibility of a full linux to support future
> expansion as well as the 4 features I mentioned, HTTP Server, POP3,
> Firewall, and Internet sharing. Feel free to point out if you believe
> there is a better solution. Also, can Linux speak to most DSL modems,
> or at the least, can most DSL providers come up with something that
> will speak to a Linux system?

Whitebox should be pretty good. It's advisable that somebody quite
knowledgeable about the subject matter could help you set up a good robust
configuration. What you are asking is not extremely straight forward if
there is no unix knowledge within the organisation.

1. fetchmail for the pop accounts
2. most likely sendmail to relay for internal IPs
3. web server
4. possibly reverse proxy for web accelleration

Brendon
++++

"Dave Arbok" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> "Franklin M. Siler" <(E-Mail Removed)> wrote in message
news:<cf3dbf$sjf$(E-Mail Removed)>...
> > Dave Arbok wrote:
>
> Also, I've heard some people say they like to use a tiny standalone
> machine as the firewall, using smoothwall or similar, and run their
> web and mail server on a more powerful machine inside the firewall. I
> see how that might be more secure, because the machine that is
> connected physically to the outside world, has no valuable data on it
> if compromised, but is it worth the trouble? Isn't Linux very secure
> anyway, so there is very little risk using only one machine for my 5
> tasks? If it is worth the trouble, it won't add much expense to the
> project, so I'd gladly consider it. Just convince me.

There are a lot of advantages in having a seperate firewall/router. In
particular, it adds an extra layer of defense, and it means that your most
vulnerable system (i.e., the bit nearest the internet) is running as little
as possible. If one of your server applications has a security flaw that
exposes a tcp/ip port by mistake (or is induced to do so by a cracker), no
harm is done if all traffic to that port is blocked by the extra firewall.
I would strongly recommend getting a simple firewall/NAT router box and
connecting it between your DSL modem and your linux box. These things cost
peanuts (assuming you don't want VPN, or other such stuff), are easily
configured by a web browser, and have all ports closed off by default.
Having to actively open holes in the firewall is far safer than having to
close off holes, especially for the less experianced user.

"Brendon Caligari" <(E-Mail Removed)> wrote in message news:<41168e25$0$58816$(E-Mail Removed)> ...
> "Dave Arbok" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > We are a small business with no IT employees and have about 20 Windows
> > ME machines. None of that is subject to change. We are installing a
> > DSL line, and when we do, we want to improve the way our Internet is
> > handled. I am planning to try to set up a Linux server ...
>
> maybe it's a good idea to split the 'server' from the nat/firewalling
> functionality. Check out http://www.freesco.info and
> http://www.smoothwall.org
>
> >
> > We are only considering no cost versions of Linux for this purpose,
> > and we were planning on running either Fedora or White box enterprise
> > Linux.
> > Is there any other no cost Linux ... easier for an absolute beginner
> > (no Linux experience at all) to set up this type of a server on?
>
> Whitebox should be pretty good. It's advisable that somebody quite
> knowledgeable about the subject matter could help you set up a good robust
> configuration. What you are asking is not extremely straight forward if
> there is no unix knowledge within the organisation.
>
> 1. fetchmail for the pop accounts
> 2. most likely sendmail to relay for internal IPs
> 3. web server
> 4. possibly reverse proxy for web accelleration
>

I appreciate everyone's input. I know people think that this is too
big a project for a lazy ignorant Windows user to undertake, but
unfortunately, no budget means we have to make do. I hate living with
dialup, and I can't in good conscience tell them to hook us up to DSL
without any firewall. In any case, I think that the ideas I've heard
have been very helpful. I'll summarize how things have and have not
changed, and what's up now.

1. I still like my free time, and want the easiest solution that is
relatively secure. ANY solution will be an improvement.

2. It has been implied, and I believe it, that because I know nothing
about what I am doing means it is quite likely I will make mistakes
which would lead to security holes. If I was an expert, I bet I could
make an all-in-one-box Linux server, doing my 5 tasks that was
acceptably secure. But, because I am not, I think I will follow the
advice of using two separate boxes, one wimpy box running smoothwall
or a similar firewall, (maybe openbsd- I'll read about it), and the
server I had been planning to do the whole thing, I'll use that for
the other stuff. That should provide an extra layer of security to
protect from mistakes I make.

3. People seem to agree that the long life cycle of White Box and
long span of support for security updates will help with my goal of
not having to mess around with this server a lot in the future. I
also thought of something, this may sound silly but it is a serious
question. When a Linux distribution has security patches, they would
by definition be for things that were part of that distribution...
i.e., if it came with a certain mail server, it would patch it. If I
had to add a separate mail server that didn't come with it, then I
wouldn't get those patches the same way, right? Should I try to find
a distribution that includes all the programs that I think I need, so
I know all the patches will come? Or do most distributions all have a
mail server, antivirus, etc., and this is not a selling point
difference between them?

4. I will NOT be running the Web Server for our home page right now.
Our current web host isn't real expensive, it seemed like a nice
freebie to be able to do it, because we'll have DSL and a Linux
machine, but we will try just the other stuff for a while first, and
if it all seems good then we'll think about taking over the web
server. For now, best to make it simple. The cost savings over
dialup is enough to justify the project, I don't need to be able to
replace our web host to make the project a go.

So, that leaves 4 tasks:
A. Internet sharing&proxy caching / B. Firewall
C. Get mail, store and serve to the win machines / D. AV scan the
mail

5. I've heard that scanning with ClamAV can be processor and memory
intensive. It seems that the mail storing and AV scanning would
definitely go on the powerful server inside the firewall.

6. Here's another big question I have. Task A, all this internet
caching, that seems like that might require computer power too.
Should that go on the internal machine too? Or does that normally go
on the firewall box?

Thanks for the insight, and I agree with everyone that in a perfect
world I would either have a budget to hire experts, or be ambitious
enough to want to learn a lot about all of this, but, this isn't a
perfect world.

Dave Arbok wrote:
[snip]
> 6. Here's another big question I have. Task A, all this internet
> caching, that seems like that might require computer power too.
> Should that go on the internal machine too? Or does that normally go
> on the firewall box?
>
Glad to hear things are coming along. One thing I forgot to mention
about your firewall: you seem to have a relatively small number of
clients, so you might consider looking into a small router that will do
the firewalling stuff for you.
Proxies can be included on the firewall or placed on another
machine. I've personally never set up squid or any other HTTP proxy,
but I've done several internal/caching DNS server installs and they seem
to help things feel faster. I really don't know how much benefit your
~20 clients might see from using a proxy like Squid; it depends a lot on
what kinds of traffic you do (obviously if you're accessing mostly
dynamic content it wouldn't help much).

--
Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/