[mdlug] Replacing D-Link router with Smoothwall box
Jeff Hanson
jhansonxi at gmail.com
Wed Oct 1 16:21:40 EDT 2008
On Wed, Oct 1, 2008 at 3:39 PM, Michael ORourke <mrorourke at earthlink.net> wrote:
> Lug Nuts,
>
> I have a small network with a Linux (OpenSuSE 11) server installed. I am
> considering replacing the D-Link router with a Smoothwall box (Linux
> router/firewall). But after reading up on the Smoothwall docs, I'm not sure
> of the best way to proceed. The Linux server is running Samba, Apache, and
> soon to be running a mail server. According to the Smoothwall docs, it
> looks like you would normally put the server in the DMZ (orange network)
> because it provides external facing services (i.e. web). But that will
> cause problems with the Samba services as it will be on a different subnet
> than the green network (internal clients) and it will require extra ports be
> opened between the green and orange networks. Some Google searches have
> suggested that you NOT put Samba on the orange network.
It's just a matter of risk management. If the web server is not
publicly usable (ssh tunneled, client certificates required, etc.)
then it's less of a problem on Green as it's less likely to be
breached. Orange is primarily for public servers.
I'm not sure about Samba but I wouldn't have smb or other file sharing
publicly accessible. Normally I would use a VPN for those. But
having ports forwarded to systems on Green is normal for BitTorrent.
> Here are a couple of possible solutions. For one, I'm not going to build a
> second server with just Apache and Postfix on the orange network (DMZ), that
> just seems like a waste of resources. But I could go with a red-green
> configuration and port forward web & email traffic to the green network
> (internal), just like the D-Link does now. Or maybe set up a second NIC
> (eth1) in the server on the green network (internal) and bind samba to that
> interface and still have eth0 on the orange network (DMZ) protected by the
> smoothwall box. Any other suggestions out there?
How about virtualization? Binding Samba to a different NIC on the
same system isn't going to provide any benefits from Orange DMZ if the
Samba server is breached. Root is root. Running Samba in a VM on the
server would keep security problems contained.
I can't help you much with Smoothwall as I'm using IPCop. I've got
six NICs for Red, Green, Orange (unused), Blue (public wireless),
Gray1 (family), Gray2 (sandbox for repairing anything with Windows on
it). I haven't set up a public server yet but I'm planning on a web
or game server at some point. I may also set up a RADIUS server with
ToS agreement web page for the public wireless eventually. I can ssh
in using keys and use WoL to start systems remotely. I haven't messed
with TCP/IP tunneling yet but that's next on my list.
The most complicated thing I've done so far is set up a VPN connection
to a company I do work for. I can browse files on their Windows
server and I'm currently using Adobe Illustrator via RDC to a Vista
workstation. It wasn't fast when the system was using XP and Vista
reduced it by half (company mandated upgrade - not a problem as I bill
by the hour).
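Added example for the two layouts discussed above (server on Green with ports forwarded, or one NIC in each zone with Samba bound to the Green side). It is not code from this thread and not part of Smoothwall or IPCop; it is a small audit of the Samba [global] section that reports whether smbd would listen on, or accept clients from, anything outside an assumed internal subnet (192.168.1.0/24 here, a constructed value). The sample smb.conf fragments are constructed. As Jeff notes, binding Samba to the internal NIC limits exposure but does not contain a compromise of the host itself; the check below only tells you whether the exposure limit is actually in place.

```python
"""Audit a Samba [global] section for confinement to the internal (Green) subnet.

Added illustration, not list or project code. Green subnet and smb.conf
fragments below are constructed for the example.
"""
import configparser
import ipaddress

TRUE_WORDS = {"yes", "true", "1"}


def _within(entry, green):
    """True if a Samba address entry lies inside the green subnet.

    Accepts '192.168.1.10', '192.168.1.0/24', '192.168.1.10/255.255.255.0'
    and Samba's prefix form '192.168.1.'.  Loopback is always accepted.
    Returns None for an interface name such as eth1, which cannot be
    checked against a subnet from the config alone.
    """
    if entry.startswith("127."):
        return True
    if entry.endswith("."):
        return str(green.network_address).startswith(entry)
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None  # interface name, not an address
    return net.version == green.version and net.subnet_of(green)


def audit_samba_binding(smb_conf_text, green_cidr="192.168.1.0/24"):
    """Return a list of findings; an empty list means Samba is confined to green."""
    green = ipaddress.ip_network(green_cidr)
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []

    bind = g.get("bind interfaces only", "no").strip().lower() in TRUE_WORDS
    ifaces = g.get("interfaces", "").split()
    allow = g.get("hosts allow", "").split()

    if not bind:
        findings.append("bind interfaces only = no: smbd/nmbd listen on every "
                        "interface, including one facing Orange or Red")
    elif not ifaces:
        findings.append("bind interfaces only = yes but 'interfaces' is empty: "
                        "nothing is actually restricted")
    for entry in ifaces:
        if _within(entry, green) is False:
            findings.append(f"interfaces entry {entry} is outside {green}")

    if not allow:
        findings.append("hosts allow is unset: any host that reaches the "
                        "socket may talk to smbd")
    for entry in allow:
        if entry.upper() == "EXCEPT":
            break  # entries after EXCEPT are denials, not grants
        if _within(entry, green) is False:
            findings.append(f"hosts allow entry {entry} is outside {green}")
    return findings


# Constructed sample: Samba left at defaults on a dual-homed server.
LOOSE = """
[global]
    workgroup = HOME
    server string = file server
[share]
    path = /srv/share
"""

# Constructed sample: bound to loopback and the Green NIC/subnet only.
TIGHT = """
[global]
    workgroup = HOME
    interfaces = 127.0.0.1 eth1 192.168.1.10/24
    bind interfaces only = yes
    hosts allow = 192.168.1. 127.
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for name, text in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, audit_samba_binding(text) or ["ok"])
```

Run it against a real smb.conf by passing the file contents to audit_samba_binding with your own Green subnet; an interface name like eth1 is accepted as-is, so confirm separately (ip addr) that it really is the internal NIC.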