[mdlug] Replacing D-Link router with Smoothwall box

Tony Bemus tony at bemushosting.com
Wed Oct 1 16:48:34 EDT 2008


I am also using IPcop but it is a simpler setup, just 2 nics, one red
and one green. I use port forwarding for apache and ssh and I don't
have any problems accessing my systems. I also use IPcop as a VPN
server, so I can have full access to my network from a remote location.

So I'm just saying that I think port forwarding will work for what you
need.

Tony
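
As an added example that is not part of the thread: the red-green design Tony and Michael describe (forward only web and mail from red to green, leave Samba reachable from green only) written out as iptables rules. Assumed names: eth0 is red, eth1 is green, 192.168.1.10 is the OpenSuSE server; the functions only print the rules so they can be reviewed before being run as root on the firewall.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Assumed interface names and server address (adjust to the real box).
RED=eth0            # Internet-facing NIC
GREEN=eth1          # internal LAN NIC
SERVER=192.168.1.10 # the Linux server sitting on green

# forward_rule PROTO PORT: print the two rules that expose one service.
# DNAT rewrites the destination to the server; the FORWARD rule admits
# only that port, so nothing else on green becomes reachable from red.
forward_rule() {
    proto=$1
    port=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$RED" "$proto" "$port" "$SERVER" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$RED" "$GREEN" "$proto" "$SERVER" "$port"
}

# ruleset: default-deny forwarding, replies allowed, green may go out,
# and only the two services the thread wants published.
ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $GREEN -o $RED -j ACCEPT"
    forward_rule tcp 80   # Apache
    forward_rule tcp 25   # Postfix
    # Samba (137-139/445) is deliberately absent: it stays green-only.
}

# forwarded_ports: list the ports the ruleset exposes, for a quick review.
forwarded_ports() {
    ruleset | sed -n 's/.*PREROUTING.*--dport \([0-9]*\) .*/\1/p' \
        | tr '\n' ' ' | sed 's/ *$//'
}

# To apply on the firewall (as root), after reviewing the output:
#   ruleset | sh
```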

On Wed, 2008-10-01 at 16:21 -0400, Jeff Hanson wrote:
> On Wed, Oct 1, 2008 at 3:39 PM, Michael ORourke <mrorourke at earthlink.net> wrote:
> > Lug Nuts,
> >
> > I have a small network with a Linux (OpenSuSE 11) server installed.  I am
> > considering replacing the D-Link router with a Smoothwall box (Linux
> > router/firewall).  But after reading up on the Smoothwall docs, I'm not sure
> > of the best way to proceed.  The Linux server is running Samba, Apache, and
> > soon to be running a mail server.  According to the Smoothwall docs, it
> > looks like you would normally put the server in the DMZ (orange network)
> > because it provides external facing services (i.e. web).  But that will
> > cause problems with the Samba services as it will be on a different subnet
> > than the green network (internal clients) and it will require extra ports be
> > opened between the green and orange networks.  Some Google searches have
> > suggested that you NOT put Samba on the orange network.
> 
> It's just a matter of risk management.  If the web server is not
> publicly usable (ssh tunneled, client certificates required, etc.)
> then it's less of a problem on Green as it's less likely to be
> breached.  Orange is primarily for public servers.
> 
> I'm not sure about Samba but I wouldn't have smb or other file sharing
> publicly accessible.  Normally I would use a VPN for those.  But
> having ports forwarded to systems on Green is normal for BitTorrent.
> 
> > Here are a couple of possible solutions.  For one, I'm not going to build a
> > second server with just Apache and Postfix on the orange network (DMZ), that
> > just seems like a waste of resources.  But I could go with a red-green
> > configuration and port forward web & email traffic to the green network
> > (internal), just like the D-Link does now.  Or maybe set up a second nic
> > (eth1) in the server on the green network (internal) and bind samba to that
> > interface and still have eth0 on the orange network (DMZ) protected by the
> > smoothwall box.  Any other suggestions out there?
> 
> How about virtualization?  Binding Samba to a different NIC on the
> same system isn't going to provide any benefits from Orange DMZ if the
> Samba server is breached.  Root is root.  Running Samba in a VM on the
> server would keep security problems contained.
> 
> I can't help you much with Smoothwall as I'm using IPCop.  I've got
> six NICs for Red, Green, Orange (unused), Blue (public wireless),
> Gray1 (family), Gray2 (sandbox for repairing anything with Windows on
> it).  I haven't set up a public server yet but I'm planning on a web
> or game server at some point.  I may also set up a RADIUS server with
> ToS agreement web page for the public wireless eventually.  I can ssh
> in using keys and use WoL to start systems remotely.  I haven't messed
> with TCP/IP tunneling yet but that's next on my list.
> 
> The most complicated thing I've done so far is set up a VPN connection
> to a company I do work for.  I can browse files on their Windows
> server and I'm currently using Adobe Illustrator via RDC to a Vista
> workstation.  It wasn't fast when the system was using XP and Vista
> reduced it by half (company mandated upgrade - not a problem as I bill
> by the hour).
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
