linux_firewalls

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.

Subject: Re: Linux (x server) stability 
From: Mark Cohen <markc@binaryfaith.com>
Date: Mon, 10 Jan 2000 17:04:09 -0800 (PST)

When you plug multiple connections into the bridge you are in effect
opening all of those computers up to the outside world. I'm assuming that
you have multiple IPs that flashcom gives you. Not all ISPs freely give
away IP addresses. Putting a linux box between your bridge and network
gives you a firewall/ip forwarding masquerading solution.

This gives you 2 advantages: 1) you can use multiple network configurations
to get lots of machines behind that link (192.168.x.x, 172.x.x.x, etc.).
The other advantage is you have protection for your other computers on the
network.

It's fairly simple to set up. You just need 2 NICs in your linux box. One
connected to the DSL bridge and the other to a switch/hub. Then you create
an ipchains or ipfwadm ruleset and you're set. (For the 2.1 kernel and
before you have to use ipfwadm; for 2.2 and later you have to use
ipchains.) There are even some keen tricks with ipfwadm: you can run kernel
modules that allow specific services (ftp etc.).

On my home network, I have 3 external IPs, all going to the DSL bridge, on
the bridge itself I have a 5 port 10baseT workgroup hub. 2 sparcs are
connected to the hub as well as my linux box. I also have a
100baseT/10baseT auto-negotiating switch. All of the machines are
connected to the switch. (the sparcs and linux box have 2 nics in them
each) I also have 2 windoze boxes plugged into the switch which are behind
the linux box which is doing the ip-forwarding. This way I protect the
windoze boxes and get "free" ip addresses for them.

Hope this sheds some light.... 

-Mark 

On Mon, 10 Jan 2000, Joe Brenner wrote:


"Gerald V. Fontenay" <gvf@abada.org> wrote:

> >Joe Brenner said:
> 
> > If I understand your question, you don't need to route your
> > DSL connection *through* linux.  You get a DSL line from a
> > provider (I'm using Flashcom, though that's not a
> > recommendation: I suspect that they all suck in one way or
> > another).  This phone line comes in, and goes to a bridge
> > router (in my case, a Flowpoint 2200).  I've got several
> > ethernet connections on my bridge router, so I could plug
> > four computers into it directly.  If I wanted more than
> > that, I'd plug a 10BaseT box into this (I've got an old
> > Wisecom here that'll let you split one line into seven, much
> > like a powerstrip adds power connections).  You do need to
> > have ethernet adapters in all of the machines you want to
> > connect... if you're using a PC, you've probably got to
> > install a card (which will most likely use the "tulip"
> > drivers in linux).  Some machines (e.g. the new Macs)
> > come with ethernet jacks built-in.
> 
> Since it _seems_ that your bridge-router-thingie masquerades, is it
> set up so that one of your machines is actually on your isp's net
> with your single ip address? (I assumed from the question that we
> were talking about a single ip xdsl service)
> 
> 'cause this might be important, if you want to run, oh, say, mail, dns,
> www, etc.
> 
> Sounds convenient if that's the case.

Right, I haven't played with this much as of yet, but as I
understand it it's configured so that there's one IP that
the outside world sees, and one IP that's internally
assigned to use as a server.  The Flowpoint bridge/router
can do DHCP, and it's currently set to assign IPs
dynamically to around 18 clients, with the rest of the 223
(I think) addresses reserved for static use.

And yeah, I suppose it is convenient, but it was also a
pain to get it all working.  Their tech support was comatose
for over a month, and they provided no docs on how they
expected it to be set-up... they did however provide some
humongous manuals (in PDF form!) that I spent a lot of time
skimming through without learning much useful.
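
The two-NIC firewall/masquerading box Mark describes at the top of this message, written out as an ipchains ruleset for a 2.2 kernel. This is an added example, not code from either poster: it assumes eth0 faces the DSL bridge, eth1 faces the internal hub/switch, the internal LAN is 192.168.1.0/24, and the external address (EXT_IP) is a placeholder. The script prints the ruleset by default so it can be reviewed before `apply` loads it; the default policy on the outside interface is DENY, anti-spoofing rules reject LAN source addresses arriving from the DSL side, and denied packets are logged with `-l`, which is the "see attempted attacks" point David makes further down the thread. The `ip_masq_ftp` module is the kernel helper for active FTP that Mark alludes to.

```shell
#!/bin/sh
# Added example (not from the post): ipchains ruleset for a two-NIC Linux
# masquerading firewall on a 2.2 kernel.
# Assumptions: eth0 faces the DSL bridge, eth1 faces the internal hub/switch,
# the internal LAN is 192.168.1.0/24, and EXT_IP is a placeholder address.
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24
EXT_IP=${EXT_IP:-203.0.113.10}   # placeholder external address (TEST-NET-3)

# Emit the ruleset as text so it can be reviewed (and diffed) before it is applied.
ipchains_rules() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# local and LAN-side traffic is trusted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT_IF -s $LAN -j ACCEPT
# anti-spoofing: LAN or loopback source addresses must never arrive from the DSL side
ipchains -A input -i $EXT_IF -s $LAN -l -j DENY
ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -l -j DENY
# replies to masqueraded connections come back to the 2.2 masquerade port range
ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 61000:65095 -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -d $EXT_IP 61000:65095 -j ACCEPT
# established TCP (no SYN) and DNS answers for connections the firewall itself opened
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0.0.0.0/0 53 -d $EXT_IP -j ACCEPT
# everything else from outside is dropped and logged
ipchains -A input -i $EXT_IF -l -j DENY
# only the LAN is masqueraded, and only when leaving through the DSL side
ipchains -A forward -i $EXT_IF -s $LAN -j MASQ
EOF
}

# Load the ruleset on a kernel that still has ipchains; refuses cleanly elsewhere.
apply_rules() {
    command -v ipchains >/dev/null 2>&1 || { echo "ipchains not available" >&2; return 1; }
    modprobe ip_masq_ftp             # masquerade helper for active FTP
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains_rules | sh -e
}

# Count rules that end in a given target, so the ruleset can be sanity-checked
# on any host without a 2.2 kernel.
count_target() {
    ipchains_rules | grep -c -- "-j $1\$"
}

if [ "${1:-}" = apply ]; then apply_rules; else ipchains_rules; fi
```

Run it with no arguments to print the rules, or `sh firewall.sh apply` as root on the firewall box. Note that ipchains is stateless: the `! -y` and masquerade-port rules are the closest a 2.2 kernel gets to "allow replies to connections I started", so an outside host can still send unsolicited non-SYN segments at the firewall itself (not the masqueraded LAN hosts).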

===

Subject: Re: Linux (x server) stability
From: David Mandala <dmandala@linuxcare.com>
Date: Wed, 12 Jan 2000 10:11:47 -0800

Yep, assign all of the domain names to a single IP and with newer browsers
they send the name of the domain they wanted. Old browsers confuse the
server and require special handling.

Quoting Joe Brenner (doom@kzsu.stanford.edu):
[snip]
> 
> internal IPs.  (Incidentally: they tell me that there
> are ways you can run multiple websites with just one IP.  I
> guess that this is done by having multiple domain names
> assigned to the same IP, and then somehow Apache then needs
> to check what domain the request was really looking for? 
> Yet another subject I need to RTFM...).
>  

Having a firewall helps control the amount of probing and sniffing people
can do to your machines. Also with a good firewall you can see attempted
attacks and warn about them.

Finally, the most important issue: LESS is MORE. If you have languages
installed on a computer (C, Perl, Python, etc.) you cannot have a secure
machine, because the tools are available to use to develop and install
packages not installed.

A firewall should have installed on it only enough software for the machine
to boot and do its job: packet filtering, IP masquerading, etc. There
should be no languages installed, and only limited shells.

Yep, disgruntled employees are a big problem and well secured machines behind
the firewall are important, but it does not negate the need to secure the
front door. Too many companies leave all of the internal doors open thinking
that they are safe because of a firewall. That is simply poor thinking. I
have visited companies that don't even have root passwords on their internal
boxes because they have a firewall; it's stupid, idiotic, and they deserve
what happens to them.

[snip]
> But if everyone's getting bored with arguing about scripting
> languages, here's another one: aren't firewalls over-rated?
> If you've got a small number of machines administered by one
> person who's being conscientious about promptly installing
> security updates, how much extra security is a firewall
> really going to gain you?  I can imagine some cases where a
> firewall would be required (e.g. if you need to run
> something on your local network with poor security, like say
> NFS, or perhaps worse a Microsoft product...), but I don't
> see why they should be required in general. 
> 
> Notably, Garfinkel & Spafford are somewhat lukewarm on
> firewalls, though I think their point is that they provide a
> false sense of security to large companies, which could
> easily have a bigger problem with disgruntled employees than
> with crackers off the internet.
> 

===
