LinuxQuestions.org - Linux - Networking forum
03-28-2003, 12:53 PM   #1
stealthy1
LQ Newbie
Registered: Mar 2003
Location: Australia
Distribution: Tried Mandrake, Redhat, going to try Debian (Woody) - undecided!
Posts: 9
DNS / Mail / NAT capable modem-router / Linux firewall


Hi folks...

I'm experimenting at the moment with setting up my internal LAN of a few PCs running WinXP. Last month I tried Mandrake MNF8.2 and was quite impressed with the web admin feature but did find it lacked some configuration features like setting up DNS servers and mail servers... I realize that you shouldn't really run too many services on a firewall but I'm not ready to commit $$$ yet on another dedicated server... but open to comments of course.

I don't know if I'm allowed to ask too many things in one thread or if all this is relevant in this forum, but anyway...

Now, I've applied for two domains and they're currently parked on a registrar. I've also just established an ADSL connection to my place and am currently using a NAT-capable modem/router which the ISP recommended, connected to my 10/100 switch with the crossover cable supplied with the modem. Surfing from the Win PC is ok but I'm planning to switch away from this OS - it keeps crashing even after reformatting, etc.

Now, according to the ISP, I am not allowed to connect the modem in Bridge mode, but I just tried connecting it to my test Linux box and via the modem's web admin interface I was able to see that my public IP was detected, although I couldn't even ping anything from the Linux box - firewall I guess. The modem has PPPoE s/w built in (using LLC) and connects via crossover to eth1, which was 192.168.0.2, with the modem at 192.168.0.1 (factory default is 192.168.1.1). All my PCs have static IPs and are connected to the switch in 192.168.1.0/24, and the Linux box has eth0 192.168.1.1. I've created aliases with virtual hosts on eth0 for dns1, dns2, mail, ldap but this is only my fooling around.

Do you think it's ok (security wise) to use the modem's NAT and just use the ISP default config:

[internet]
    |
    |
 [modem]
    |
    |
 [switch]
    |    \
    |     \
   [1]    [2] ... etc


Or is it much more secure to disable the modem's NAT and
hook it up to [1] directly which will be the Linux firewall???

Example:

[internet]
    |
    |
 [modem]
    |
    |
   [1]
    +--------[switch]
                |    \
                |     \
               [2]    [3] ... etc

OR, should I use the first config and create a NAT to [1] only
so that [1] will forward anything good to [2] [3] etc???

Now, what I also want is: say I have mydomain.net and mydomain.com - both will be hosted separately -
mydomain.net will be hosted by my Internal LAN which has a public static IP and mydomain.com I plan to host it with an external company.

I basically won't need services on [1] except - mail, and dns(?)
I may allow VPN for people I trust... but that's for later on.

I want mydomain.com to handle its own mail so that I can use an email like me@mydomain.com - but I also want this server to synchronise/(relay?) to me@mydomain.net. Now, because my ADSL connection may not be permanently on, I want the mail server for mydomain.net to retrieve mail from mydomain.com whenever the ADSL line is up, and if not then mydomain.com should keep the mail until the next retrieval. Now, from my internal LAN, I want everyone to have person@mydomain.net and when they send mail to whomever I guess I can try to alias it as person@mydomain.com - or should I set the mydomain.net mail server to send to mydomain.com and let this mail server send it out (silly? I don't know)

Now, I've looked at various FAQ's HOWTO's on DNS but need more info on actually configuring it for my scenario.

I only have one Public IP so do I need another one for dns server 2? Can I run the DNS server at the same time on the firewall and mail server? Do I have to point the nameservers for mydomain.net to my public IP? or can I just specify my ISP's dns servers? I'm also confused about public IP's and dns entries in the main registry - I read that it was not allowed to use someone else's IP before, but now this restriction is lifted, what exactly does this mean? can I just invent an IP of my own??? Sounds illogical.

What would you recommend as a Linux firewall: Mandrake MNF8.2 / Redhat 8.0 / Debian Woody 3.0 - I've tried to install Suse 7.0 but I only got one CD so I didn't bother with it - whereas the first two had 3 and Debian had 7, although I haven't installed it yet - maybe tonight. Now, I did try installing RH8 but its config utils all depend on X and I didn't want to install X - is Debian the same? I've reinstalled Mandrake at least ten times in the past couple of weeks.

Which one of the above distributions would you recommend for my future dedicated dns/mail/ldap/Intranet proxy-web server?

I think I've covered everything... again, sorry if this thread is too long.

Any help appreciated.
 
03-28-2003, 01:25 PM   #2
david_ross
Moderator
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047
My suggestion would be to get an old box, P233 or thereabouts, with 3 NICs - install smoothwall (http://www.smoothwall.org/) on it and create a DMZ for your web/mail server (personally I would use RedHat). Then use the Green NIC to connect to the LAN switch.

This is closest to your second idea but with the addition of a DMZ.
 
03-29-2003, 03:24 PM   #3
Burke
Member
Registered: Dec 2002
Location: Virginia, USA
Posts: 131
You may consider taking a look at ClarkConnect -- I currently have four domains (Web/E-mail) running on a P200 with 256M RAM. Does the job quite well - it's definitely worth looking at. My company has even implemented this at a client site (small office of less than 20 people).
 
03-31-2003, 08:49 AM   #4
stealthy1
LQ Newbie
Registered: Mar 2003
Location: Australia
Distribution: Tried Mandrake, Redhat, going to try Debian (Woody) - undecided!
Posts: 9
Original Poster
Thanks, David and Burke...

I have installed Smoothwall GPL 1.0 and managed to configure ADSL connectivity... although I had a problem with the modem that my ISP provided - it was originally configured for PPPoE Ethernet Gateway (i.e. not Bridge mode - my ISP doesn't like Bridge mode connections)...

But I decided to try the bridge mode to connect it directly to Smoothwall - as soon as I did that, my modem DIED... but the ISP was very prompt in replacing it the next day though...

So, I didn't want to chance ruining my modem again so I decided to buy a cheap 10/100 switch which I used to connect ONLY the modem and the RED NIC of Smoothwall, the ORANGE NIC is configured but nothing's attached to it at the moment, and the GREEN NIC is connected to another 10/100 switch which connects the rest of my LAN... all NICs on Smoothwall have different networks... well it works for me anyway.

[internet]
    |
    |
 [modem]
    |
    |
 [switch]
    |
    |
    |[RED NIC]
    |
[1-smoothwall]------[ORANGE NIC]
    |                     |
    |             [Future DNS/Mail/WWW]
    |
    |
    |[GREEN NIC]
    |
    |
    +--------[switch Internal LAN]
                |    \
                |     \
               [2]    [3] ... etc

Now, I have a new question:

I intend to get hold of another PC to use as a DNS primary/WWW/MAIL server... But, since I only have a single public IP, and Smoothwall is listening thru modem for this IP for requests to my mail/www/ etc, CAN I use this same IP for my DNS server? as well as WWW/MAIL? Is that allowed in DNS?

I mean, if it is allowed, I'll just forward the DNS request to the private ORANGE network for the multifunction server.

I have to admit I just signed up for a Free DNS service out of curiosity but I'm starting to wonder about how secure these are. I've read about security holes with BIND and I've also seen "djbdns" (I think it's djbdns.org) which is apparently more secure although it's not open source but freely downloadable (correct me if I'm wrong).

Any comments appreciated.

Thanks
 
03-31-2003, 11:49 AM   #5
david_ross
Moderator
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047
Your setup looks fine - if you are only going to have one server on the Orange nic you can just use a crossover cable.

There should be no problem running a DNS server along with a web/mail server.

I'm not sure why you want a DNS server of your own. If you just want to have yourdomain.com pointing to your server then just sign up for the domain and ask the registrar to point to your IP. You do not need a DNS server for this.

With smoothwall you can have different ports of your ip pointing to different servers if you want.
e.g. if your DNS server is 192.168.1.10 then forward port 53 to 192.168.1.10. If your web server is 192.168.1.13 then forward port 80 to 192.168.1.13. If your mail server is 192.168.1.15 then forward port 25 to 192.168.1.15, etc.
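The port forwarding described in the reply above, written out as an iptables ruleset for a three-NIC firewall of the Smoothwall kind (RED towards the modem, ORANGE for the DMZ, GREEN for the LAN). This is an added example, not Smoothwall's own rules or anything posted in the thread: Smoothwall configures the same thing through its web admin, and the script shows what that amounts to underneath. The interface names eth0/eth1/eth2, the DMZ subnet 192.168.2.0/24 and the three DMZ host addresses are assumptions (the servers have to sit on a different network from the 192.168.1.0/24 LAN once they are on ORANGE). The script only prints an iptables-restore ruleset; run it with --apply as root to load it. The posture is the one asked about later in the thread: every chain policy is DROP, a single DNAT plus matching FORWARD rule is opened per published port, and the DMZ is never allowed to initiate connections into the LAN, so a compromised DMZ host stays in the DMZ.

```shell
#!/bin/sh
# Added example (not Smoothwall's own rules): default-deny ruleset for a
# three-NIC iptables firewall that publishes DNS, SMTP and HTTP from one
# public IP to separate DMZ hosts. Interface names, DMZ subnet and DMZ host
# addresses are assumptions for illustration.
set -eu

RED=eth0                  # assumed: towards the modem / Internet
ORANGE=eth1               # assumed: DMZ
GREEN=eth2                # assumed: internal LAN
GREEN_NET=192.168.1.0/24  # LAN subnet used in the thread
DNS_HOST=192.168.2.10     # assumed DMZ hosts, one per published service
WWW_HOST=192.168.2.13
MAIL_HOST=192.168.2.15

NAT_RULES=""
FWD_RULES=""

# publish PROTO PORT HOST: DNAT the public port to HOST and allow exactly
# that new connection RED -> ORANGE. Nothing else from RED is forwarded.
publish() {
    NAT_RULES="${NAT_RULES}-A PREROUTING -i $RED -p $1 --dport $2 -j DNAT --to-destination $3:$2
"
    FWD_RULES="${FWD_RULES}-A FORWARD -i $RED -o $ORANGE -p $1 -d $3 --dport $2 -m state --state NEW -j ACCEPT
"
}

# Print a complete ruleset in iptables-restore format.
build_ruleset() {
    NAT_RULES=""
    FWD_RULES=""
    publish udp 53 "$DNS_HOST"
    publish tcp 53 "$DNS_HOST"     # TCP is needed for large answers and AXFR
    publish tcp 25 "$MAIL_HOST"
    publish tcp 80 "$WWW_HOST"

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    printf '%s' "$NAT_RULES"
    cat <<EOF
-A POSTROUTING -o $RED -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# firewall administration only from the LAN side
-A INPUT -i $GREEN -s $GREEN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate to the Internet and to the DMZ
-A FORWARD -i $GREEN -s $GREEN_NET -o $RED -j ACCEPT
-A FORWARD -i $GREEN -s $GREEN_NET -o $ORANGE -j ACCEPT
# DMZ may reach the Internet, but never initiate into the LAN
-A FORWARD -i $ORANGE -o $RED -j ACCEPT
-A FORWARD -i $ORANGE -o $GREEN -j DROP
EOF
    printf '%s' "$FWD_RULES"
    echo COMMIT
}

if [ "${1:-}" = "--apply" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Two things to keep in mind when using it with the layouts drawn in the thread. Port 53 has to be opened for both UDP and TCP; forwarding UDP alone breaks zone transfers and any answer too large for a UDP datagram. And if the modem keeps doing its own NAT (the first layout, rather than bridge mode), the modem must also forward the same ports to the firewall's RED address, so each published service is forwarded twice, once on the modem and once on the firewall.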
 
03-31-2003, 07:08 PM   #6
stealthy1
LQ Newbie
Registered: Mar 2003
Location: Australia
Distribution: Tried Mandrake, Redhat, going to try Debian (Woody) - undecided!
Posts: 9
Original Poster
Hi, thanks again for replying...

I've already got a domain registered and currently using the free dns service provider which points my allocated free dns servers to my single public IP... I do have a facility to manage my own domain at the registrar I joined.

Now, when I joined the free dns people, I was instructed to point the existing "parked" NS of my domain to their free NS which they allocated to me...

In the registrar domain control panel, I pointed the NS for my domain to these free NS... but I could not see anything about specifying IP for NS for my domain... although I did see an advanced setting for setting up a host dns but it was recommended not to set this up unless you knew what you were doing...

When I do follow your advice in your recent post, and not have my own dedicated DNS server, will other mail servers be able to transact with my future mail server?

Do I need to touch any local DNS config files?

Thanks again
 
04-01-2003, 11:30 AM   #7
david_ross
Moderator
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047
You shouldn't need to do anything with DNS - you shouldn't even need the DNS server installed on your machine - except make sure that the domain points to your IP address and that you have all services, mail/web etc, listening for connections to that domain.

EDIT: Remember to forward your firewall ports.

Last edited by david_ross; 04-01-2003 at 11:32 AM.
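What "make sure the domain points to your IP address" comes down to, whether the records live at the registrar, at a hosted DNS service or on a DNS server of your own, is a zone like the following. It is an added example, not something from the thread, a registrar or a DNS provider: a hypothetical BIND-style zone for mydomain.net in which the nameserver, mail exchanger and web host all resolve to the same single public address. 203.0.113.10 is a documentation address standing in for the real one, and ns1/ns2/mail/www are assumed host names.

```zone
; Added example: hypothetical zone for mydomain.net with every public
; service on one IP. 203.0.113.10 is a documentation address, not a real one.
$TTL 3600
$ORIGIN mydomain.net.
@       IN SOA  ns1.mydomain.net. hostmaster.mydomain.net. (
                2003040101 ; serial, YYYYMMDDnn, bump on every change
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-answer TTL

        IN NS   ns1.mydomain.net.
        IN NS   ns2.mydomain.net.      ; same address as ns1: works, no redundancy
        IN MX   10 mail.mydomain.net.  ; what other mail servers look up to deliver
        IN A    203.0.113.10           ; bare mydomain.net

ns1     IN A    203.0.113.10
ns2     IN A    203.0.113.10
mail    IN A    203.0.113.10
www     IN A    203.0.113.10
```

Three practical points. The MX target must be a name with an A record, not a CNAME, and other mail servers find your mail server only through that MX record, which is why no DNS server of your own is needed for mail to work. If ns1/ns2 are to be your own hosts, their addresses also have to be entered at the registrar as host (glue) records, which is the "advanced host" setting mentioned earlier; if the registry insists on two nameservers on different addresses, a hosted DNS service can serve as the second one. And inside the LAN, a machine resolving mail.mydomain.net gets the public address, so it reaches the DMZ server only if the firewall handles that hairpin, or the LAN resolver answers with the private address instead.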
 
04-01-2003, 06:46 PM   #8
stealthy1
LQ Newbie
Registered: Mar 2003
Location: Australia
Distribution: Tried Mandrake, Redhat, going to try Debian (Woody) - undecided!
Posts: 9
Original Poster
Thanks again...

I did e-mail my registrar requesting my domain to point to my IP but still no response....

I registered with them 'cos they were the cheapest I found and they also didn't require my domain to be hosted by them as well, unlike others I've checked... but there is a drawback though... I can only do basic domain admin and it costs more if I want to edit my zone file directly thru their web interface... it would have probably cost the same thing registering elsewhere - one I remember responded telling me they can create any hosts in my domain all pointed to my IP - no probs... I think this time I shouldn't have been a cheapskate... he he he.

EDIT: Just had a thought...

When I get my dedicated multifunction server, can I use the Squid (or whatever there is) to enable content/URL filtering instead of the one on Smoothwall GPL, since I don't see an easy way thru admin to set this up... unlike say Mandrake 8.2 Multinetwork Firewall which came with Squid if I remember and had a web admin to set this up...

Are the default Smoothie rules ok? Just assume everything is blocked and just open up what I need and forward?


Last edited by stealthy1; 04-01-2003 at 07:51 PM.
 
04-01-2003, 07:43 PM   #9
stealthy1
LQ Newbie
Registered: Mar 2003
Location: Australia
Distribution: Tried Mandrake, Redhat, going to try Debian (Woody) - undecided!
Posts: 9
Original Poster
ClarkConnect - Note to Burke

A note to Burke... I had a play with Clarkconnect but in order for you to see the DNS settings you had to at least register with them for free or pay for advanced DNS services allowing you to point to a customised domain instead of a generic subdomain thru their domain etc...

It wasn't as easy to get internet working - I still can't connect and I've double checked everything, even the firewall rules.... I can't even reset the IP of the Internet NIC / gateway / DNSs to forward to etc... I chose Ethernet connection to Internet 'cos my modem logs in for me and there is already an Ethernet connection from the modem which I set as default gateway when installing... the webmin is ok though.. but I think I'd rather install a normal distribution and read the FAQs and HOWTOs to set up the services I want - unless RedHat provides X-admin (I couldn't check that last time 'cos my P166 48M RAM only had 3 PCI slots and all are occupied by NICs and I couldn't put in my PCI TNT2 video card, so I had to use a 1986 OAK ISA VGA which Redhat didn't like when it tried to load X on first login...

Anyway, I'm expecting another PC sometime maybe a Duron which I can use my TNT2 on...

Clarkconnect - just a quick look at the webmin interface looked easy to configure mail/postfix/imap/samba/cups etc or does RedHat 8.0 have this also???

Thanks anyway
 
04-01-2003, 08:35 PM   #10
Burke
Member
Registered: Dec 2002
Location: Virginia, USA
Posts: 131
Redhat & Mandrake both come with Webmin. I like mentioning ClarkConnect because I've found it to be quite simple to get up & running (under an hour on a P200) with most services generally needed for a SOHO. For the four domains I have, I'm using a FREE DNS service rather than paying anyone or attempting to configure Bind on my own. I like it that way, simple web interface for managing domains.

Anyway, I'm sure you'll do fine with Redhat or Mandrake as your server.
 
  

