Network Redesign and Software

Kristijan · 08-23-2006, 04:51 PM

Hi All,

In the process of redesigning my network, want to change it up a bit and make it more secure.

I have the following boxes on my network:

Bart: My desktop machine
Lisa: My sisters machine
Xbox: Xbox
Krusty: LAMP (Linux, Apache, MySQL, PHP) running a few websites
Homer: Fileserver running Linux with Samba

This is how it's all connected...

Code:

Current Network 
--------------- 
 
 
          (Internet) 
              | 
              | 
         (ADSL Modem) 
              | 
              | 
           (Switch) 
              | 
              | 
    --------------------------- 
   |      |      |       |     | 
 (Bart)(Homer)(Krusty)(Lisa)(Xbox)

Below is my proposed network...

Code:

Proposed Network 
---------------- 
 
 
          (Internet) 
              | 
              | 
         (ADSL Modem) 
              | 
              | 
           (Krusty) 
              | 
              | 
           (Switch) 
              | 
              | 
    -------------------- 
   |      |      |     | 
 (Bart)(Homer)(Lisa)(Xbox)

Krusty, being a lower spec machine will turn into a firewall. Either running Smoothwall, or NetBSD with a pf ruleset.

Any comments on this?

Home will still be my fileserver, but at the same time also run my websites. I'm abit worried about doing this, but I am limited to the number of machines I have. I was thinking running NetBSD on it, and having Apache, MySQL and PHP run inside it's own jail, and leave my fileserver to the rest of the machine.

The reason I'm using NetBSD for most of my machines is because I'd like to learn it. I've been a Slackware user for quite some time now, and would have no problem with setting all this up. Just thought it would be a good way to learn something new. Any other recommendations? Would Open or FreeBSD be better suited for this type of thing?

Any comments on the above design/layout and software are greatly appreciated.

Cheers,
-Kristijan

Matir · 08-23-2006, 04:54 PM

Some people may consider it insecure, but I actually host websites off the firewall server. Since the code is all mine and I keep it updated, I consider it fairly secure.

Brian1 · 08-23-2006, 05:13 PM

Unless going to a DMZ setup, I would also host the webserver on the krusty machine. Then use homer as your fileserver. So the only open port to the outside would be 80 for the webserver. Then no ports are forwarded to the lan side. If you forward into the lan then I would run firewall on all machines and open the needed ports to them.

Brian1

Kristijan · 08-23-2006, 05:19 PM

Is it possible to run Smoothwall, but also have a webserver running on the same machine? Last time I played with Smoothwall (going back a few years now) it wasn't possible.

Or am I better off going the BSD option and running a pf ruleset? OpenBSD runs Apache in it's own jail by default correct? Is it possible to put MySQL and PHP into the same jail...or would you leave Apache alone?

-Kristijan

Brian1 · 08-23-2006, 05:39 PM

Haven't used smoothwall but can't see why not. It just requires port 80 open on the external nic if the webserver is runninng on the firewall machine. Might email smoothwall developer and ask the question or check thier help and faq section. Might be a forum over there as well. Might also be able to download the manual or read it online to see what it can do.

Brian1