LinuxQuestions.org
07-10-2004, 10:46 PM   #1
sud_crow
Replacing a win2k router/firewall with Linux/BSD, which?


Hi all,

********************************* SHORT VERSION:

I want to replace a Windows 2000 Server with an alternative, more secure and free BSD or Linux distribution. I'm asking which 'distribution' is more suitable for the task of being:

* A router, to connect all the PCs to the ADSL line

* A firewall, to protect the network

* Sharing some files across the network

and if I could use the same PC to provide:

* A mailing server (?) I don't know much about them, what I need is to be able to send internal mails between the office's PCs through the network and fast. (a messenger, I guess, is not suitable as there is the need to attach files, and sending a long instant message and then a file through it is quite ... )

* heavy file and printer sharing possibilities

--
If you want, skip the long story and go to the options below

********************************* LONG STORY:


The server is used as a gateway to an ADSL connection for 50+ PCs, ranging from Pentium 133MHz to Athlon 2000+, this means from Windows 95 to 2000 Pro clients.
The PCs are used for office management, and one of the most important points is the mailing, so if this server can give mailing service it would be much better too, as I could get rid of the other Win 2k with Exchange Inbox on it. The Exchange server box is used for internal mails (to send emails between the offices) and just that, not as a server for outgoing mails.

I'm planning on setting it up on a test PC, don't know the specs yet, but it could be as low as a Pentium 150MHz or as high as a Celeron 1.4GHz. Any recommendations on implementing all the things in the same box?

Is there really a need for a powerful PC to share files across the network, provide printer access and internal mail serving along with routing and firewall?

Do you think it is better to handle the first two points (router and firewall) with a cheap PC such as a Pentium 150MHz and the other two with a more powerful one behind the firewall?


Here I name a few options, and you tell me what you think of them, or if you have one that I don't name, just post about it.

I really don't know much about BSDs, so I can't tell which of the 3 most popular (OpenBSD, NetBSD, FreeBSD) could be the right one, or if there is a Linux distribution ready for the job. I've been looking in www.distrowatch.com, as I always check this site as it's a really nice source of information about the different distributions. I have found several, from LiveCDs to not-free server optimized ones. I only list the free ones, as one of the main points of the change (to the company) is to reduce licence costs.

****************************** OPTIONS:

BSDs:
OpenBSD
NetBSD
FreeBSD

Linux:
Linux LiveCD Router ( http://www.wifi.com.ar/cdrouter.html ) LiveCD, plan to try this first.
Devil-Linux ( http://www.devil-linux.org/product/features.php ) LiveCD
BitDefender Linux LiveCD! ( http://www.bitdefender.com/bd/site/products.php?p_id=40 )
RedWall Linux ( http://redwall.sourceforge.net/ ) LiveCD
TinySofa Linux ( http://www.tinysofa.org/ )
ClarkConnect ( http://www.clarkconnect.com/info/index.html )
OpenWall ( http://www.openwall.com/ )
Gibraltar Firewall ( http://www.gibraltar.at/content/product_download )

Or do you think a more classical distribution such as SUSE, Mandrake, Slackware, Debian or any other 'known' one will do the job without much hassle?

I didn't order the distributions in a particular order. I plan to try them all if I think they are worth it, but this would make the transition much slower, that's why I'm asking your opinion, as I guess I will go with the 'most popular' first and then if I like it, stay with it...

Hope to get some feedback on this, as I really want to carry this on, but I will have to go and tell my boss the whole plan, and have a really nice and convincing one in fact.

Thanks in advance!
 
07-11-2004, 12:01 AM   #2
win32sux
any of the major distros will work for you... i'd recommend slackware, though...

you can find all the info you need to start slacking right here:

http://www.slackware.com/book/

=)


for the firewall/router application on linux, you'd use netfilter/iptables:

http://www.linuxguruz.com/iptables


you might also wanna throw-in a cool web-cache to speed-up web surfing for everyone, while saving bandwidth, and perhaps even do some filtering and stuff:

http://www.squid-cache.org


for the windows server application, you'd use samba:

http://www.samba.org/


as for the mail server, here's some options (there's plenty more, google a bit):

http://www.qmail.org/

http://www.postfix.org/

http://www.sendmail.org/ (not recommended)


if you wanna slap a web-interface on the mail server, try:

http://www.squirrelmail.org/


Last edited by win32sux; 07-11-2004 at 12:10 AM.
 
07-11-2004, 12:03 AM   #3
charon79m
Wow, that's a lot of questions in one post, and I'm not sure if this really falls into this category.

I'll do my best to answer most of them.

First off, any time you're sharing files across the network, and those files are important, you want the most reliable box you can possibly have. When you put other tasks on top of that, such as email, it even further pushes the need for a good box. As to the processing power you will need, I've set up an email/database/web/samba server on a PII 233 recently. It served about 4 users without a hitch; however, in your post you say 50+ PCs. That number sounds high for a low end box, but remember, it really all depends on how much your users are hitting it.

Given your requirements for this box, I'd build it from a nice distro instead of trying to use one of the canned solutions. They're great for the niche for which they were designed, but I've experienced severe growing pains with trying to modify some of the canned solutions.

As to the distro to use, I'm a Debian fan when it comes to my servers. It's just incredibly streamlined during the installation; you only get what you want. That being said though, you're probably going to want to go with something like Redhat/Fedora for ease of use.

As for email, almost all (probably even all) Linux distros have some sort of MTA (sendmail) as well as either a pop3 or imap counterpart. I STRONGLY recommend this site (http://qmailrocks.org) as well as this site (http://www.lifewithqmail.org) for configuring an email server. I personally use the qmailrocks method to build my mail servers, and it provides all the functionality my users want along with some GREAT features. One suggestion, choose one of the sites to follow and do the instructions EXACTLY as they are listed. I've used both Redhat9 and Debian boxes to build these qmail servers and they both have run without issue for quite a long time.

As to your question about task separation, I'm all for that. I'd put the firewall/router on one box, and throw a proxy like Squid on there too. This box could be a rather small box, but I'd look PII and up. If you are doing cache you might want to look into a SCSI hard drive. Then I'd do the file/print/mail/ftp(?)/instant message/whateverelse on a high-end box inside.

Any way you do it, it sounds like a very fun project. I'm happy to assist in any way, and I would be glad to hear from you once you have it installed.

Also, anyone else with this type of a solution in place please email me your success/failure stories (charon_79(at)hotmail.com). I'm in the process of pitching some Linux solutions to the management at my company, and they don't believe it is being used in a production environment in small to medium sized businesses. Even after I tell them I've been running Linux boxes for our own Intrusion Detection/Web Hosting/DNS/Email/FTP/etc. for years they still don't see it. I guess that's why they make the big bucks; it must cost a lot to keep a person with their head up their *$$ alive.

Cheers,

MrKnisely

Last edited by charon79m; 07-11-2004 at 12:04 AM.
 
07-11-2004, 02:01 AM   #4
ppuru
If you can spare a system, even a low end Pentium or a 486, you can use

SmoothWall OR ShoreWall or IPCOP. That will make a dedicated firewall gateway.

You can either leave File and Print Services to Win2K or use Mandrake/Slackware/Fedora to set up your file and print services, dhcp services, etc.
 
07-11-2004, 02:31 AM   #5
chort
You should really separate the firewall/proxy from the file server/e-mail server, for all kinds of reasons. The most important of course is that a firewall should not run anything other than the bare necessities to filter and forward packets.

For the firewall, if you're only going to run a packet filter and you're not going to add a proxy, then a 150MHz Pentium should work fine. If you are going to add a proxy to it, then you want to make sure you have very fast disks, fast data bus, etc... This would require more modern hardware. You'll also want plenty of fast RAM for the proxy (again, this requires modern hardware, like DDR). In either case, you shouldn't need a really fast CPU, but definitely Squid will take more than just the packet filter would. I know a lot of people who run packet filter firewalls on low-end 486 boxes and they work just great.

As for what OS to use for the firewall, it simply does not get any better than OpenBSD. The native packet filter is--simply enough--PF. It's so good that it's been imported into FreeBSD (even though FreeBSD already had two packet filters) and NetBSD (even though it already had one). The OpenBSD team has also added a lot of features that are not available in other Open Source packet filters, such as stateful firewall failover and high availability (built by default, not an add-on patch), and per-user authentication (without allowing login to the box itself).

The file server/e-mail server will get hit by a lot of disk I/O due to its combined duties. You'll definitely want a fairly fast box for that task. Fast disks are essential (preferably in some kind of RAID striping). You'll also want a fast CPU and plenty of RAM. I don't know specifically, but I'm guessing for 50+ file and e-mail clients you would want something like a P4 3GHz or the equivalent AMD CPU.

As for software, Samba runs on just about every free OS in the world. It's bundled with most Linux distros, and it comes in the ports section of all the BSDs. For the e-mail server I would recommend either Postfix, or Qmail (in that order). Sendmail has had too many security flaws and it's bloated and slow. Exim would seem like a reasonable choice, but it's relatively unpopular compared to Postfix and Qmail. That means it's not as well tested as the other two (highlighted by the recent finding of a very serious security flaw in Exim).

Between Postfix and Qmail, postfix comes as a package for most Linux distros and in the ports for all the BSDs. Qmail has a weird license that basically forbids packaging it in an altered form. Since at least a little customization is usually required, very few free OSs bundle it any more. Also, since the author of Qmail (DJB) is very opposed to people tinkering with his creation, he won't accept outside patches. This means that to get a useful and functional installation of Qmail that plays well with other MTAs, you need to install several patches. This is too annoying for some people, especially considering that Postfix requires no such tinkering. Postfix is also much easier to configure and administer in my opinion (having used both), but that's just an opinion.

So what OS to use for the server? Whatever you're comfortable with. Definitely you want to pick something that has an easy way to get and apply security patches, and something with a good track record of getting security fixes out quickly. Other than that, personally I prefer OSs that don't install a lot of bloat out of the box (like most for-fee Linux distros do), but again that's my opinion. I think anything you choose would do reasonably well for this (SuSE, Mandrake, Debian, Slackware, any of the BSDs, etc). Notice that I left out Fedora; I did that on purpose because I don't believe a production environment should be running unstable and experimental releases, which is essentially what Fedora is (the experimental version of the next Red Hat).
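
Added example, not part of any post in this thread: a sketch of the dedicated gateway role the replies describe (filter and forward only, nothing else exposed), using the netfilter/iptables tooling named in post #2. The interface names `ppp0` and `eth0`, the LAN range `192.168.0.0/24` and the SSH admin port are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: print an iptables-restore ruleset for a dedicated NAT gateway.
# Interface names, LAN range and the SSH admin port are assumptions.

gen_gateway_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    # Reject malformed arguments so a typo cannot produce a permissive ruleset.
    for ifc in "$wan" "$lan"; do
        case "$ifc" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    [ "$wan" != "$lan" ] || return 1
    case "$lan_net" in ""|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the office LAN behind the address of the ADSL link.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
# Default deny: anything not matched below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Administration over SSH is reachable from the LAN side only.
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
# Replies to LAN-initiated connections, then new connections LAN to Internet.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; on the gateway the output would be reviewed and
# then loaded with: gen_gateway_rules ppp0 eth0 192.168.0.0/24 | iptables-restore
gen_gateway_rules ppp0 eth0 192.168.0.0/24
```

Forwarding also requires `net.ipv4.ip_forward=1` on the gateway; the ruleset contains no rule that accepts new connections arriving on the WAN interface.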
 