Replacing a win2k router/firewall with Linux/BSD, which?
********************************* SHORT VERSION:
I want to replace a Windows 2000 Server with an alternative, more secure and free BSD or Linux distribution. I'm asking which 'distribution' is more suitable for the task of being:
* A router, to connect all the PCs to the ADSL line
* A firewall, to protect the network
* Sharing some files across the network
and if I could use the same PC to provide:
* A mail server (?) I don't know much about them; what I need is to be able to send internal mail between the office's PCs through the network, and fast. (A messenger I guess is not suitable, as there is the need to attach files, and sending a long instant message and then a file through it is quite ...)
* Heavy file and printer sharing possibilities
If you want, skip the long story and go to the options below.
********************************* LONG STORY:
The server is used as a gateway to an ADSL connection for 50+ PCs, ranging from Pentium 133 MHz to Athlon 2000+, which means from Windows 95 to 2000 Pro clients.
The PCs are used for office management, and one of the most important points is the mail, so if this server can give mail service it would be much better too, as I could get rid of the other Win2k with Exchange Inbox on it; the Exchange server box is used for internal mail (to send emails between the offices) and just that, not as a server for outgoing mail.
I'm planning on setting it up on a test PC; I don't know the specs yet, but it could be as low as a Pentium 150 MHz or as high as a Celeron 1.4 GHz. Any recommendations on implementing all the things in the same box?
Is there really a need for a powerful PC to share files across the network, provide printer access and internal mail serving along with routing and firewall?
Do you think it is better to handle the first two points (router and firewall) with a cheap PC such as a Pentium 150 MHz and the other two with a more powerful one, behind the firewall?
Here I name a few options; tell me what you think of them, or if you have one that I don't name, just post about it.
I really don't know much about BSDs, so I can't tell which of the 3 most popular (OpenBSD, NetBSD, FreeBSD) could be the right one, or if there is a Linux distribution ready for the job. I've been looking at www.distrowatch.com, as I always check this site; it's a really nice source of information about the different distributions. I have found several, from LiveCDs to non-free server-optimized ones. I only list the free ones, as one of the main points of the change (for the company) is to reduce licence costs.
Or do you think a more classical distribution such as SUSE, Mandrake, Slackware, Debian or any other 'known' one will do the job without much hassle?
I didn't order the distributions in any particular order; I plan to try them all if I think they're worth it, but this would make the transition much slower. That's why I'm asking your opinion, as I guess I will go with the 'most popular' first and then, if I like it, stay with it...
Hope to get some feedback on this, as I really want to carry this on, but I will have to go and tell my boss the whole plan, and have a really nice and convincing one in fact.
Distribution: Just about anything... so long as it is Debian based.
Wow, that's a lot of questions in one post, and I'm not sure if this really falls into this category.
I'll do my best to answer most of them.
First off, any time you're sharing files across the network, and those files are important, you want the most reliable box you can possibly have. When you put other tasks on top of that, such as email, it further pushes the need for a good box. As to the processing power you will need, I've set up an email/database/web/samba server on a PII 233 recently. It served about 4 users without a hitch; however, in your post you say 50+ PCs. That number sounds high for a low-end box, but remember, it really all depends on how much your users are hitting it.
Given your requirements for this box, I'd build it from a nice distro instead of trying to use one of the canned solutions. They're great for the niche for which they were designed, but I've experienced severe growing pains with trying to modify some of the canned solutions.
As to the distro to use, I'm a Debian fan when it comes to my servers. It's just incredibly streamlined during the installation; you only get what you want. That being said though, you're probably going to want to go with something like Redhat/Fedora for ease of use.
As for email, almost all (probably even all) Linux distros have some sort of MTA (sendmail) as well as either a pop3 or imap counterpart. I STRONGLY recommend this site (http://qmailrocks.org) as well as this site (http://www.lifewithqmail.org) for configuring an email server. I personally use the qmailrocks method to build my mail servers, and it provides all the functionality my users want along with some GREAT features. One suggestion: choose one of the sites to follow and do the instructions EXACTLY as they are listed. I've used both Redhat 9 and Debian boxes to build these qmail servers and they have both run without issue for quite a long time.
As to your question about task separation, I'm all for that. I'd put the firewall/router on one box, and throw a proxy like Squid on there too. This box could be a rather small box, but I'd look at PII and up. If you are doing cache you might want to look into a SCSI hard drive. Then I'd do the file/print/mail/ftp(?)/instant message/whatever else on a high-end box inside.
Any way you do it, it sounds like a very fun project. I'm happy to assist in any way, and I would be glad to hear from you once you have it installed.
Also, anyone else with this type of a solution in place, please email me your success/failure stories (charon_79(at)hotmail.com). I'm in the process of pitching some Linux solutions to the management at my company, and they don't believe it is being used in a production environment in small to medium sized businesses. Even after I tell them I've been running Linux boxes for our own Intrusion Detection/Web Hosting/DNS/Email/FTP/etc. for years they still don't see it. I guess that's why they make the big bucks; it must cost a lot to keep a person with their head up their *$$ alive.
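The dedicated firewall/router box argued for above, written as a ruleset for OpenBSD's PF (the packet filter also recommended later in this thread). This is an added example, not configuration from the thread or from the OpenBSD project. The interface names, the LAN prefix and the admin hosts are assumptions; the syntax is OpenBSD 4.7 or later.

```conf
# /etc/pf.conf -- single-purpose ADSL gateway/firewall for the office LAN.
# Added example, not from the thread. Assumptions: pppoe0 is the ADSL
# (PPPoE) link, em0 faces the office on 192.168.1.0/24, and the two hosts
# in admin_hosts are the administrators' workstations. Syntax is
# OpenBSD 4.7+; 4.6 and earlier spelt NAT as
#   nat on $ext_if from $int_net to any -> ($ext_if)
ext_if      = "pppoe0"
int_if      = "em0"
int_net     = "192.168.1.0/24"
admin_hosts = "{ 192.168.1.10, 192.168.1.11 }"

set skip on lo0
set block-policy drop          # drop silently; no RSTs/ICMP to help scanners

# Reassemble fragments and normalise odd packets before they are filtered.
# max-mss 1440 keeps TCP inside the 1492-byte PPPoE MTU.
match in all scrub (no-df random-id max-mss 1440)

# Hide the whole LAN behind the ADSL address.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny, both directions, every interface. PF uses last-match
# semantics, so each rule below is a deliberate exception to this one.
block all

# Drop packets whose source address belongs on the other interface
# (e.g. a packet claiming a 192.168.1.x source arriving from the ADSL side).
antispoof quick for { $int_if $ext_if }

# Outbound: anything the box or a NATed client sends. State is kept by
# default, so replies return without any "pass in on $ext_if" rule.
pass out quick inet

# LAN clients may start connections through the gateway ...
pass in on $int_if inet from $int_net to any
# ... but not to the gateway itself ("self" = all of the box's addresses),
block in on $int_if inet from $int_net to self
# except SSH from the named admin workstations (last match wins).
pass in on $int_if inet proto tcp from $admin_hosts to ($int_if) port 22

# Deliberately no "pass in on $ext_if": the firewall offers no services to
# the Internet, which is the point of keeping it a single-purpose box.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table. The box only routes once `net.inet.ip.forwarding=1` is set in /etc/sysctl.conf, since OpenBSD ships with forwarding off.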
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
You should really separate the firewall/proxy from the file server/e-mail server, for all kinds of reasons. The most important of course is that a firewall should not run anything other than the bare necessities to filter and forward packets.
For the firewall, if you're only going to run a packet filter and you're not going to add a proxy, then a 150MHz Pentium should work fine. If you are going to add a proxy to it, then you want to make sure you have very fast disks, fast data bus, etc... This would require more modern hardware. You'll also want plenty of fast RAM for the proxy (again, this requires modern hardware, like DDR). In either case, you shouldn't need a really fast CPU, but definitely Squid will take more than just the packet filter would. I know a lot of people who run packet filter firewalls on low-end 486 boxes and they work just great.
As for what OS to use for the firewall, it simply does not get any better than OpenBSD. The native packet filter is, simply enough, PF. It's so good that it's been imported into FreeBSD (even though FreeBSD already had two packet filters) and NetBSD (even though it already had one). The OpenBSD team has also added a lot of features that are not available in other Open Source packet filters, such as stateful firewall failover and high availability (built in by default, not an add-on patch), and per-user authentication (without allowing login to the box itself).
The file server/e-mail server will get hit by a lot of disk I/O due to its combined duties. You'll definitely want a fairly fast box for that task. Fast disks are essential (preferably in some kind of RAID striping). You'll also want a fast CPU and plenty of RAM. I don't know specifically, but I'm guessing for 50+ file and e-mail clients you would want something like a P4 3GHz or the equivalent AMD CPU.
As for software, Samba runs on just about every free OS in the world. It's bundled with most Linux distros, and it comes in the ports section of all the BSDs. For the e-mail server I would recommend either Postfix or Qmail (in that order). Sendmail has had too many security flaws and it's bloated and slow. Exim would seem like a reasonable choice, but it's relatively unpopular compared to Postfix and Qmail. That means it's not as well tested as the other two (highlighted by the recent finding of a very serious security flaw in Exim).
Between Postfix and Qmail, Postfix comes as a package for most Linux distros and in the ports for all the BSDs. Qmail has a weird license that basically forbids packaging it in an altered form. Since at least a little customization is usually required, very few free OSs bundle it any more. Also, since the author of Qmail (DJB) is very opposed to people tinkering with his creation, he won't accept outside patches. This means that to get a useful and functional installation of Qmail that plays well with other MTAs, you need to install several patches. This is too annoying for some people, especially considering that Postfix requires no such tinkering. Postfix is also much easier to configure and administer in my opinion (having used both), but that's just an opinion.
So what OS to use for the server? Whatever you're comfortable with. Definitely you want to pick something that has an easy way to get and apply security patches, and something with a good track record of getting security fixes out quickly. Other than that, personally I prefer OSs that don't install a lot of bloat out of the box (like most for-fee Linux distros do), but again that's my opinion. I think anything you choose would do reasonably well for this (SuSE, Mandrake, Debian, Slackware, any of the BSDs, etc). Notice that I left out Fedora; I did that on purpose because I don't believe a production environment should be running unstable and experimental releases, which is essentially what Fedora is (the experimental version of the next Red Hat).
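The reply above recommends Postfix for the internal-only mail server the original poster described (mail between office PCs, never outbound). Here is a main.cf for that role, as an added example that is not from the thread or from the Postfix project. Hostnames, the LAN prefix, the server's address and the size limit are assumptions; every parameter used is a standard Postfix setting.

```conf
# /etc/postfix/main.cf -- office-internal mail only, no Internet relaying.
# Added example, not from the thread. office.lan, 192.168.1.0/24 and the
# server address 192.168.1.5 are assumptions.
myhostname = mail.office.lan
mydomain   = office.lan
myorigin   = $mydomain

# Accept mail only for this host and the office domain.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# The office LAN is the only trusted client range; nothing else may submit.
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# Listen on the LAN address and loopback only, never on an Internet-facing
# address (belt and braces on top of the separate firewall).
inet_interfaces = 192.168.1.5, 127.0.0.1

# Relay check: LAN clients may submit, everyone else may only address
# recipients in $mydestination. This is what stops the box being an open relay.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Reject unknown local users at SMTP time instead of accepting and bouncing.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# No outbound delivery at all: mail to any other domain is returned to the
# sender with this text rather than handed to the Internet.
relay_domains =
default_transport = error:outside mail is not handled by this server

# Attachment-heavy internal mail (50 MB); adjust to taste.
message_size_limit = 52428800
```

`postfix check` validates the configuration and `postconf -n` prints only the values that differ from the defaults, which is what to review before `postfix reload`. Because `permit_mynetworks` comes first, a LAN client's message to an outside address is accepted at SMTP time and then bounced by the error transport, so the clients get a clear bounce instead of a silent drop; an IMAP or POP3 server is still needed on the same box for the clients to read what Postfix delivers.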