LinuxQuestions.org
03-13-2009, 09:06 AM   #1
jauch
LQ Newbie
 
Registered: Mar 2009
Posts: 6

Rep: Reputation: 0
Two networks at the same time...


Hi!

We have a wireless network at home, with two laptops (one with SuSE 11.1 and one with Kubuntu 8.10) and a PC (with SuSE 11.1). All machines connect via wireless to a wireless router, to which an ADSL modem is connected (via cable).

We are now thinking of using an "old" Mac G4 as a file and backup server, and are looking for the best option to integrate it into our home network.

For now, we're thinking of using a LAN to do this, because all machines have N ports that we aren't using, and we are looking for something that doesn't "overload" the wireless network, and the LAN is faster than our WAN.

So, I'd like to know if making another network (now a LAN) is possible, or whether we'll have any problems with the WAN.

Another question is whether it's possible to use 2 hubs to make this second network. What we would like to do is connect the file server and a notebook to one hub, and the PC and the other notebook to another hub, and then connect the two hubs. We are thinking of doing this because two machines are in one place in the house and the other two will be in another place, and we would like to avoid running many cables. This way, we need to run only one cable from one place to the other (which is acceptable).

Is there another way to do this?

Another thing that concerns me is the security question...
How can we make all machines "see" each other (and the file and backup server) but keep the WAN and LAN networks from "seeing" each other? What can we do to prevent security problems with our files?

And more... Are there other options to do what we want?

Any thoughts are welcome!!!
 
03-14-2009, 02:58 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Does your wireless router have wired ethernet switch ports? Is the router a NAT router & DHCP server? If so, simply connect the G4 directly to the router. The router will connect to the switch port. You could install a wireless NIC card in the G4 instead. What OS do you have on the G4? If it is Linux or OS X, then you can run an NFS server on the G4.

I hope you are using WPA encryption for the wireless hosts. Most routers have switch ports rather than hub ports today. However the wireless side is more like a hub than a switch. All of the traffic is visible to each host, similar to how it would be with wireless hubs.

If your router is a NAT router, then by the nature of how NAT works, it is also a firewall. If you want to offer a service on the internet, such as a web server, you need to forward the port used by the service (e.g. port 80 for a web server) to the computer running the service. Also run a firewall on each machine and only open up ports you need for services you are offering to other computers on the LAN.

---

There are some things you need to do to lock down the router.
  • Change the default username and password for administering the router.
  • Use a strong password on your router.
  • Update the firmware on your router. There could be some security problems if you don't.
  • If possible only allow administration on a wired connection.
  • Use WPA encryption.
  • Use a strong PSK KEY. I use a 32 byte (64 hex digit) random key.

There are things to do on the hosts as well. Apply security patches to your two hosts and the G4 machine. For the G4 file server, only install the minimum necessary; since you are only using it as a fileserver, you don't even need to install xorg on it. Go for a minimum Linux install. When it comes to servers, less is better. The fewer open ports, the fewer services running, the better. The fewer programs installed, the better. Besides presenting a smaller attack surface, you will not have security issues for software that isn't installed. This also means you won't have to patch software as often because you aren't running it.

For a server, consider a dedicated partition for /tmp and /var. Filling up the /var/ (or /var/log/) partition won't fill up the root partition. You can also use the "noexec", "nosuid" and "nodev" options to mount a separate /tmp partition. The /tmp directory is world writable, so you don't want a baddy dumping an executable there. It is still possible for an attacker to run programs there, but they have one more speed bump to deal with, and it makes an automated attack less likely to succeed.

You could install Xorg but not install any window environment or window manager, such as KDE or Gnome, on it. You can ssh into it (ssh -X user@host) and still use a graphic administrative program that the server's distro uses. The X server is on the terminal side, not on the G4 file server. So you can run the fileserver in a non-X mode, e.g. init level 3 for SuSE or Fedora or Mandriva. (Debian & Slackware assign the run levels differently, by the way.) Run the noscript plugin on your firefox web browsers. Enable scripting only for web sites you trust. This can help prevent javascript based exploits. You can probably disable java in your web browsers without any problem.

You will probably run ssh on your hosts. Use the "AllowUsers" option. Use PKA (Public Key Authentication). The instructions for doing so are in the /etc/ssh/sshd_config file, just above the "UsePAM" line. This will protect you from script kiddie brute force attacks against system accounts & common user names. Disallow root logins.

If you forward ssh on your router, to enable logging in from a remote location (work, school, a friend's house), change the port you use for SSH. For most routers you could forward a higher number port to port 22 on the LAN side. You could forward different ports to port 22 on each host to enable logging in to any host you have.


Good Luck.

Last edited by jschiwal; 03-14-2009 at 03:11 AM.
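
The sshd and /tmp hardening advice in the reply above, turned into a small audit script. This is an added example, not part of jschiwal's post: the function names are hypothetical, all sample files are constructed, and it assumes key-only login means `PasswordAuthentication no`.

```shell
#!/bin/sh
# Added example: audits the sshd and /tmp settings recommended in the post.
# Assumption: directives use the "Keyword value" form; only global settings
# (before any Match block) are read. All sample files below are constructed.

sshd_value() {  # $1 = sshd_config path, $2 = keyword; prints the effective value
    # sshd keeps the FIRST value it sees for a keyword; keywords are case-insensitive.
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

audit_sshd() {  # $1 = sshd_config path; prints findings, exit status = their count
    fails=0
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
    [ -n "$(sshd_value "$1" AllowUsers)" ] ||
        { echo "FAIL: no AllowUsers list"; fails=$((fails + 1)); }
    # Assumption: key-only login, so password logins must be switched off.
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; fails=$((fails + 1)); }
    return "$fails"
}

tmp_opts_ok() {  # $1 = fstab-format file; succeeds if /tmp has all three options
    awk '$1 !~ /^#/ && $2 == "/tmp" { opts = "," $4 "," }
         END { exit !(index(opts, ",noexec,") && index(opts, ",nosuid,") &&
                      index(opts, ",nodev,")) }' "$1"
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
printf '%s\n' 'PermitRootLogin no' 'allowusers alice bob' \
    'PasswordAuthentication no' 'PermitRootLogin yes' > "$d/hard.conf"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PubkeyAuthentication yes' > "$d/weak.conf"
printf '%s\n' '/dev/sda3 /tmp ext3 defaults,noexec,nosuid,nodev 0 2' > "$d/fstab.hard"
printf '%s\n' '/dev/sda3 /tmp ext3 defaults,nosuid 0 2' > "$d/fstab.weak"

audit_sshd "$d/hard.conf" && echo "hard.conf: OK"
audit_sshd "$d/weak.conf" || echo "weak.conf: $? finding(s)"
tmp_opts_ok "$d/fstab.hard" && echo "fstab.hard: /tmp OK"
tmp_opts_ok "$d/fstab.weak" || echo "fstab.weak: /tmp is missing options"
```

On a real host, point `audit_sshd` at a copy of /etc/ssh/sshd_config and `tmp_opts_ok` at /proc/mounts to check what is actually in effect.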