LinuxQuestions.org
Old 06-04-2008, 09:46 PM   #1
lifeforce4
Member
 
Registered: May 2003
Location: 2:16:840
Distribution: Slackware, CentOS, RedHat, Xubuntu
Posts: 169
Blog Entries: 1

Rep: Reputation: 32
Question Setting up this way a good or bad idea?


I am building a box that I want as a storage server for all my files. Then I had the idea of using it as a web server and also network monitor/firewall. I have seen a system running IPCop, and what was explained to me at the time seemed like really nice security features. What do you guys think about running Samba and Apache on a system also running IPCop? This is only a maybe; I have an old system I will try IPCop on first as a standalone, and the server will just be Samba and Apache.

Thanks,
Kyle
 
Old 06-05-2008, 12:38 AM   #2
nolinuxnollife
Registered User
 
Registered: Jan 2005
Location: india
Distribution: RedHat and Madrake
Posts: 55
Blog Entries: 1

Rep: Reputation: 15
You can run as many services as you want on a firewall machine (IPCop in your case) if the data is not at all important for you.
A firewall machine acts as a landing point to any LAN to secure the corporate data.

In your case, if you block ports and unauthorised access with proper tcp-wrappers, PAM, iptables, it can act very well for all your purposes.

thank you
mahen
 
Old 06-05-2008, 07:41 AM   #3
lifeforce4
Member
 
Registered: May 2003
Location: 2:16:840
Distribution: Slackware, CentOS, RedHat, Xubuntu
Posts: 169
Blog Entries: 1

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by nolinuxnollife
You can run as many services as you want on a firewall machine (IPCop in your case) if the data is not at all important for you.
A firewall machine acts as a landing point to any LAN to secure the corporate data.

In your case, if you block ports and unauthorised access with proper tcp-wrappers, PAM, iptables, it can act very well for all your purposes.

thank you
mahen
I never really heard of anyone putting data on a firewall machine before which is why I asked. Would it be just as secure as if the firewall was its own box and the data server is connected by a switch? Assuming the firewall is configured the same for both setups.

Thanks,
Kyle
 
Old 06-05-2008, 08:10 AM   #4
mickza
Member
 
Registered: Mar 2005
Location: South Africa
Distribution: Centos, Fedora, Ubuntu desktop, IPCop
Posts: 168

Rep: Reputation: 33
My preference is to run a dedicated firewall / router like IPCop as a separate system. I just think it makes more sense this way.
 
Old 06-05-2008, 08:49 AM   #5
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197
There are no issues running an all-in-one type of machine instead of running multiple machines to do one task. It's your setup, do as you wish that suits you best. Now in a corporate world, running a file server on your firewall with a lot of traffic just wouldn't make sense really.
 
Old 06-05-2008, 08:56 AM   #6
DotHQ
Member
 
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 542

Rep: Reputation: 33
Quote:
Originally Posted by trickykid
There are no issues running an all-in-one type of machine instead of running multiple machines to do one task. It's your setup, do as you wish that suits you best. Now in a corporate world, running a file server on your firewall with a lot of traffic just wouldn't make sense really.
Ditto what TK said.
Just watch your load average and response time. That will tell you if you've overloaded the server.
(uptime / top / or sar all will show you load average. The default sar setup on many systems will collect load average stats every 10 minutes, so you can see how it is performing for the entire day.)
 
Old 06-05-2008, 08:34 PM   #7
lifeforce4
Member
 
Registered: May 2003
Location: 2:16:840
Distribution: Slackware, CentOS, RedHat, Xubuntu
Posts: 169
Blog Entries: 1

Original Poster
Rep: Reputation: 32
Thanks for all the advice. I personally worried about compromises having other things running on the box besides a firewall. It's just more opportunities to have a glitch somewhere. I have an old 366 (oc 450MHz) Cele with 576MB and 20 GB drive. I think I will use that solely for a firewall then have my file server on my switch.

Thanks,
Kyle
 
Old 06-08-2008, 03:24 PM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
I think you're doing the right thing, & it's not just loading, it's also security. The idea is that the fewer services running & applications installed, the fewer places for bad guys to infiltrate. SmoothWall Express (the original parent of IPCop) doesn't even install man & the man pages -- just 1 less thing to patch.

IPCop is designed to have a 3rd NIC, the "Orange" interface, to put your server on in a DMZ. You also put it on your LAN & port forward to it.
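
The "fewer services, fewer places to infiltrate" point can be checked on a combined firewall/Samba/Apache box by listing which listening sockets are bound to the Internet-facing (Red) address or to all interfaces. This is an added example, not part of any post in this thread; the `ss -tln` sample output, the Red address and the allowed-port policy are constructed assumptions.

```python
# Constructed sample of `ss -tln` output from a hypothetical all-in-one box
# (firewall + Samba + Apache). Addresses are private/documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      50     0.0.0.0:139         0.0.0.0:*
LISTEN 0      128    192.168.1.1:80      0.0.0.0:*
LISTEN 0      128    203.0.113.10:80     0.0.0.0:*
LISTEN 0      32     127.0.0.1:53        0.0.0.0:*
"""

RED_ADDR = "203.0.113.10"   # assumed Internet-facing (Red) address
ALLOWED_ON_RED = {80}       # assumed policy: only the web server is public


def parse_listeners(ss_output):
    """Return a list of (address, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header and any malformed line
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def reachable_on_red(listeners, red_addr=RED_ADDR):
    """Ports bound to the Red address or to a wildcard (all interfaces)."""
    wildcard = {"0.0.0.0", "*", "::"}
    return sorted({p for a, p in listeners if a == red_addr or a in wildcard})


def unexpected_on_red(listeners, allowed=ALLOWED_ON_RED, red_addr=RED_ADDR):
    """Ports that only the packet filter keeps away from the Internet."""
    return [p for p in reachable_on_red(listeners, red_addr) if p not in allowed]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS)
    print("bound on Red or wildcard:", reachable_on_red(found))
    print("protected by iptables alone:", unexpected_on_red(found))
```

On a dedicated firewall the second list should be empty; on the combined box the Samba ports show up in it, so a single mistake in the filter rules exposes the file shares.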
 
Old 06-08-2008, 08:47 PM   #9
lifeforce4
Member
 
Registered: May 2003
Location: 2:16:840
Distribution: Slackware, CentOS, RedHat, Xubuntu
Posts: 169
Blog Entries: 1

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by archtoad6
I think you're doing the right thing, & it's not just loading, it's also security. The idea is that the fewer services running & applications installed, the fewer places for bad guys to infiltrate. SmoothWall Express (the original parent of IPCop) doesn't even install man & the man pages -- just 1 less thing to patch.

IPCop is designed to have a 3rd NIC, the "Orange" interface, to put your server on in a DMZ. You also put it on your LAN & port forward to it.
Oh, so IPCop is a child to Smoothwall; I did not know that. I knew about Smoothwall (never saw or used it) and never heard of IPCop until I came back from South Africa. Which do you recommend would be better? I most likely will use NAT for the server and the PAT to the different computers with my router and switch. This server would be a website server as well as LAN file server. That is kinda nice to have a separate NIC for a DMZ. Which one would you recommend, since I don't really know the differences between the two?

Thanks,
Kyle

Last edited by lifeforce4; 06-08-2008 at 08:57 PM.
 
Old 06-09-2008, 02:13 AM   #10
mickza
Member
 
Registered: Mar 2005
Location: South Africa
Distribution: Centos, Fedora, Ubuntu desktop, IPCop
Posts: 168

Rep: Reputation: 33
Smoothwall provides licensed & open source versions of their firewall; see http://download.smoothwall.net/pdf/F...Comparison.pdf for features.

IPCop is totally open source with many 3rd party addons which sometimes break when an IPCop update is released, which is why I usually let the dust settle before updating my sites.

Your proposed box specs sound fine for either (ignore any comments you might see about running on 486 boxes with 32Mb memory).

I run BLUE, ORANGE and GREEN on my IPCops with OpenVPN net to net linking them all - works great with very little maintenance required.

Last edited by mickza; 06-09-2008 at 02:16 AM. Reason: missed reference to ORANGE
 
Old 06-09-2008, 05:48 AM   #11
lifeforce4
Member
 
Registered: May 2003
Location: 2:16:840
Distribution: Slackware, CentOS, RedHat, Xubuntu
Posts: 169
Blog Entries: 1

Original Poster
Rep: Reputation: 32
Thank you for the explanations. I did know that much about Smoothwall, just heard its name before. That is also something good to know, that sometimes addons in IPCop bomb out with new updates. I guess I will learn as I set it up; should not be too difficult.

Thanks again,
Kyle
 
Old 06-09-2008, 07:06 AM   #12
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
My Background
I have been using SmoothWall Express (=free) 2.0 for 4 or 5 years. Although there are community add-ons, I made a KISS & security policy not to mess w/ them. The only thing I edit is dnsmasq.conf, & that only to block undesirable domains like ad sources.

I have a test SmoothWall Express (=free) 3.0 up, but run only 1 box through it. I like its installer & web interface better (than 2.0), & I will very much like the new features in dnsmasq.conf syntax that come w/ the newer ver. of dnsmasq that is included. They have changed the color code for wireless to Purple (see chart below). Normally, I would complain that that is confusing; but in this case, I always thought that Blue sounds too "trusted" for wireless.

I have done test installs of IPCop, but I haven't really used it yet.

When I said that SmoothWall is "the original parent of IPCop", I used the word "original" because since the fork some years ago, I understand they have replaced all the original SmoothWall code -- it is now based on LFS.

Some Differences
IIRC, I have a picky complaint about the way the IPCop installer deals w/ choosing the interfaces, but that is minor.
SmoothWall 3's limited outbound traffic control is intriguing.
IPCop is Open Source, indeed GPL 2.
IPCop's add-ons (to me) are part of the main project.

Conclusion
I don't have enough experience yet w/ IPCop to pick between them.

Wikipedia links
IPCop
SmoothWall

Firewall Interface Color Code Chart
Code:
Interface    IPCop & SW2   SmoothWall 3
LAN (wired)     Green        Green  
DMZ             Orange       Orange
Internet        Red          Red
Wireless        Blue         Purple

BTW, mickza, thanks for the link.
 
  

