*BSD forum at LinuxQuestions.org: This forum is for the discussion of all BSD variants (FreeBSD, OpenBSD, NetBSD, etc.).
So I used FreeBSD for a short time, and I was immediately sold on BSD. Definitely won me over...and I absolutely LOVED Slackware. So I went looking for something for a server situation and stumbled upon OpenBSD, and I'm quite interested. So here's what I'm thinking for a server running OpenBSD along with network configuration.
I'm by no means a professional, or even an amateur. I absolutely suck and could be wrong on SEVERAL points as I'm just now actually getting into Server/Client services in networking (more familiar with the ease of P2P). And I'm REALLY inexperienced with OpenBSD (haven't installed it yet) and UNIX networking in general.
I run a small network at home with four devices connected at any one time, though those devices may vary and who uses those devices definitely varies. I briefly used Windows Server 2003 (Ugh...I know) and its Domain Controller service mainly to manage users centrally. I'm pretty sure the UNIX equivalent of this is OpenLDAP, but I'm not sure. Confirmation, please? I'm not interested in the advanced features of Active Directory/Domain Controllers (whatever their UNIX equivalents may be) such as standard images, storing user settings, etc... I just want centralized user authentication, and to deny the DHCP service to anyone not authenticated.
So here's my network scheme thus far:
DHCP will assign addresses to clients in the range of 192.168.1.200 - 192.168.1.210. Servers will be assigned to IP addresses above 192.168.1.240.
A single physical server will fulfil the following roles:
DHCP
DNS
Domain Controller (for centralized authentication [again, OpenLDAP, I guess?])
HTTP
FTP
The server will also have SSH enabled for remote administration.
Now, based on what I know from Windows 2003 (again, how I managed is beyond me), I can have a separate IP address configured for each service, even though I have a single NIC installed and wired.
For example, on my Windows Server 2003 machine, I had an IP address of 192.168.1.100 for the DHCP role, 192.168.1.101 for the DNS role, and 192.168.1.102 for the HTTP role.
Now, for my OpenBSD server, I am considering the following:
DHCP/DNS/OpenLDAP all running on 192.168.1.240
HTTP/FTP both running on 192.168.1.245
SSH running on 192.168.1.250.
Can this be done? There is only 1 physical NIC installed and wired, and it's probably going to stay that way. There's no REAL reason for this other than perceived additional security from one of my professors...who is a Windows advocate, so maybe he's wrong. =D According to him, doing something like this prevents other services on the server from being compromised. Is this true?
I'm not asking for any information on HOW to set this stuff up. I can find that on my own, and when I have specific questions I can ask here again. Right now, I just want to know if all of this sounds correct and viable, and for any top-level suggestions.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
There's really not much point in putting different services on different IPs, that's just more Microsoft-based mumbo-jumbo, remember these are the same people who had the "you'll always have a firewall, so we don't need to worry about securing our services" attitude all through the 90's and early 00's. The only time there's any point to having them run on different internal services is if you have to NAT to them from the outside, and your firewall doesn't support port-forwarding (hence you need one external IP for each DNS address). Anyway, never mind that.
There are lots of services that can provide authentication, but it depends on what you're authenticating for. Kerberos is the closest thing to what Windows authentication does, mainly because Microsoft ripped-off and royally screwed up Kerberos for their "NTLM" authentication. Many UNIX services support Kerberos for authentication.
As for not being able to get a DHCP address unless you're authenticated in some way... I've never heard of doing that with ISC dhcpd. I suppose it might be possible, so check the documentation. If you want to deny Internet access until someone authenticates, OpenBSD has a great utility called "authpf" which will wait for a user to ssh to the machine with correct authentication credentials, then it will automatically insert firewall rules that allow them to connect to the Internet. I used that on Windows machines before by scripting PuTTY with a private key for authentication.
OpenBSD can be a great server, and it's hands-down the best firewall OS in the world, but trying to duplicate all the features of a Windows network on UNIX is probably going to prove frustrating.
I'm not trying to duplicate Windows features on UNIX...that would defeat the point of UNIX.
I've never been a Windows advocate, and the only reason I've used Windows Server is because (at my campus) only the Windows networking classes are offered, and the instructor for those classes is always available. I won't be taking those classes, but being able to do something pretty quick and dirty was convenient (for a while).
There are more things than I can count that frustrated me about Windows Server...and that's after only 1 week!
Thanks for clearing up using different internal IP addresses for different services. I secretly figured it was MS mumbo-jumbo...I find it difficult to believe in an OS (especially a server OS) when the (now former) CEO said that the internet was a passing fad.
I'll look into Kerberos and drop the idea of OpenLDAP and Domain Controllers...DCs didn't really interest me and I never saw the real point of them.
As for authpf, it sounds like it's exactly what I was looking for...I was simply under the impression that in order for my system to deny internet access, it would have to be physically set up as follows:
Modem --> Server --> Router/Switch --> Client PCs
which would require 2 NICs in the server...if this is not required, however, I'll definitely be looking into this.
Yes, you need two NICs (unless your PCs support VLAN trunking, which is doubtful). NICs are cheap, though. You can get a very decent modern one for $40, or a previous-generation PCI NIC for $5 at a surplus computer store (or website). If you don't have enough slots in your case, you can get a USB ethernet adaptor and use it for the external interface that plugs into the router/modem/whatever, since the bandwidth to the Internet is a lot less than what the USB adaptor will support anyway.
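The authpf flow described above (a user sshes in, firewall rules appear for the life of that session and vanish when it ends), worked out as an added example that is not any poster's configuration: it uses the two-NIC layout from the reply, hypothetical interface names em0/em1 and a hypothetical user alice, and the pf syntax of the OpenBSD 4.6 era named in the thread (later releases replaced "nat on" with "match ... nat-to").

```conf
# /etc/pf.conf -- OpenBSD 4.6-era syntax. em0/em1 are assumed names;
# 192.168.1.0/24 is the LAN from the original post.
ext_if = "em0"          # towards the modem
int_if = "em1"          # towards the switch and the client PCs
lan    = "192.168.1.0/24"

set skip on lo

# authpf puts each authenticated user's address in this table while the
# ssh session is open and removes it when the session closes
table <authpf_users> persist

# Home NAT: LAN hosts leave the network with the server's external address
nat on $ext_if from $lan to any -> ($ext_if)
nat-anchor "authpf/*"
rdr-anchor "authpf/*"

# Default deny: an unauthenticated client gets nothing past this box
block all

# Clients may always reach the server's own sshd (that is how they
# authenticate) and its DNS; nothing else is forwarded for them
pass in quick on $int_if proto tcp from $lan to $int_if port ssh keep state
pass in quick on $int_if proto { tcp, udp } from $lan to $int_if port domain keep state

# The server itself may go out, and so may traffic authpf has admitted
pass out on $ext_if keep state

# Per-user rules from /etc/authpf/authpf.rules are loaded into this anchor
anchor "authpf/*"

# -----------------------------------------------------------------------
# /etc/authpf/authpf.rules -- loaded by authpf into anchor authpf/<user>(<pid>)
# after a successful login. $user_ip is set by authpf to the address the
# user sshed in from; macros from pf.conf are NOT visible here, so the
# interface is named again.
int_if = "em1"
# Only the authenticated client's address is allowed out; the rule goes
# away with the ssh session, so a shared PC cannot keep using someone
# else's login after they disconnect
pass in quick on $int_if from $user_ip to any keep state

# -----------------------------------------------------------------------
# One-time setup on the server (commands, shown here as comments):
#   touch /etc/authpf/authpf.conf        # must exist, may be empty
#   usermod -s /usr/sbin/authpf alice    # authpf becomes the login shell
#   pfctl -f /etc/pf.conf
# A client then runs "ssh alice@192.168.1.240" and keeps that window open;
# closing it (or the session timing out) drops the client's Internet access.
```

Because the user's shell is authpf rather than a real shell, the ssh login cannot be used to run commands on the server; anyone whose key or password is stolen still only gains the firewall hole, which is why pairing it with key-based ssh authentication (as the earlier reply did with PuTTY) is the usual setup.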
Quote:
There's really not much point in putting different services on different IPs, that's just more Microsoft-based mumbo-jumbo
Not really - it's useful if you want to move a service to a different physical machine without clients knowing it. We use it a lot on AIX and z/OS (where they are called VIPA or DVIPA).
Much easier and quicker imho than changing the DNS "A" record.
Quote:
Originally Posted by uselpa
Not really - it's useful if you want to move a service to a different physical machine without clients knowing it. We use it a lot on AIX and z/OS (where they are called VIPA or DVIPA).
Much easier and quicker imho as changing the DNS "A" record.
Most companies do that with load-balancers.
PS My comment was directed to the OP on the value of using different IPs for a) security and b) in the context of a small home network, neither of which was addressed by your reply. The fact is it's not better security, and there's really no point to do it for a small network with only one server.
You use a load balancer if you have more than one instance of a service. But if you only have one instance, such as in a home network, there's no sense in distributing a load. But you can still want to move a service to a different machine, and then a virtual IP address for your application makes sense.
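For reference, the OP's three-address plan as it would look on OpenBSD, as an added example that belongs to none of the posters: one NIC carrying three addresses, each daemon bound to one of them. The interface name em0 and the config file paths are assumptions (paths are those of the base-system daemons of the OpenBSD 4.6 era); the addresses are the ones proposed in the thread. The comments carry the caveat both replies make: this gives the VIPA-style portability uselpa describes, not isolation between the services.

```conf
# /etc/hostname.em0 -- one NIC, three addresses (em0 is a hypothetical name)
inet 192.168.1.240 255.255.255.0
inet alias 192.168.1.245 255.255.255.255
inet alias 192.168.1.250 255.255.255.255

# /etc/ssh/sshd_config -- sshd answers only on the third address
ListenAddress 192.168.1.250

# /var/named/etc/named.conf, inside "options { ... }" -- DNS on the first
listen-on { 192.168.1.240; };

# /var/www/conf/httpd.conf -- the base-system Apache on the second
Listen 192.168.1.245:80

# What this does and does not buy:
#  - Moving HTTP/FTP to another box later means carrying 192.168.1.245 with
#    it; clients and DNS records do not change (the VIPA argument above).
#  - It is NOT a security boundary: every daemon still shares one kernel,
#    one filesystem, one user database and one pf ruleset. A compromised
#    httpd can still open 192.168.1.240:53 or 192.168.1.250:22 from
#    localhost exactly as before. Separation comes from running each
#    daemon as its own unprivileged user (chroot where the daemon supports
#    it) and from pf rules on who may reach which port, not from the
#    address a daemon listens on.
```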