But, did you do this through ICS, or via IPTABLES?
-----Original Message-----
From: Darcy Brodie, CJL [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 19, 2003 6:05 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) Personal experiene: Mandrake 9 on servers
Hello all
I will comment on this with lots of personal experience (6 MDK boxes
as firewall / servers in Calgary). Port forwarding is actually very easy
in versions 8.0 on. I have managed to forward connections from just 1
remote IP address to an internal IP all the way to the entire internet
having access to an FTP server behind the firewall.
Darcy
Shawn Grover wrote:
>Did you happen to notice if the ICS will allow port forwarding from the
>external network to a server on the internal net?
>
>In my efforts to build a Linux firewall for my home network, I tried a few
>of the floppy router packages (specifically Coyote and Freesco). These
>packages were easy to set up and get going - if I only wanted to share my
>internet connection with all the PCs on my internal network. However, I'm
>trying to also host a web/ftp/mail server, so need to allow external
>requests of an internal server. Unfortunately, the ease of use broke down
>for these floppy packages once I tried to do port forwarding.
>
>End result is that I'm now running RH8 with a minimal server install (no X
>or other such stuff) - the only extra packages I specifically wanted was Bind
>and VIM. After some pains trying to learn iptables (I still have a long
>ways to go...), I have the router I'm after. Just need to fix up my DNS
>issues now (I'll probably post more on this in the near future - I'm sure
>I'll need help).
>
>So, seeing your post Aaron, I'm curious if port forwarding is an option for
>ICS?
>
>Thanks for any info.
>
>Shawn
>
>-----Original Message-----
>From: Aaron J. Seigo [mailto:[EMAIL PROTECTED]]
>Sent: Saturday, January 18, 2003 11:58 PM
>To: [EMAIL PROTECTED]
>Subject: (clug-talk) Personal experiene: Mandrake 9 on servers
>
>
>Hi...
>
>in the last couple weeks some people have asked about sharing internet
>connections and setting up appropriate security measures on linux machines.
>well, last night i decided to try out Mandrake 9 as a server. i've never used
>it for a server before, just desktop stuff, so i was interested in how it
>would do.
>
>and it did wonderfully IMHO, and i would recommend it way above Red Hat for
>new users looking to set up a server. why? well, connection sharing and
>security are two good examples:
>
>ICS: to set up internet connection sharing you go to the Mandrake Control
>Center, click on Network and then click on Internet Connection Sharing. this
>lets you launch a wizard that sets it up for you in 3 easy steps, 2 of which
>are informative messages letting you know what it is about to do. couldn't be
>simpler and it worked instantly. now, you can do this by hand of course, but
>this is often more than a new user is ready to learn and more than a busy
>person such as myself really cares to deal with.
>
>Security settings: Sean Dockery commented how many UNIXes do things such as
>put su in the wheel group, allowing you to easily control such things, and
>noted that he hadn't noticed such settings. I replied that since such things
>are really only appropriate for production servers with sensitive data on
>them (for everyone else it's just a nuisance ;), most linux distros don't
>ship with those defaults. Enter MDK9.... I hadn't played much w/Mandrake's
>security level settings previously, but I decided this time to muck around a
>bit. By setting the security level to "high", I could control on a
>user-by-user basis who had access to rpm, su, /etc, service control and
>more... you can even add your own rules. there is a nice GUI to manage all
>this in the control center, but behind the scenes it works in a way that will
>be most familiar to most UNIX admins: namely, su is owned by the wheel group,
>and similar privsos are put on other resources.
>
>so while MDK doesn't allow you to do anything you couldn't do on other distros
>such as RH, it does make it painfully easy and quick.
>
>and the install is quite small, too. w/out any desktop stuff (though i did
>keep X on there so i can futz around with the control center tools some more)
>it used 450MB of disk. with a bit of urpme'ing i got that down easily to
>380MB. still not the slimmest of the slim, but not bad for a user friendly
>distro. i'm sure if i ditched the X stuff it would've fallen close to, if not
>under, 300MB.
>
>the urpm[ieq] tools definitely made managing the software a breeze compared
>to doing it with plain ol' rpm (much like doing things on debian w/out apt is
>a bother)
>
>caveats to MDK9:
>
> o since their tools are written in perl and therefore a bit slow and prone to
>the general shoddiness of script language tools, it seems there are some race
>conditions. you don't want to be multitasking admin jobs while using their
>tools, otherwise you may end up hanging apps (e.g. i managed to stall the ICS
>control panel this way and had to xkill it)
>
> o rpmdrake doesn't show ALL the packages installed in the "remove software"
>control panel. this was annoying since they install a bunch of useless stuff
>like GNOME libs when i had not asked for them. i didn't want anything more
>than X + icewm + the MDK utils. things like ORBit didn't show up in the
>Remove Software panel, but did show up using rpm from the command line. i'm
>sure there's a way to tweak this (i just haven't looked into it yet), but
>it's a bit annoying that this is the default mode. bah.
>
> o the text mode install is broken beyond belief. many of the steps get missed
>over, parts of screens (explanatory text and options) are missing, it's
>confusingly laid out, and there is no obvious way of backing up a step or
>two. obviously this isn't a priority to MDK, which is unfortunate. i wouldn't
>recommend installing MDK on a box that can't handle the GUI install mode. but
>that's ok: i used the GUI install and the system is a paltry P90 w/32MB of
>RAM and an S3 video card w/1MB of VRAM. not a hotrod, but perfect for a
>firewall / fileserver. the GUI install worked beautifully w/out a hitch.
>
>so i'd definitely recommend MDK9 to anyone looking to install and get
>learning as it really eases the learning curve and shortens the time needed
>to spend before having something useful...
>
>- --
>Aaron J. Seigo
>GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
>
>"Everything should be made as simple as possible, but not simpler"
> - Albert Einstein