via IPTABLES
Shawn Grover wrote:
But, did you do this through ICS, or via IPTABLES?
-----Original Message-----
From: Darcy Brodie, CJL [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 19, 2003 6:05 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) Personal experience: Mandrake 9 on servers
Hello all
I will comment on this with lots of personal experience (6 MDK boxes
as firewall / servers in Calgary). Port forwarding is actually very easy
in versions 8.0 on. I have managed to forward connections from just 1
remote IP address to an internal IP all the way to the entire internet
having access to an FTP server behind the firewall.
Darcy
Shawn Grover wrote:
Did you happen to notice if the ICS will allow port forwarding from the
external network to a server on the internal net?
In my efforts to build a Linux firewall for my home network, I tried a few
of the floppy router packages (specifically Coyote and Freesco). These
packages were easy to set up and get going - if I only wanted to share my
internet connection with all the pc's on my internal network. However, I'm
trying to also host a web/ftp/mail server, so need to allow external
requests of an internal server. Unfortunately, the ease of use broke down
for these floppy packages once I tried to do port forwarding.
End result is that I'm now running RH8 with a minimal server install (no X
or other such stuff) - the only extra packages I specifically wanted were
Bind and VIM. After some pains trying to learn iptables (I still have a long
ways to go...), I have the router I'm after. Just need to fix up my DNS
issues now (I'll probably post more on this in the near future - I'm sure
I'll need help).
So, seeing your post Aaron, I'm curious if port forwarding is an option for
ICS?
Thanks for any info.
Shawn
-----Original Message-----
From: Aaron J. Seigo [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 18, 2003 11:58 PM
To: [EMAIL PROTECTED]
Subject: (clug-talk) Personal experience: Mandrake 9 on servers
Hi...
in the last couple weeks some people have asked about sharing internet
connections and setting up appropriate security measures on linux machines.
well, last night i decided to try out Mandrake 9 as a server. i've never
used it for a server before, just desktop stuff, so i was interested in how
it would do.
and it did wonderfully IMHO, and i would recommend it way above Red Hat for
new users looking to set up a server. why? well, connection sharing and
security are two good examples:
ICS: to set up internet connection sharing you go to the Mandrake Control
Center, click on Network and then click on Internet Connection Sharing.
this lets you launch a wizard that sets it up for you in 3 easy steps, 2 of
which are informative messages letting you know what it is about to do.
couldn't be simpler and it worked instantly. now, you can do this by hand of
course, but this is often more than a new user is ready to learn and more
than a busy person such as myself really cares to deal with.
Security settings: Sean Dockery commented how many UNIXes do things such as
put su in the wheel group, allowing you to easily control such things, and
noted that he hadn't noticed such settings. I replied that since such
things are really only appropriate for production servers with sensitive
data on them (for everyone else it's just a nuisance ;), most linux distros
don't ship with those defaults. Enter MDK9.... I hadn't played much
w/Mandrake's security level settings previously, but I decided this time to
muck around a bit. By setting the security level to "high", I could control
on a user-by-user basis who had access to rpm, su, /etc, service control and
more... you can even add your own rules. there is a nice GUI to manage all
this in the control center, but behind the scenes it works in a way that
will be most familiar to most UNIX admins: namely, su is owned by the wheel
group, and similar privsos are put on other resources.
so while MDK doesn't allow you to do anything you couldn't do on other
distros such as RH, it does make it painfully easy and quick.
and the install is quite small, too. w/out any desktop stuff (though i did
keep X on there so i can futz around with the control center tools some
more) it used 450MB of disk. with a bit of urpme'ing i got that down easily
to 380MB. still not the slimmest of the slim, but not bad for a user
friendly distro. i'm sure if i ditched the X stuff it would've fallen close
to, if not under, 300MB.
the urpm[ieq] tools definitely made managing the software a breeze compared
to doing it with plain ol' rpm (much like doing things on debian w/out apt
is a bother)
caveats to MDK9:
o since their tools are written in perl and therefore a bit slow and prone
to the general shoddiness of script language tools, it seems there are some
race conditions. you don't want to be multitasking admin jobs while using
their tools, otherwise you may end up hanging apps (e.g. i managed to stall
the ICS control panel this way and had to xkill it)
o rpmdrake doesn't show ALL the packages installed in the "remove software"
control panel. this was annoying since they install a bunch of useless
stuff like GNOME libs when i had not asked for them. i didn't want anything
more than X + icewm + the MDK utils. things like ORBit didn't show up in the
Remove Software panel, but did show up using rpm from the command line. i'm
sure there's a way to tweak this (i just haven't looked into it yet), but
it's a bit annoying that this is the default mode. bah.
o the text mode install is broken beyond belief. many of the steps get
missed over, parts of screens (explanatory text and options) are missing,
it's confusingly laid out, and there is no obvious way of backing up a step
or two. obviously this isn't a priority to MDK, which is unfortunate. i
wouldn't recommend installing MDK on a box that can't handle the GUI install
mode. but that's ok: i used the GUI install and the system is a paltry P90
w/32MB of RAM and an S3 video card w/1MB of VRAM. not a hotrod, but perfect
for a firewall / fileserver. the GUI install worked beautifully w/out a
hitch.
so i'd definitely recommend MDK9 to anyone looking to install and get
learning as it really eases the learning curve and shortens the time needed
to spend before having something useful...
--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
"Everything should be made as simple as possible, but not simpler"
- Albert Einstein