So, is it safe to say then that ICS is suitable for most home network situations? But not suitable for server hosting on a home network?
Either way Darcy, you've just justified the time/pain I spent getting IPTABLES configured... THANKS!!!!!!! (though I still have to lock it down better, and do some logging - but it's working, that's what counts right now)

Shawn

-----Original Message-----
From: Darcy Brodie, CJL [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 19, 2003 6:10 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) Personal experiene: Mandrake 9 on servers via IPTABLES

Shawn Grover wrote:

>But, did you do this through ICS, or via IPTABLES?
>
>-----Original Message-----
>From: Darcy Brodie, CJL [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, January 19, 2003 6:05 PM
>To: [EMAIL PROTECTED]
>Subject: Re: (clug-talk) Personal experiene: Mandrake 9 on servers
>
>Hello all
>   I will comment on this with lots of personal experience (6 MDK boxes
>as firewall / servers in Calgary). Portforwarding is actually very easy
>in versions 8.0 on. I have managed to forward connections from just 1
>remote IP address to an internal IP all the way to the entire internet
>having access to a FTP server behind the firewall.
>
>Darcy
>
>Shawn Grover wrote:
>
>>Did you happen to notice if the ICS will allow port forwarding from the
>>external network to a server on the internal net?
>>
>>In my efforts to build a Linux firewall for my home network, I tried a few
>>of the floppy router packages (specifically Coyote and Freesco). These
>>packages were easy to set up and get going - if I only wanted to share my
>>internet connection with all the pc's on my internal network. However, I'm
>>trying to also host a web/ftp/mail server, so need to allow external
>>requests of an internal server. Unfortunately, the ease of use broke down
>>for these floppy packages once I tried to do port forwarding.
>>
>>End result is that I'm now running RH8 with a minimal server install (no X
>>or other such stuff) - the only extra packages I specifically wanted was
>>Bind and VIM. After some pains trying to learn iptables (I still have a long
>>ways to go...), I have the router I'm after. Just need to fix up my DNS
>>issues now (I'll probably post more on this in the near future - I'm sure
>>I'll need help).
>>
>>So, seeing your post Aaron, I'm curious if port forwarding is an option for
>>ICS?
>>
>>Thanks for any info.
>>
>>Shawn
>>
>>-----Original Message-----
>>From: Aaron J. Seigo [mailto:[EMAIL PROTECTED]]
>>Sent: Saturday, January 18, 2003 11:58 PM
>>To: [EMAIL PROTECTED]
>>Subject: (clug-talk) Personal experiene: Mandrake 9 on servers
>>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Hi...
>>
>>in the last couple weeks some people have asked about sharing internet
>>connections and setting up appropriate security measures on linux machines.
>>
>>well, last night i decided to try out Mandrake 9 as a server. i've never
>>used it for a server before, just desktop stuff, so i was interested in how
>>it would do.
>>
>>and it did wonderfully IMHO, and i would recommend it way above Red Hat for
>>new users looking to set up a server. why? well, connection sharing and
>>security are two good examples:
>>
>>ICS: to set up internet connection sharing you go to the Mandrake Control
>>Center, click on Network and then click on Internet Connection Sharing. this
>>lets you launch a wizard that sets it up for you in 3 easy steps, 2 of which
>>are informative messages letting you know what it is about to do. couldn't
>>be simpler and it worked instantly. now, you can do this by hand of course,
>>but this is often more than a new user is ready to learn and more than a
>>busy person such as myself really cares to deal with.
>>
>>Security settings: Sean Dockery commented how many UNIXes do things such as
>>put su in the wheel group, allowing you to easily control such things, and
>>noted that he hadn't noticed such settings. I replied that since such things
>>are really only appropriate for production servers with sensitive data on
>>them (for everyone else it's just a nuisance ;), most linux distros don't
>>ship with those defaults. Enter MDK9.... I hadn't played much w/Mandrake's
>>security level settings previously, but I decided this time to muck around a
>>bit. By setting the security level to "high", I could control on a
>>user-by-user basis who had access to rpm, su, /etc, service control and
>>more... you can even add your own rules. there is a nice GUI to manage all
>>this in the control center, but behind the scenes it works in a way that
>>will be most familiar to most UNIX admins: namely, su is owned by the wheel
>>group, and similar privsos are put on other resources.
>>
>>so while MDK doesn't allow you to do anything you couldn't do on other
>>distros such as RH, it does make it painfully easy and quick.
>>
>>and the install is quite small, too. w/out any desktop stuff (though i did
>>keep X on there so i can futz around with the control center tools some
>>more) it used 450MB of disk. with a bit of urpme'ing i got that down easily
>>to 380MB. still not the slimmest of the slim, but not bad for a user
>>friendly distro. i'm sure if i ditched the X stuff it would've fallen close
>>to, if not under, 300MB.
>>
>>the urpm[ieq] tools definitely made managing the software a breeze compared
>>to doing it with plain ol' rpm (much like doing things on debian w/out apt
>>is a bother)
>>
>>caveats to MDK9:
>>
>>o since their tools are written in perl and therefore a bit slow and prone
>>to the general shoddiness of script language tools, it seems there are some
>>race conditions. you don't want to be multitasking admin jobs while using
>>their tools, otherwise you may end up hanging apps (e.g. i managed to stall
>>the ICS control panel this way and had to xkill it)
>>
>>o rpmdrake doesn't show ALL the packages installed in the "remove software"
>>control panel. this was annoying since they install a bunch of useless stuff
>>like GNOME libs when i had not asked for them. i didn't want anything more
>>than X + icewm + the MDK utils. things like ORBit didn't show up in the
>>Remove Software panel, but did show up using rpm from the command line. i'm
>>sure there's a way to tweak this (i just haven't looked into it yet), but
>>it's a bit annoying that this is the default mode. bah.
>>
>>o the text mode install is broken beyond belief. many of the steps get
>>missed over, parts of screens (explanatory text and options) are missing,
>>it's confusingly laid out, and there is no obvious way of backing up a step
>>or two. obviously this isn't a priority to MDK, which is unfortunate. i
>>wouldn't recommend installing MDK on a box that can't handle the GUI install
>>mode. but that's ok: i used the GUI install and the system is a paltry P90
>>w/32MB of RAM and an S3 video card w/1MB of VRAM. not a hotrod, but perfect
>>for a firewall / fileserver. the GUI install worked beautifully w/out a
>>hitch.
>>
>>so i'd definitely recommend MDK9 to anyone looking to install and get
>>learning as it really eases the learning curve and shortens the time needed
>>to spend before having something useful...
>>
>>- --
>>Aaron J. Seigo
>>GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
>>
>>"Everything should be made as simple as possible, but not simpler"
>>    - Albert Einstein
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.0.7 (GNU/Linux)
>>
>>iD8DBQE+Kkxh1rcusafx20MRAnmrAJ9u5i/rQ96RCo6xI0QrErHR0+2XSACgippf
>>7VVvF1gesGk36vpGthVcsnw=
>>=qmeN
>>-----END PGP SIGNATURE-----
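
The thread mentions forwarding a port either from a single remote IP or from the whole internet, and wanting to lock the rules down and add logging. The following is an added example, not any poster's configuration: a shell function that prints an `iptables-restore` ruleset for one forwarded TCP port with a default-drop FORWARD policy and rate-limited logging. The function names, interface names (`eth0` external, `eth1` internal) and all addresses are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that forwards ONE tcp port
# to ONE internal server, optionally from a single remote source only.
# Interface names and addresses used here are constructed sample values.

is_ipv4() {  # shape check only: dotted quad with optional /prefix length
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

is_ifname() {  # refuse anything that could smuggle extra rule options
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

gen_portfwd() {  # usage: gen_portfwd EXT_IF INT_IF SERVER_IP PORT [ALLOWED_SRC]
    ext_if=$1; int_if=$2; server=$3; port=$4; src=${5:-}
    is_ifname "$ext_if" && is_ifname "$int_if" && is_ipv4 "$server" || return 1
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
    src_match=
    if [ -n "$src" ]; then       # empty ALLOWED_SRC means "whole internet"
        is_ipv4 "$src" || return 1
        src_match="-s $src "
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $ext_if ${src_match}-p tcp --dport $port -j DNAT --to-destination $server:$port
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -j ACCEPT
-A FORWARD -i $ext_if -o $int_if ${src_match}-d $server -p tcp --dport $port -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Sample run: web server 192.168.1.10 reachable only from 203.0.113.7.
gen_portfwd eth0 eth1 192.168.1.10 80 203.0.113.7
```

Piping the output into `iptables-restore --test` as root parses the ruleset without committing it. Loading it for real replaces the existing nat and filter rules, and the INPUT chain (traffic to the router itself) is left open here and still needs its own rules.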
