With regards to firewalls, the DLink routers may not be suitable for the business. If it is simply providing a gateway to the Internet for your network, and maybe forwarding one or two ports, it'll probably do the job. However, if you need to handle multiple external IP addresses, or create more complex routing rules (allow IPs x, y, and z access to SSH, but no one else), then the DLink routers begin to become unsuitable.
A better option (IMHO) is to put in an IPCop firewall. IPCop is a dedicated Linux system providing firewall and routing capabilities. I've yet to find a situation that IPCop cannot handle. And, you can make use of an old box for this (the computer then becomes ONLY a firewall - the install reformats the drive). As Szemir mentioned in his post, separating the firewall roles from your server roles is a good idea. (It's a good idea to also separate each of the server roles - but that's for performance and better security. You can get by with a single server box to start out and grow as needed.)

It IS possible to have your server behave as the firewall by getting creative with the IPTables rules, but troubleshooting a server problem can be tougher. (Is the server app misconfigured, or are the IPTables rules simply stopping the traffic that makes the server run properly? - this can sometimes be very subtle and tough to find.)

I recently helped a customer move away from a DLink router due to some odd email problems they were having. The DLink was not allowing two-way communication over port 25, even though it was told to forward the port. We put in IPCop, and this problem vanished, and the network performance improved greatly as well (though that is more likely due to the fact we cleaned up the network infrastructure while we were at it).

For remote access, if the distro has SSH installed/started, and you configure your firewall to forward port 22 to the server, you can do SSH sessions from home, or wherever you tell the firewall to allow traffic from. This is a very, very useful tool. I've been able to tweak my own servers remotely, and fix issues at client sites without having to physically go there. The downside is that you tend to do much more command line stuff. SSH can forward X sessions, or you can ignore SSH and set up a VNC server (or FreeNX) and connect with the graphical interfaces.
I find this to be a little inconvenient for myself though - the screen updates can be jerky, or unreliable over a slow or busy connection....

Hope that helps.

Shawn

On Tuesday 20 September 2005 12:51, D Bhardwaj wrote:
> Not a long reply at all. Thanks.
> This is a new install, and SBS was purchased but I can convince the big
> boss to put it on the shelf. :) So, there is no migration, email, etc. It's
> for a startup company.
> Shawn - does that change your response?
> Although the time is of the essence as well - if I could do the basic
> install and then continue with the config from my home (that is the reason
> for remote access requirement), then I could devote a lot more time. As far
> as security goes, there is a dlink router, the server box has 2 nics. Can
> something be done with this setup so negating the need for a separate
> firewall box? Is one distro better than another for firewall?
>
> I am looking to gain from in terms of experience, and deliver to customer a
> good server that hopefully will require little maintenance, will not have
> MS exchange,
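The two points Shawn makes above (forward port 22 through the firewall to the server, but only for the addresses you choose, with the "allow x, y, z and no one else" rule a consumer router cannot express) come together in the rule set below. It is an added example, not code from the mail or from IPCop; it assumes a two-NIC Linux firewall with eth0 facing the Internet and eth1 facing the LAN, and the addresses in the sample call are constructed documentation ranges.

```shell
#!/bin/sh
# Added example (not from the mail above or from IPCop): print an
# iptables rule set for a two-NIC Linux firewall that forwards TCP/22
# from the outside to an internal server ONLY for an allow-list of
# source addresses, and drops every other inbound SSH attempt.
# Assumed names: eth0 = external NIC, eth1 = internal NIC; the
# addresses in the sample call are constructed (documentation ranges).
# Usage: gen_ssh_forward_rules WAN_IF LAN_IF SERVER_IP ALLOWED_SRC...
# The commands are printed rather than run so they can be reviewed
# first; on the firewall itself apply them with:
#   gen_ssh_forward_rules eth0 eth1 192.168.1.10 203.0.113.5 | sh
gen_ssh_forward_rules() {
    wan_if="$1"; lan_if="$2"; server="$3"; shift 3
    [ $# -ge 1 ] || { echo "need at least one allowed source" >&2; return 1; }

    # Replies to connections already accepted pass without further checks.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    for src in "$@"; do
        # Rewrite the destination to the internal server for this source...
        echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 22 -s $src -j DNAT --to-destination $server:22"
        # ...and let the rewritten packet cross from the WAN side to the LAN side.
        echo "iptables -A FORWARD -i $wan_if -o $lan_if -p tcp -d $server --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Everyone else gets no SSH to the server, and the firewall itself
    # accepts no SSH from the outside at all (manage it from the LAN).
    echo "iptables -A FORWARD -i $wan_if -p tcp --dport 22 -j DROP"
    echo "iptables -A INPUT -i $wan_if -p tcp --dport 22 -j DROP"
}

# Sample call: one home address and one client network may reach the
# server at 192.168.1.10 on port 22; nobody else can even see it.
gen_ssh_forward_rules eth0 eth1 192.168.1.10 203.0.113.5 198.51.100.0/24
```

Because the accept rules match on source address before the catch-all drop, an unlisted host never reaches the DNAT step, which is the behaviour the DLink could not provide.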

