
BLU Discuss list archive



Setting up a router in front of my server



On Sat, Apr 02, 2005 at 01:40:01AM -0500, David Kramer wrote:
> I'm reading up on the whole DMZ concept, and it seems like a straight 
> pass-through, so what does that buy you over hooking up the machine 
> straight to the DSL modem?  It means I don't have to configure individual 
> ports to go to my server, but it adds no protection to my server either.

The folks who have produced mass-market router/firewalls have
taken the term "DMZ" and perverted it.

DMZ originally was part of a three-interface firewall concept.
One interface was the outside world, one was the inside, and one
was the DMZ. The inside networks could only communicate with the
DMZ, the outside networks could only communicate with the DMZ,
and the DMZ itself was only open to selected ports.

> /etc/sysconfig/SuseFirewall2 file has "FW_SERVICES_EXT_TCP="8042 993 
> bittorrent ftp ftp-data http https imap imaps ntp pop3 pop3s rsync smtp ssh 
> svn".  I can probably ditch rsync, and 993 is the same thing as imaps I 
> think.  ftp and ftp-data are contiguous so they can go in one entry.  That 
> leaves 13 entries, so I will have to get creative.  Maybe I can get rid of 
> imap, since UW-imap requires imaps anyway. But whatever I do I have to 

993 is imaps. You shouldn't use imap plain or pop3 plain at all.
rsync is carried over ssh in all useful circumstances except
public read-only repositories -- are you running one of those?
svn ought to be running over HTTP/DAV (port 80) if you want a
public repository, or ssh otherwise. What are you using 8042
for?

> I assume I should continue to run SuseFirewall on my server even if it's 
> protected by the router, right?  The router should block everything 
> unwanted, and that would mean I could ease the load of the server quite a 
> bit.  Is it false security to run two firewalls doing pretty much the same 
> thing, or is it a waste of CPU cycles?  At least I can kill the dhcp server 
> and disable masquerading in the firewall.

On a modern processor in a home environment, firewalling generally takes
up an insignificant number of cycles. 

> Last one: So I guess my router will now get my static IP address, and I 
> have to tell my server that its one and only interface is a 192.168.1 
> address, right?  Which is cool, because then I can remove one more card 
> from that system and use just the ethernet jack on the motherboard.

Yes.

> - I'm 99% sure I'm gonna put a Hauppauge PVR-350 card in my server and add 
> MythTV to its list of duties, and I will most likely be watching the 
> content on my laptop elsewhere, so 5X the speed is a good thing.

That's certainly a big chunk of CPU time...

-dsr-

-- 
Nothing to sig here, move along.
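As an added illustration (not part of the thread above), here is the three-interface DMZ policy described in the reply written out as iptables FORWARD rules: inside and outside may each reach the DMZ host on the selected ports, and nothing else is forwarded. The interface names, the DMZ address and the port list are assumptions; the script only prints the commands so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Three-interface DMZ as described in the thread (example, not from the post).
# Interface names and addresses below are assumptions for illustration.
WAN=eth0                     # outside world
LAN=eth1                     # inside network
DMZ=eth2                     # DMZ segment
DMZ_HOST=192.168.2.10        # constructed address of the server in the DMZ
DMZ_PORTS="22 80 443 993"    # the "selected ports" reachable on that host

# Emit one iptables command per line instead of running them, so the
# resulting policy can be inspected (or tested) and then piped into sh as root.
dmz_rules() {
    # Default: forward nothing between any pair of interfaces.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Let replies to already-accepted connections flow back in any direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $DMZ_PORTS; do
        # Inside network -> DMZ host, selected port only.
        echo "iptables -A FORWARD -i $LAN -o $DMZ -d $DMZ_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
        # Outside world -> DMZ host, selected port only.
        echo "iptables -A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # No inside<->outside rule and no rule letting the DMZ open connections:
    # a compromised DMZ host cannot reach the inside network, and inside hosts
    # never talk to the outside except through the DMZ, exactly as described.
}

# Print the rules; with --apply (as root) run them instead.
if [ "$1" = "--apply" ]; then
    dmz_rules | sh
else
    dmz_rules
fi
```

Review the printed rules, then run the script with `--apply` as root to load them (a real home gateway would add an inside-to-outside rule with masquerading, which this policy deliberately omits).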




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org