dsr at tao.merseine.nu wrote:
> On Sat, Apr 02, 2005 at 01:40:01AM -0500, David Kramer wrote:
>> I'm reading up on the whole DMZ concept, and it seems like a straight
>> pass-through, so what does that buy you over hooking up the machine
>> straight to the DSL modem? It means I don't have to configure individual
>> ports to go to my server, but it adds no protection to my server either.
>
> The folks who have produced mass-market router/firewalls have
> taken the term "DMZ" and perverted it.
>
> DMZ originally was part of a three-interface firewall concept.
> One interface was the outside world, one was the inside, and one
> was the DMZ. The inside networks could only communicate with the
> DMZ, the outside networks could only communicate with the DMZ,
> and the DMZ itself was only open to selected ports.

OK, that's the way I remember it from The Boston Phoenix. That explains
why I was confused.

>> /etc/sysconfig/SuseFirewall2 file has "FW_SERVICES_EXT_TCP="8042 993
>> bittorrent ftp ftp-data http https imap imaps ntp pop3 pop3s rsync smtp ssh
>> svn". I can probably ditch rsync, and 993 is the same thing as imaps I
>> think. ftp and ftp-data are contiguous so they can go in one entry. That
>> leaves 13 entries, so I will have to get creative. Maybe I can get rid of
>> imap, since UW-imap requires imaps anyway. But whatever I do I have to
>
> 993 is imaps. You shouldn't use imap plain or pop3 plain at all.
> rsync is carried over ssh in all useful circumstances except
> public read-only repositories -- are you running one of those?
> svn ought to be running over HTTP/DAV (port 80) if you want a
> public repository, or ssh otherwise. What are you using 8042

I was using rsync for a project a while ago, but no longer. I'm running
http://www.fitnesse.org on 8042. I can move that to any port though, so
maybe I'll run it on 81 and put it in the same range as http. I can't run
svn over http because that only works with apache2, and I'm still on 1.3.
When Suse 9.3 comes out I'll upgrade to apache2.

>> I assume I should continue to run SuseFirewall on my server even if it's
>> protected by the router, right? The router should block everything
>> unwanted, and that would mean I could ease the load of the server quite a
>> bit. Is it false security to run two firewalls doing pretty much the same
>> thing, or is it a waste of CPU cycles? At least I can kill the dhcp server
>> and disable masquerading in the firewall.
>
> On a modern processor in a home environment, firewalling generally takes
> up an insignificant number of cycles.

I figured as much.

>> - I'm 99% sure I'm gonna put a Hauppague PVR-350 card in my server and add
>> MythTV to its list of duties, and I will most likely be watching the
>> content on my laptop elsewhere, so 5X the speed is a good thing.
>
> That's certainly a big chunk of CPU time...

That card has hardware encoding, so it shouldn't be all that bad. My server
usually sits at >95% idle now, so I figure it should still run acceptably.
I'm no longer using it as my main workstation either (I sit at my Thinkpad
most of the time), so if performance gets a little slow in bursts it's only
noticeable through IMAPS (I am *so* moving from uw_imap to courier in suse
9.3). I would prefer not to have two computers running 24/7 for power and
heat reasons. Otherwise I would definitely have set up a separate MythTV box
in the office and thrown the server into the basement (which would also
solve all my cooling problems). It may come to that though.

Thanks.
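The following is an added example, not code from the thread or from either poster. It models the two meanings of "DMZ" discussed above as policy functions: the classic three-interface design dsr describes (inside talks only to the DMZ, outside talks only to the DMZ, the DMZ is open only on selected ports) beside the consumer-router "DMZ host" setting that passes every inbound port through unfiltered. It also coalesces a port list into contiguous ranges, which is the trick the thread uses for ftp/ftp-data to save forwarding entries. The service-to-port table is constructed from the FW_SERVICES_EXT_TCP names quoted in the thread using standard IANA numbers; the name "fitnesse" for 8042 and the rule that DMZ hosts may open connections outward are assumptions, not something the thread states.

```python
"""Added example (not from the thread): classic three-interface DMZ policy
versus a consumer router's "DMZ host" pass-through, plus port-range
coalescing for a router with a limited number of forwarding entries."""

INSIDE, DMZ, OUTSIDE = "inside", "dmz", "outside"

# Constructed service table (standard IANA TCP assignments). The names come
# from the FW_SERVICES_EXT_TCP line quoted in the thread; "fitnesse" is an
# assumed label for the 8042 port mentioned there, used only for readability.
SERVICE_PORTS = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80,
    "pop3": 110, "imap": 143, "https": 443, "rsync": 873,
    "imaps": 993, "pop3s": 995, "fitnesse": 8042,
}

# Services that remain after dsr's advice: plaintext imap/pop3 dropped,
# rsync dropped because it is no longer used, the bare 993 folded into imaps.
PUBLIC_SERVICES = ("ftp-data", "ftp", "ssh", "smtp", "http", "https",
                   "imaps", "pop3s", "fitnesse")


def public_ports(services=PUBLIC_SERVICES):
    """Resolve service names to the set of TCP ports the DMZ host exposes."""
    return {SERVICE_PORTS[name] for name in services}


def classic_dmz_allows(src_zone, dst_zone, dst_port, exposed=None):
    """Decide whether a NEW TCP connection src_zone -> dst_zone:dst_port is
    permitted by the three-interface policy described in the thread."""
    exposed = public_ports() if exposed is None else exposed
    if src_zone == dst_zone:
        return True                    # never crosses the firewall at all
    if src_zone == INSIDE and dst_zone == DMZ:
        return True                    # inside may reach any DMZ service
    if src_zone == OUTSIDE and dst_zone == DMZ:
        return dst_port in exposed     # outside sees only the selected ports
    if src_zone == DMZ and dst_zone == OUTSIDE:
        return True                    # assumption: DMZ hosts may fetch updates
    return False                       # inside<->outside direct, DMZ->inside: denied


def dmz_host_allows(src_zone, dst_zone, dst_port):
    """Consumer-router "DMZ host" as the thread describes it: every unsolicited
    inbound port is passed straight to the designated host, as if it were
    plugged into the modem; the port number is never consulted."""
    if src_zone == OUTSIDE and dst_zone == INSIDE:
        return False                   # NAT still hides the other LAN hosts
    return True


def exposure_gap(probe_ports):
    """Ports on the server reachable from outside under the "DMZ host" setting
    but refused by the classic policy: the protection the thread asks about."""
    return sorted(p for p in probe_ports
                  if dmz_host_allows(OUTSIDE, DMZ, p)
                  and not classic_dmz_allows(OUTSIDE, DMZ, p))


def coalesce_ranges(ports):
    """Group ports into contiguous (low, high) ranges so they consume fewer
    router forwarding entries (ftp-data 20 and ftp 21 become one range)."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)    # extend the current run
        else:
            runs.append((p, p))            # start a new run
    return runs


if __name__ == "__main__":
    # Constructed probe: the thread's services plus a few ports it never exposes.
    probe = sorted(public_ports() | {23, 111, 143, 3306})
    print("classic policy forwarding entries:", coalesce_ranges(public_ports()))
    print("extra ports the DMZ-host setting exposes:", exposure_gap(probe))
```

Running the script shows the thread's nine surviving services collapse to seven forwarding entries, and that every port not in that set is reachable from outside under the pass-through setting but refused by the classic policy, which is the difference the original question was asking about.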