network question - is this unusual?
Bill Davidsen
davidsen at tmr.com
Sat Jun 6 23:54:45 UTC 2009
Mikkel L. Ellertson wrote:
> Gerhard Magnus wrote:
>> I recently had to deal with my ISP about a connectivity problem that
>> turned out to be on their end. (The tech referred to linux as lie-nux
>> and insisted on doing everything in XP which I fortunately had
>> dual-booted.) But in the process of working through this it was
>> necessary for me to describe the way I'd set up my LAN here and he
>> seemed incredulous. This wouldn't bother me except that I've gotten this
>> reaction before from people in the outside world but never an
>> explanation. So I'm asking: is there something weird about this
>> structure? Is there some "better" or more standard setup?
>>
>> The Actiontec DSL modem provided by Quest plugs into the phone
>> jack. The Actiontec is an older model with only one ethernet plug. Since
>> I have four boxes, two of which are dual booting Fedora and XP, I have
>> an ethernet cable connecting the modem to the DSL plug of a Linksys
>> router. I then have separate cables connecting the four outlets on the
>> router to each of the four boxes. (I did all this cabling at a time
>> before wireless routing was as available and cheap as it is today.)
>>
>> Each of the six operating systems (4 linux and 2 XP) has a static IP
>> address and each has a firewall. I have NFS running on the linux
>> systems. There's another firewall on the router, which is currently
>> port-forwarding only ssh and torrent data from the outside world.
>>
>> I thought I'd check this out before going further....
>>
> Unusual was my first DSL setup, many years ago. My ISP even let you
> run servers and provided DNS service if you had your own domain
> name. I had a P-75 running as a combination of firewall, web server,
> and relaying mail server. It also did NAT.
>
> I would not consider such a setup secure nowadays, but the risk at
> the time was acceptable.
>
I have mixed feelings on that. I think if you don't run a formal DMZ:

Internet----firewall1--------------------firewall2---internal_pvt_net
                           |       |
                          http    smtp
                          svr     svr

you are better with the web and mail servers on the firewall than inside it,
where if the server gets compromised it looks like a trusted internal machine.
You can argue that either way, as well as debating if the servers are more or
less secure in virtual machines.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
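
The trust boundary in the DMZ diagram above, written as an nftables ruleset for firewall2. This is an added example, not part of the original post; the interface names dmz0 and lan0 and the ssh management rule are assumptions.

```nftables
#!/usr/sbin/nft -f
# firewall2 from the diagram: one leg on the DMZ segment (http/smtp servers,
# and firewall1 beyond them), one leg on internal_pvt_net.
# Interface names are assumed for illustration.
flush ruleset

define DMZ_IF = "dmz0"   # toward the http/smtp servers and firewall1
define LAN_IF = "lan0"   # toward internal_pvt_net

table inet fw2 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that internal hosts opened.
        ct state established,related accept
        ct state invalid drop

        # Internal hosts may open connections outward: to the DMZ servers
        # and, through firewall1, to the Internet.
        iifname $LAN_IF oifname $DMZ_IF ct state new accept

        # Nothing on the DMZ side may open a connection inward. A compromised
        # web or mail server is treated like any other outside host, and the
        # attempt is logged and counted instead of silently hitting the policy.
        iifname $DMZ_IF oifname $LAN_IF ct state new log prefix "fw2 dmz->lan: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Management only from the internal side (assumed: ssh on port 22).
        iifname $LAN_IF tcp dport 22 ct state new accept

        # DMZ hosts get no access to the firewall itself.
        iifname $DMZ_IF log prefix "fw2 dmz->fw: " counter drop
    }
}
```

With the servers placed on internal_pvt_net instead, their traffic to other internal machines never crosses firewall2, so none of these rules would see it.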