network question - is this unusual?

Bill Davidsen davidsen at tmr.com
Sat Jun 6 23:54:45 UTC 2009


Mikkel L. Ellertson wrote:
> Gerhard Magnus wrote:
>> I recently had to deal with my ISP about a connectivity problem that
>> turned out to be on their end. (The tech referred to linux as lie-nux
>> and insisted on doing everything in XP which I fortunately had
>> dual-booted.) But in the process of working through this it was
>> necessary for me to describe the way I'd set up my LAN here and he
>> seemed incredulous. This wouldn't bother me except that I've gotten this
>> reaction before from people in the outside world but never an
>> explanation. So I'm asking: is there something weird about this
>> structure? Is there some "better" or more standard setup?
>>
>> The DSL modem Actiontec modem provided by Quest plugs into the phone
>> jack. The Actiontec is an older model with only one ethernet plug. Since
>> I have four boxes, two of which are dual booting Fedora and XP, I have
>> an ethernet cable connecting the modem to the DSL plug of a Linksys
>> router. I then have separate cables connecting the four outlets on the
>> router to each of the four boxes. (I did all this cabling at a time
>> before wireless routing was as available and cheap as it is today.)
>>
>> Each of the six operating systems (4 linux and 2 XP) has a static IP
>> address and each has a firewall. I have NFS running on the linux
>> systems. There's another firewall on the router, which is currently
>> port-forwarding only ssh and torrent data from the outside world.
>>
>> I thought I'd check this out before going further....
>>
> Unusual was my first DSL setup, many years ago. My ISP even let you
> run servers and provided DNS service if you had your own domain
> name. I had a P-75 running as a combination of firewall, web server,
> and relaying mail server. It also did NAT.
> 
> I would not consider such a setup secure nowadays, but the risk at
> the time was acceptable.
> 
I have mixed feelings on that. I think if you don't run a formal DMZ:

Internet----firewall1--------------------firewall2---internal_pvt_net
                          |          |
                        http       smtp
                         svr        svr

you are better off with the web and mail servers on the firewall than inside it, 
where, if the server gets compromised, it looks like a trusted internal machine.

You can argue that either way, as well as debating if the servers are more or 
less secure in virtual machines.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
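Bill's diagram, worked through as a small policy simulation. This is an added example, not code from anyone in this thread: it models the two-firewall DMZ from the sketch alongside the alternative he argues against (the server sitting on the internal segment behind one port-forwarding router) and asks, for each, where an attacker who has taken over the web server can open connections. The zone names, the rule lists, and the ports (80 and 25 inbound, 2049 standing in for Gerhard's NFS) are all constructed for the illustration; host-level firewalls on the individual boxes are deliberately left out so that only the network placement is compared.

```python
"""Compare the blast radius of a compromised server in the two placements
Bill contrasts: a formal two-firewall DMZ versus a server sitting on the
internal network behind a single firewall. Zones, rules and ports here are
constructed for illustration (assumptions, not anything from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None matches any destination port
    accept: bool


def firewall_permits(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; no match means drop (default-deny)."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.accept
    return False


@dataclass
class Topology:
    firewalls: Dict[str, List[Rule]]          # firewall name -> ordered rules
    paths: Dict[Tuple[str, str], List[str]]   # (src zone, dst zone) -> firewalls crossed

    def permits(self, src: str, dst: str, port: int) -> bool:
        """A flow is allowed only if every firewall on its path accepts it.
        An empty path (same segment) crosses no firewall and is always allowed."""
        path = self.paths.get((src, dst))
        if path is None:
            return False  # zones are not connected at all
        return all(firewall_permits(self.firewalls[fw], src, dst, port) for fw in path)

    def reachable_from(self, src: str, port: int) -> List[str]:
        """Zones a host in `src` can open connections to on `port`."""
        return sorted(dst for (s, dst) in self.paths
                      if s == src and self.permits(src, dst, port))


# Bill's diagram: firewall1 faces the Internet, firewall2 guards the private
# net, and the http and smtp servers hang off the segment between them.
DMZ_TOPOLOGY = Topology(
    firewalls={
        "firewall1": [
            Rule(INTERNET, DMZ, 80, True),        # web traffic to the http svr
            Rule(INTERNET, DMZ, 25, True),        # inbound mail to the smtp svr
            Rule(DMZ, INTERNET, None, True),      # servers may reply / relay outward
            Rule(INTERNAL, INTERNET, None, True),
        ],
        "firewall2": [
            Rule(INTERNAL, DMZ, None, True),      # inside may manage the servers
            Rule(INTERNAL, INTERNET, None, True),
            # no DMZ -> INTERNAL rule: a compromised server cannot initiate inward
        ],
    },
    paths={
        (INTERNET, DMZ): ["firewall1"],
        (INTERNET, INTERNAL): ["firewall1", "firewall2"],
        (DMZ, INTERNET): ["firewall1"],
        (DMZ, INTERNAL): ["firewall2"],
        (DMZ, DMZ): [],
        (INTERNAL, DMZ): ["firewall2"],
        (INTERNAL, INTERNET): ["firewall2", "firewall1"],
        (INTERNAL, INTERNAL): [],
    },
)

# The alternative: one router port-forwarding 80 and 25 to a server that lives
# on the same segment as the workstations (host firewalls ignored here).
FLAT_TOPOLOGY = Topology(
    firewalls={
        "router": [
            Rule(INTERNET, INTERNAL, 80, True),
            Rule(INTERNET, INTERNAL, 25, True),
            Rule(INTERNAL, INTERNET, None, True),
        ],
    },
    paths={
        (INTERNET, INTERNAL): ["router"],
        (INTERNAL, INTERNET): ["router"],
        (INTERNAL, INTERNAL): [],
    },
)

NFS_PORT = 2049  # stands in for the NFS service running between the Linux boxes


def compromised_server_reaches_internal(topology: Topology, server_zone: str) -> bool:
    """Can an attacker on the web server open NFS connections to the private net?"""
    return INTERNAL in topology.reachable_from(server_zone, NFS_PORT)


if __name__ == "__main__":
    print("DMZ : web server can reach", DMZ_TOPOLOGY.reachable_from(DMZ, NFS_PORT))
    print("flat: web server can reach", FLAT_TOPOLOGY.reachable_from(INTERNAL, NFS_PORT))
```

The interesting output is the second line of each run: in the DMZ layout the compromised server can still talk to the Internet and to its DMZ neighbour, but `firewall2` has no rule for DMZ-to-internal traffic, so the private net never sees it; in the flat layout the same server sits on the internal segment, crosses no firewall at all, and reaches every other box on 2049, which is exactly the "looks like a trusted internal machine" problem Bill describes.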