[afnog] RE: how is the switch
Brian Candler
B.Candler at pobox.com
Wed Jun 1 11:45:55 EAT 2005
> > I do not have a Unix system unless if Linux RedHat 7.3 will do.
I think it will probably have a tftp server, but that's a really old
distribution, and it's a long time since I've used Linux anyway. Have a look
in /etc/inetd.conf to see if there's a tftpd entry.
(Personally I include Linux in the "Unix" family tree, even though it's a
completely separate development; it is written to provide a Unix-compatible
interface)
> > Can I also take this opportunity to ask how best I can use the following
> > hardware?
> >
> > My current network is running on 2 Windows 2003 servers, 1 Windows 2000
> > server, I would like to change to Unix for the following services, email
> > server, proxy server, Asterix server, ftp server, web server. I only
> > have 1 IP public all my workstations are on private IP addresses.
> >
> > My hardware has the following specifications;
> >
> > 2 Intel Serverboard SE7210TP1
> >
> > Dual Serial ATA drives (Raid 0;1), 2 * 80GB
> > IDE drives, 3 * 80GB each
> > Total disk storage = 400GB
> > IDE DVD-RW drive
> > 512MB RAM
I would suggest that the more preparation and planning you do up-front, the
better. This is especially true if you want to try to arrange a seamless
migration.
Some of your options are:
(1) What version of Unix do you want to run? If it's Linux, you're going to
have to choose a distribution you're comfortable with. Unfortunately, Red Hat
is no longer available in a free version. You might want to look at White Box
Linux - http://www.whiteboxlinux.org/ - which is a free clone of Red Hat
Enterprise Linux. Or you could choose another distribution - Debian and
Gentoo are perhaps the best-known "free" choices, given that Mandrake and
SuSE could follow the Red Hat lead and go commercial at any stage in the
future. However, neither Debian nor Gentoo uses RPM for packaging, so you'll
have to learn the different admin tools.
Personally, I dropped Linux years ago and went with FreeBSD. I find it more
stable, and simple to configure (once you've found your way around) - just a
single /etc/rc.conf file. The main downside is that binary upgrades (e.g. from
5.3-RELEASE to 5.4-RELEASE) are still in the dark ages.
You're the one who's going to have to manage the platform, so you need to get
yourself familiar with whatever you're going to use. I strongly recommend you
build yourself a test box using whatever old hardware you have lying around -
or convert your own desktop machine to use your preferred platform. The
desktop I'm writing this on runs FreeBSD 5.4 with KDE.
(2) What applications are you going to use? How are you going to configure
them? The AfNOG workshop notes may help here. http://www.ws.afnog.org/
My choices include exim, courier-imap, sqwebmail, squid (if you want a caching
proxy). Again, you need to be comfortable that you can install and run all
these applications, and your test box will be invaluable here.
You'll need to decide whether to install pre-built packages, or compile
yourself from source, or (in the case of FreeBSD) use the ports system.
Once you have them working in the way you want, you can then roll out the same
configs onto your live boxes.
(3) Your single IP address gives you some choices with routing.
a. You can lump everything together onto a single Unix box with two ethernet
cards (assuming your upstream link is ethernet): it can act as proxy, IP
router with NAT, mail server, and so on. It does become a single point of
failure, but the physical network is simple and it minimises hardware. If you
have a small internal network with a handful of machines, it may be
appropriate.
You don't even have to enable NAT and IP routing, if you want to force all
your clients to use the proxy to access the Internet.
b. You can have a separate firewall box (either dedicated hardware or a PC)
which performs NAT for your private network. Then you can use port mapping
for inbound connections; for example connections to x.x.x.x port 25 are
mapped to 192.168.0.1 port 25 (your mail server).
This has the advantage that you can map different services to different
internal servers, should you wish. If you already have a hardware router
which can act as a firewall and DHCP server, it's likely to be very reliable,
and means that your network will continue to function even if all your
servers are taken off line.
You can buy low-cost "cable modem" routers which are probably sufficient for
your needs; they assume one upstream IP address anyway. You can get them with
built-in wireless access points for hardly any extra money. Geert Jan has one
he brings to Afnog (by Linksys I think?)
It also depends on what your upstream connection is. At home my upstream
connection is DSL rather than Ethernet; I have a Speedtouch 716g router,
which has DSL upstream, ethernet switch for the local network, wireless
access point, and two phone sockets for voice-over-IP with SIP, which can
talk directly to an Asterisk server. It only cost £100.
http://www.speedtouch.co.uk/
c. Going down the firewall route, you can go for a more complex network with a
DMZ: e.g.
ext
|
firewall ---------- dmz
| 192.168.1.0/24
int
192.168.0.0/24
You put your external-facing servers in the DMZ, and configure the firewall to
allow inbound connections from the outside world to the DMZ, but not from the
DMZ to the internal network. That means that even if someone breaks into one
of your external-facing servers, they can't use it to break in further to
your internal network. (That may not be a concern if your internal network is
simple or doesn't have any other servers though)
Your firewall here has to be more complex, with three ethernet interfaces.
(4) You have 3 Windows servers right now, so do you need to keep one of them
for Windows? For example is it acting as domain controller or fileserver?
It's possible to implement some of these functions under Unix (e.g. using
Samba) but it's not trivial to set up, so you might want to keep a Windows
server on the private network for these functions.
Hope this gives you some things to think about.
Regards,
Brian.
More information about the afnog
mailing list