Setting up a router in front of my server

[david at thekramers.net (David Kramer)]

For years, I've had One Server To Rule Them All, with two network cards (one 
DSL-modem-facing, one intranet-facing leading to a hub), functioning as both 
firewall/NAT/server of many protocols.  I have an old WAP plugged into the 
hub that I use for my laptop and Zaurus, etc.

I just picked up a Linksys WRT54G wireless router with 4-port hub (still 
shrinkwrapped, so tell me if that was a bad choice sooner than later).  I 
want to use it as my firewall, but there's a couple of ways of playing this.

I'm reading up on the whole DMZ concept, and it seems like a straight 
pass-through, so what does that buy you over hooking up the machine straight 
to the DSL modem?  It means I don't have to configure individual ports to go 
to my server, but it adds no protection to my server either.

If I don't put my server in the DMZ, I have to open up a bunch of ports to 
it.  Judging by the picture in the PDF version of the manual I downloaded, 
it looks like this unit is limited to 10 ranges.  If I want to be precise in 
my ports left open, then this will be pretty tight.  I can do it if I put 
some nearby ports in one range.  Right now my /etc/sysconfig/SuseFirewall2 
file has "FW_SERVICES_EXT_TCP="8042 993 bittorrent ftp ftp-data http https 
imap imaps ntp pop3 pop3s rsync smtp ssh svn".  I can probably ditch rsync, 
and 993 is the same thing as imaps I think.  ftp and ftp-data are contiguous 
so they can go in one entry.  That leaves 13 entries, so I will have to get 
creative.  Maybe I can get rid of imap, since UW-imap requires imaps anyway. 
  But whatever I do I have to leave ports open that I won't be using.  Am I 
missing something, or am I simply doing too much with my server ;)  I also 
forget how AIM/Yahoo/MSN messengers are working without holes for their 
protocols.  Do they go over port 80?

I assume I should continue to run SuseFirewall on my server even if it's 
protected by the router, right?  The router should block everything 
unwanted, and that would mean I could ease the load of the server quite a 
bit.  Is it false security to run two firewalls doing pretty much the same 
thing, or is it a waste of CPU cycles?  At least I can kill the dhcp server 
and disable masquerading in the firewall.

Last one: So I guess my router will now get my static IP address, and I have 
to tell my server that its one and only interface is a 192.168.1 address, 
right?  Which is cool, because then I can remove one more card from that 
system and use just the ethernet jack on the motherboard.

Thanks.


PS: I'm doing this for several reasons:
- My WAP's antenna is a little broken
- My WAP is B only, and I paid good money for G in my Thinkpad
- All my devices are connected with a crappy hub now, so everything is 
forced to 10Mbs.  Now I'll have a 10/100 switch for local traffic.
- I'm 99% sure I'm gonna put a Hauppague PVR-350 card in my server and add 
MythTV to its list of duties, and I will most likely be watching the content 
on my laptop elsewhere, so 5X the speed is a good thing.
- I had a $100 gift certificate to Best Buy and this was on sale.