Setting up a router in front of my server

Mark J. Dulcey mark at buttery.org
Sat Apr 2 04:49:48 EST 2005


David Kramer wrote:

> For years, I've had One Server To Rule Them All, with two network cards 
> (one DSL-modem-facing, one intranet-facing leading to a hub), 
> functioning as both firewall/NAT/server of many protocols.  I have an 
> old WAP plugged into the hub that I use for my laptop and Zaurus, etc.

The concept of One Server may be the first place to start your 
rethinking. I'd be inclined to divide things up into two parts: the 
services that you want to have available over the entire internet, and 
the services that are just for use in your house. Anything in the second 
category should run on a box BEHIND the firewall and NAT.

That would let you shorten the list of available services on the public 
server a bit. For instance, you probably wouldn't run NTP for the world. 
The non-secure IMAP and POP3 can also go. And you probably want 
BitTorrent to go to one of your user machines, not to the public server.

> I'm reading up on the whole DMZ concept, and it seems like a straight 
> pass-through, so what does that buy you over hooking up the machine 
> straight to the DSL modem?  It means I don't have to configure 
> individual ports to go to my server, but it adds no protection to my 
> server either.

That's right -- on the typical router, the DMZ is just a straight 
pass-through with no security at all.

> I assume I should continue to run SuseFirewall on my server even if it's 
> protected by the router, right?  The router should block everything 
> unwanted, and that would mean I could ease the load of the server quite 
> a bit.  Is it false security to run two firewalls doing pretty much the 
> same thing, or is it a waste of CPU cycles?

Might as well keep both firewalls; it helps if you have made a mistake 
in the configuration of the Linksys. It wastes some CPU cycles, but 
you're not likely to have a shortage of them on a home server.

> Last one: So I guess my router will now get my static IP address, and I 
> have to tell my server that its one and only interface is a 192.168.1 
> address, right?  Which is cool, because then I can remove one more card 
> from that system and use just the ethernet jack on the motherboard.

Yes, exactly right. Remember to use a fixed address (in the 192.168 
range) for it!

> - I'm 99% sure I'm gonna put a Hauppauge PVR-350 card in my server and 
> add MythTV to its list of duties, and I will most likely be watching the 
> content on my laptop elsewhere, so 5X the speed is a good thing.

I'd definitely do this on a separate box! MythTV will be a disk space 
and CPU hog.
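
The advice above boils down to: decide which services the public box is meant to offer to the whole internet, and make sure nothing else is listening on its outside address (NTP, plain IMAP/POP3 and BitTorrent being the examples given). The script below is an added illustration for this thread, not something posted by either participant: a small audit that reads `ss -ltn`-style socket listings and flags any socket bound to all interfaces whose port is not on the host's public allowlist. The allowlist (`PUBLIC_ALLOW`) and the sample socket lines are constructed for the example; on a real host you would pipe in `ss -Hltn` (or `netstat -ltn` on a 2005-era box) instead of the sample.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -Hltn` output (one listening TCP socket
# per line): State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*
LISTEN 0 128 0.0.0.0:110 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 192.168.1.10:6881 0.0.0.0:*
LISTEN 0 128 [::]:993 [::]:*'

# Ports this host is meant to serve to the entire internet (assumed for the
# example: ssh, http, https, imaps, pop3s). Everything else on 0.0.0.0 is suspect.
PUBLIC_ALLOW="22 80 443 993 995"

# audit_sockets: read ss-style lines on stdin and print one verdict per socket:
#   ok        bound to a public address and the port is on PUBLIC_ALLOW
#   local     bound to loopback only, not reachable from outside
#   internal  bound only to an RFC 1918 address (the "house" side)
#   REVIEW    bound to all interfaces and the port is NOT on the allowlist
audit_sockets() {
    while read -r state rq sq laddr paddr; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}      # text after the last colon is the port
        addr=${laddr%:*}       # everything before it is the address
        case "$addr" in
            127.*|\[::1\])
                echo "local $port $addr"; continue ;;
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                echo "internal $port $addr"; continue ;;
        esac
        verdict=REVIEW
        for p in $PUBLIC_ALLOW; do
            [ "$p" = "$port" ] && verdict=ok
        done
        echo "$verdict $port $addr"
    done
}

# count_review: how many sockets in the sample need attention
count_review() {
    printf '%s\n' "$SAMPLE_SOCKETS" | audit_sockets | grep -c '^REVIEW' || true
}

# Run the audit over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SOCKETS" | audit_sockets
```

On the sample, the two plain-text mail ports (143 and 110) come back as `REVIEW`, the MySQL socket on loopback and the BitTorrent socket on the 192.168 address are reported as `local` and `internal`, and ssh, http and imaps pass. A `REVIEW` line means either the service should move to a machine behind the NAT, as Mark suggests, or its listen address should be restricted; the second firewall on the server is the backstop for the case where the Linksys rule set gets it wrong.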



More information about the Discuss mailing list