David Kramer wrote:
> If I don't put my server in the DMZ, I have to open up a bunch of
> ports to it. Judging by the picture in the PDF version of the manual
> I downloaded, it looks like this unit is limited to 10 ranges. If I
> want to be precise in my ports left open, then this will be pretty
> tight. I can do it if I put some nearby ports in one range. Right
> now my /etc/sysconfig/SuseFirewall2 file has
> "FW_SERVICES_EXT_TCP="8042 993 bittorrent ftp ftp-data http https imap
> imaps ntp pop3 pop3s rsync smtp ssh svn". I can probably ditch rsync,
> and 993 is the same thing as imaps I think. ftp and ftp-data are
> contiguous so they can go in one entry. That leaves 13 entries, so I
> will have to get creative. Maybe I can get rid of imap, since UW-imap
> requires imaps anyway. But whatever I do I have to leave ports open
> that I won't be using. Am I missing something, or am I simply doing
> too much with my server ;) I also forget how AIM/Yahoo/MSN messengers
> are working without holes for their protocols. Do they go over port 80?
>

Do what I do: Port 80 and 22 (ssh). Tunnel anything else you can over SSH. Now you're a lot more secure, too.

> Last one: So I guess my router will now get my static IP address, and
> I have to tell my server that its one and only interface is a
> 192.168.1 address, right? Which is cool, because then I can remove
> one more card from that system and use just the ethernet jack on the
> motherboard.

Yes. One private IP unless you are going to continue routing your intranet traffic through the other card on yet _another_ private subnet. While this would add a little security, it seems like an awful waste.

Steve
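
The tunnelling approach suggested in the reply, sketched as an added example that is not part of the original thread: a helper that turns service names from the firewall line into loopback-only `ssh -L` forwards, so only port 22 has to be opened for them. The function names, the +10000 local port offset and the `user@host` argument are assumptions; the port numbers are the standard well-known ports.

```shell
#!/bin/sh
# Added example (not from the thread): reach private services through one SSH port.

# Map a service name to its well-known port; a bare number (e.g. 8042) passes through.
# ftp is deliberately absent: its separate data connection does not fit a single -L forward.
svc_port() {
    case "$1" in
        imap)  echo 143 ;;
        imaps) echo 993 ;;
        pop3)  echo 110 ;;
        pop3s) echo 995 ;;
        rsync) echo 873 ;;
        svn)   echo 3690 ;;
        ''|*[!0-9]*) return 1 ;;   # unknown service name
        *) echo "$1" ;;            # numeric port
    esac
}

# Emit one -L option per service. Both ends are bound to 127.0.0.1 so the
# forward is not reachable from other hosts on the client's or server's LAN.
tunnel_args() {
    args=""
    for svc in "$@"; do
        port=$(svc_port "$svc") || {
            echo "no tunnel mapping for: $svc" >&2
            return 1
        }
        if [ "$port" -gt 55535 ]; then
            echo "port $port too high for the +10000 offset" >&2
            return 1
        fi
        args="$args -L 127.0.0.1:$((port + 10000)):127.0.0.1:$port"
    done
    echo "${args# }"
}

# Open the tunnels: open_tunnels user@host imap pop3 svn   (hypothetical target)
# -N runs no remote command; ExitOnForwardFailure stops ssh if a forward cannot bind.
open_tunnels() {
    target=$1; shift
    fwd=$(tunnel_args "$@") || return 1
    # $fwd is intentionally unquoted so each option becomes its own argument.
    ssh -N -o ExitOnForwardFailure=yes $fwd "$target"
}
```

With the tunnel up, a mail client pointed at `127.0.0.1:10143` talks to the server's IMAP port without that port being open on the router.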
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.