From: Alex Soares de Moura
Organization: RNP
Date: Tue, 03 Jan 2006 18:00:06 -0200
To: freebsd-isp@freebsd.org
Cc: DSA - JCR
Subject: Re: newby isp questions
Message-ID: <43BAD7C6.4040909@rnp.br>
In-Reply-To: <1621.217.114.136.133.1136295524.squirrel@llca513-a.servidoresdns.net>

Hello Juan,

DSA - JCR wrote:
> I would like to know if the configuration in which I am thinking is right
> or not.
>
> I have an ADSL modem (1Mb by now) connecting to an ISP.
>
> This is what I am thinking to do:
>
> - I must have a fixed IP from my ISP.

That's ok for a (very) small start, but soon you'll realize that ISPs need an IP address block assigned to them, from a higher level ISP or organization.

> - The ADSL modem will connect to a Firewall box (FreeBSD or m0n0Wall?). I
> am thinking of an old PC I have. Can this be made without a hard disk, only
> with a CD?

My bet is that a m0n0wall box is faster, easier to deploy and manage. Yes, it can be done from a CD, which is good for security, but bad for performance. For better performance, a HDD installation would be nice. For more features, you probably will like to take a look at the pfSense project: www.pfsense.com.

> - This Firewall connects to a PC with FreeBSD 6.0 and web capabilities
> (Apache, mail...).
> - In order to protect my network, I would use NAT in the Firewall, and
> connect my PC to it as a gateway.

Looking from the security side, Internet services aggregation is better done in separate environments (hosts, virtual machines, jails etc.), so that one of them doesn't pose an unnecessary threat to the others in your ISP environment. Take a look at the references below.

> Questions:
> - Must I separate the Firewall/NAT from the Webserver box or can they be the same?

Again, it's a security issue. What if the webserver is compromised? Your firewall would be at risk... Another issue that has been discussed for a long time is that NAT is not considered a proper security technology by network experts, and also that it breaks the end-to-end concept and causes a lot of trouble for some applications to function properly. "Security through obscurity is no security at all". See references below.

> - My ADSL modem uses USB to connect to the PC, can I use it or is a hub
> ADSL type better?

That's my personal opinion: try to avoid core network devices that attach via USB in your ISP infrastructure, mostly because of driver compatibility and performance. There is more support for NICs in every operating system today than support for USB devices, which have better support in the Windows OS. Maybe this will change in the future, but that's my opinion. This may not be an issue for you, if all your hardware is well supported by FreeBSD.

> - In the Webserver box, if I want to have different web domains, must I put
> each one in a jail? And what about the IP of each domain, only one NIC?

Yes, you can have many IP addresses on one NIC and create jails to host different domains. You will spend more hardware resources (CPU, RAM), though, running a separate Apache instance in each jail. The Virtual Hosts feature of the Apache server can be enough for your scenario. See below.

> Where can I learn about this? books?...

Yes, there are a lot of good sources of information on the Internet and in books. See the recommended reading list:

[1] Network Startup Resource Center
    http://www.nsrc.org
[2] NANOG ISP Resources
    http://www.nanog.org/isp.html
[3] NANOG Mailing List FAQ
    http://www.nanog.org/listfaq.html
[4] Building Internet Firewalls
    http://www.oreilly.com/catalog/fire2/index.html
    http://www.greatcircle.com/firewalls-book/
[5] Practical Unix and Internet Security
    http://www.oreilly.com/catalog/puis3/
[6] FreeBSD Planning, Installation and Security Tips
    http://www.nsrc.org/freebsd-tips.html
[7] NAT
    http://en.wikipedia.org/wiki/NAT
[9] NAT
    http://www.networkworld.com/details/645.html
[10] Security Considerations of NAT
    http://safecomputing.umich.edu/tools/download/nat_security.pdf
[11] TCP/IP Resources List
    http://www.faqs.org/faqs/internet/tcp-ip/resource-list/
[12] Simplify Your Life with Apache Virtual Hosts
    http://www.onlamp.com/lpt/a/4021
[13] Installing FreeBSD 6 for Internet Server
    http://freebie.miraclenet.co.th/server/install_fbsd/

Best regards,
Alex
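Added example (not part of Alex's message or the FreeBSD project's own configuration): a FreeBSD 6-era /etc/rc.conf fragment for the jail-per-domain layout Alex describes, with one physical NIC carrying the host address plus one alias per jail. The interface name fxp0, the jail names, hostnames, paths and the 192.0.2.0/24 addresses are all constructed.

```sh
# Constructed /etc/rc.conf fragment (FreeBSD 6.x rc.d/jail variable names).
# One NIC (fxp0, assumed) holds the host's own address plus one alias per
# jail; each jail is bound to exactly one of those aliases.
hostname="host.example.net"
ifconfig_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
# Aliases on the same subnet as the primary address use a /32 netmask.
ifconfig_fxp0_alias0="inet 192.0.2.11 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 192.0.2.12 netmask 255.255.255.255"
defaultrouter="192.0.2.1"   # the m0n0wall / firewall box in front

# Jails: a compromised Apache inside www1 cannot see www2's files,
# processes or sockets, which is the isolation Alex recommends.
jail_enable="YES"
jail_list="www1 www2"

jail_www1_rootdir="/usr/jails/www1"
jail_www1_hostname="www1.example.net"
jail_www1_ip="192.0.2.11"
jail_www1_devfs_enable="YES"

jail_www2_rootdir="/usr/jails/www2"
jail_www2_hostname="www2.example.net"
jail_www2_ip="192.0.2.12"
jail_www2_devfs_enable="YES"

# Keep host daemons off the jail addresses: a daemon bound to * would
# answer on the jails' IPs and expose host services next to each site.
sshd_enable="YES"
sshd_flags="-o ListenAddress=192.0.2.10"
syslogd_flags="-ss"         # no network socket at all on the host syslogd
```

Each jail then runs its own Apache, bound to the jail's single address; if the resource cost is too high, Apache name-based Virtual Hosts on one address (reference [12]) is the lighter alternative at the cost of no isolation between the sites.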