# Advanced home network setup question [solved]

## rounded_circle

Hallo!

In my short experience with Linux Gentoo, I managed to install Gentoo on 3 computers in my house, connect them to a router and have a small network. My next step, over time, is to harden that network and incorporate the following services into it: 

1) Web server with database

(Will host a couple of web sites that hopefully will be expanding their needs in bandwidth and resources over time.)

2) Mail server

3) NAT / Firewall (Shorewall?)

4) Proxy server

5) DHCP / DNS (dnsmasq)

6) Rsync server

7) NFS / SSH

8) Time server

9) Applications for network monitoring and logging

10) Bandwidth management for certain nodes on the network

I intend to build a Gentoo router bearing in mind the flexibility it can provide in terms of Bandwidth Management or management of a second line from my ISP. However I lack the big picture of the issue... I have no idea what it is to maintain a web server or even a web-site. Therefore I am asking for help to get the basic idea. 

My questions are the following:

1) I have read in certain fora and web sites (such as http://www.linux-sec.net/) that it is preferable for security reasons to have the router/firewall physically separated from the other services (DNS for example). However, in the Home Router Guide Howto this is not clearly suggested. Since I am a complete noob who is currently -kind of- budgeting this project... I would like to delineate what a proper hardware configuration would be. (How many machines would cater for these needs, which services each machine should cater for, and what a preferable configuration level would be, bearing in mind a satisfactory level of security and regular resource handling?)

2) In a recent Gentoo forum thread, it was suggested that Shorewall is a very good and reliable interface for iptables handling. Except for some basic issues, I have no acquaintance with iptables nor Shorewall. I understand that an interface saves time and effort, but on the other hand handling such issues directly gives an in-depth overview of the whole system. According to my goal and based on your experience, would Shorewall be a reliable solution, or should I spend more time configuring iptables manually?

Regards,

rounded_circle

----------

## frostschutz

 *rounded_circle wrote:*   

> 1)I have read in certain fora and web sites (such as http://www.linux-sec.net/) that it is preferable for security reasons to have physically separated the router/firewall from the other services (DNS for example).

 

That's right, and if the site is worth anything, they will list these security reasons in detail, so you can decide whether you want to give in to paranoia or not.

 *rounded_circle wrote:*   

> According to my goal and based on your experience, would Shorewall be a reliable solution or I should spend more time in configuring iptables manually?

 

Err. Well, from the Shorewall author's POV (dunno if it was a single author though), he did things manually, and others use his work to not do things manually. So this one is tough to answer.

In either case, I suggest you look at what others have been doing (that means looking at Shorewall as well). Firewalling and bandwidth management are two very complex fields of research, and it's hard to set up manually without in-depth knowledge. And there are many things that can go wrong... if you ever locked yourself out, you know what I mean.

----------

## NeddySeagoon

rounded_circle,

Look and see what others have done - IPCop, Smoothwall Express and some other security distros. These all take over the host PC to turn it into a network appliance, so play with other security setups before you do your own.

I would recommend against Gentoo as the basis for a security platform, since if you do get hacked, you don't want to give your uninvited guest a tool chain. The free version of Smoothwall does not meet your requirements - it does not provide traffic shaping. I'm suggesting that it's worthy of evaluation so you can see how it's been done before.

----------

## rounded_circle

NeddySeagoon, frostschutz,

Thank you for your help. That is the "picture" I missed: Gentoo is a tool, not a solution. It is able to provide the solution that each one can create with the tools provided. The result of my self-evaluation is that I am way too far from creating such a complex solution.

Therefore, my next step would be an "advanced home network setup research"! IPCop is a suggestion I have seen in the Gentoo fora during my preliminary research on this subject. Smoothwall Express has just initialized my inquiring daemon.

The fact is that I can clearly describe -even draw!- my next step now. Definitely I would not like to provide a tool chain to any malicious user of the *net. I will do my best, and I will keep this post updated. 

Regards,

rounded_circle

----------

## rounded_circle

This is the basic picture of the configuration I have in my mind:

```
              Static IP/ISP2          Dynamic IP/ISP1
                    |                        |
                  -----                    -----
                  | M |                    | M |
                  -----                    -----
                    |                        |
                 -------------------------------
                 |         ROUTER/NAT          |
                 -------------------------------
       DMZ/              |             |
  Public Network         |             |        Private Network
     ---------------------           ---------------------
     |      SWITCH       |           |      SWITCH       |
     ---------------------           ---------------------
        |           |                 |       |       |
     ------      ------            ------  ------  ------
     | S1 |      | S2 |            | H1 |  | H2 |  | H3 |
     ------      ------            ------  ------  ------
```

These are the services I intend to establish:

Router

-------

1. NAT

2. Logging traffic and network monitoring

3. DHCP/DNS

4. Bandwidth management

5. Internally remote controlled

Server(s)

----------

1. Web server

2. Mail server

3. Proxy server

4. SSH server (external)

5. Rsync server

6. Time server

7. Database

8. File server

9. ....

I would like to summarize my research findings in order to provide an opportunity for the creation of a pool of possible solutions, which may serve as a guide/pool of ideas for those who have only a basic background in *nix or even IT, like myself.

The documentation I have found that might concern the main configuration issues of the public domain of the network is the following:

Home server 

---------------

1. https://forums.gentoo.org/viewtopic.php?t=59134

2. http://gentoo-wiki.com/HOWTO_setup_a_home-server

3. http://www.gentoo.org/proj/en/base/embedded/gnap.xml

Web server

-------------

1. http://gentoo-wiki.com/HOWTO_Index#Apache_Related

2. http://www.genco.gen.tc/gentoo_chroot_apache2.html

Mail server

------------

1. https://forums.gentoo.org/viewtopic-t-56633.html

2. http://www.gentoo.org/doc/en/virt-mail-howto.xml

3. http://en.tldp.org/HOWTO/Mail-User-HOWTO/

SSH

-----

1. http://www.gentoo.org/proj/en/infrastructure/cvs-sshkeys.xml

2. http://www.gentoo.org/proj/en/keychain/index.xml

3. http://www.securityfocus.org/infocus/1816

4. http://www.securityfocus.org/infocus/1810

More security

---------------

1. http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1#book_part1_chap12

2. http://www.securityfocus.org/infocus/1786

3. http://www.securityfocus.org/infocus/1706

4. http://www.securityfocus.org/infocus/1685

5. http://www.securityfocus.org/infocus/1673

6. http://www.securityfocus.org/infocus/1679

SSL

----

1. http://www.securityfocus.org/infocus/1818

2. http://www.securityfocus.org/infocus/1820

As far as the router is concerned, I managed to find the following security distributions as... candidates:

1. http://www.fli4l.de/e_index.htm

2. http://www.ipcop.org/

3. http://leaf.sourceforge.net/

4. http://www.coyotelinux.com/

5. http://www.m0n0.ch/wall/

6. http://smoothwall.org/

7. http://openbsd.org/

8. http://www.trustix.net/

9. http://www.zelow.no/floppyfw/

I would appreciate some feedback especially on the security distributions. There is surely much more documentation than the one I have provided. Based on the feedback provided, I would be very glad to summarize everything after my project has been completed.

Regards,

rounded_circle
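The layout sketched above puts the public servers (S1, S2) in a DMZ and the workstations (H1..H3) in a private network behind the same router; the security benefit only materialises if the router enforces a default-deny policy between those zones, which is also what Shorewall's zone/policy model (asked about earlier in the thread) expresses on top of iptables. The following is an added example, not from the original post or from Shorewall: a small Python model of that zone policy, with the DMZ ports (80, 443, 25, 22) chosen from the service list as an assumption.

```python
"""Zone-based, default-deny firewall policy model for the DMZ + private LAN layout."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zones of the sketched layout: the ISP uplinks, the DMZ (S1, S2), the private LAN (H1..H3).
WAN, DMZ, LAN = "wan", "dmz", "lan"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str  # "tcp" or "udp"
    dport: int


class ZonePolicy:
    """Inter-zone default policies plus per-port exceptions; anything unmatched is dropped."""

    def __init__(self) -> None:
        self.policy: Dict[Tuple[str, str], str] = {}
        self.rules: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {}

    def set_policy(self, src: str, dst: str, action: str) -> None:
        self.policy[(src, dst)] = action

    def allow(self, src: str, dst: str, proto: str, dport: int) -> None:
        self.rules.setdefault((src, dst), set()).add((proto, dport))

    def decide(self, f: Flow) -> str:
        # An explicit per-port rule wins; otherwise the zone policy; otherwise default-deny.
        if (f.proto, f.dport) in self.rules.get((f.src_zone, f.dst_zone), set()):
            return "ACCEPT"
        return self.policy.get((f.src_zone, f.dst_zone), "DROP")

    def as_shorewall_policy(self) -> List[str]:
        # Shorewall-style "SOURCE DEST POLICY" lines; the per-port exceptions go in its rules file.
        return [f"{s} {d} {a}" for (s, d), a in sorted(self.policy.items())]


def home_policy() -> ZonePolicy:
    p = ZonePolicy()
    p.set_policy(LAN, WAN, "ACCEPT")  # private hosts reach the Internet (through NAT)
    p.set_policy(LAN, DMZ, "ACCEPT")  # admins reach the DMZ servers from inside
    p.set_policy(DMZ, LAN, "DROP")    # a compromised DMZ server must not reach the LAN
    p.set_policy(WAN, LAN, "DROP")    # nothing unsolicited from the Internet into the LAN
    p.set_policy(WAN, DMZ, "DROP")    # ... nor into the DMZ, except the published services:
    for port in (80, 443, 25, 22):    # assumed: web, HTTPS, mail, external SSH from the list
        p.allow(WAN, DMZ, "tcp", port)
    return p
```

Note that the DMZ-to-WAN direction is deliberately left unset, so `decide()` drops it by default; a real deployment would add only the outbound flows the servers need (DNS, NTP, outgoing mail), which is the point of separating the zones.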

----------

## frostschutz

 *rounded_circle wrote:*   

> This is the basic picture of the configuration I have in my mind:
> 
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

You can do ASCII graphics in a `[code] ... [/code]` environment you know...

----------

## rounded_circle

Oooofff! 

This is a prerequisite to get along well with women in my country...  

Arrrrgggg.!!!!.

I' ll "take five" now...

----------

## NeddySeagoon

rounded_circle,

I run apache, qmail, talkd, ssh and seti@home on a 450 MHz K6-2 in the orange (DMZ) net behind my Smoothwall Express firewall, which runs on a Cyrix 200 MHz system fitted with a 120 MB HDD.

You may want to look at qmail for your mail server. I don't have a lot of traffic, so I have not tried traffic shaping.

----------

## rounded_circle

Thank you NeddySeagoon, 

I will start from something simple and then proceed -as necessary- step by step. 

Your advice is always neat and accurate.

Time for action! 

Warm regards,

rounded_circle

----------

