Chris Babcock
01-22-08, 05:54 PM
I'm leasing a block of 16 IP addresses in order to service a DNS
server, 2 mail servers and a number of e-commerce sites, each of which
needs its own IP address for the security certificate. I ran a small
group of servers on a single IP before to service a hobby, but the
software firewall on the Linux distro was adequate for that. With the
new setup, I need a dedicated system, but I'm a little out of my depth.
The hardware I have available is a 75 MHz Pentium I with 64 MB of
memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
a 4.3 MB SCSI hard drive. If I don't need the hard drive in the
firewall system then I'd rather pull the card out to use it for some
devices on the network. It would also improve my comfort level on the
firewall system.
I'd rather have the internal network obscured from the Internet, but
the whole point of the leased addresses is to ensure that security
certificates for the websites and reverse pointers for the mail servers
work properly. Is Proxy-ARP the best solution for this? I think I
recall one firewall distro dropping Proxy-ARP support for security
reasons; what validity is there to that issue?
With 16 external addresses to route, is proxy-ARP a better solution
than SNAT? Which Linux or BSD based firewall distros provide the
necessary functionality? Are any of them significantly more transparent
in their controls than the others? I'm not looking for a plug and play
configuration, but something that lets me see what is going on and make
any changes without having some script reverse them out when I reboot 3
months from now.
One wrinkle... At least at the beginning there won't be a physical
interface for each of the inbound IP Addresses. For example, the mail
server may be on eth0, but several websites will be on virtual
interfaces in the network. Am I asking for trouble interjecting IP
Masquerading into this or is there any simpler way to implement this
(without buying more hardware right away)?
Thank you for your assistance,
Chris
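The post contrasts two ways of getting a block of public addresses through a Linux firewall to servers behind it: proxy-ARP (the servers keep the public addresses and the firewall answers ARP for them and filters in FORWARD) and SNAT/DNAT (the servers hold private addresses and each public address is mapped 1:1). The script below is an added illustration, not the poster's configuration or any distro's scripts: it prints, but does not apply, the `sysctl`, `ip` and `iptables` commands each design needs. Interface names (`eth0` upstream, `eth1` toward the servers), the 203.0.113.0/28 block and the 192.168.10.0/24 inside range are constructed documentation values. In both variants the FORWARD chain defaults to DROP and only the listed TCP ports per address are admitted, and the NAT variant pins each inside host's outbound source address to its own public address so that a mail server's reverse pointer matches what it sends from. The mapping is one entry per public address, so it is indifferent to whether several sites share one physical NIC on the server.

```shell
#!/bin/sh
# Added example: emit (never execute) the firewall configuration for two designs.
# Addresses and interface names below are constructed placeholders.

# Proxy-ARP design.  Servers carry the public addresses themselves; the firewall
# proxies ARP on both sides and needs a host route per server so it knows which
# interface each public address lives behind.
# $1 = upstream interface, $2 = server-side interface, rest = "ip:tcpports" entries.
proxyarp_rules() {
    ext=$1; dmz=$2; shift 2
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.$ext.proxy_arp=1"
    echo "sysctl -w net.ipv4.conf.$dmz.proxy_arp=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in "$@"; do
        ip=${entry%%:*}; ports=${entry#*:}
        # host route: this public address is reachable on the server side
        echo "ip route add $ip/32 dev $dmz"
        # only the published TCP services reach the server; everything else hits the DROP policy
        echo "iptables -A FORWARD -i $ext -o $dmz -d $ip -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    done
}

# SNAT/DNAT design.  Servers hold private addresses; the firewall owns the public
# addresses and maps each one 1:1 in both directions.
# $1 = upstream interface, rest = "public:private:tcpports" entries.
nat_rules() {
    ext=$1; shift
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in "$@"; do
        pub=${entry%%:*}; rest=${entry#*:}
        priv=${rest%%:*}; ports=${rest#*:}
        # the firewall must answer ARP for the public address on the upstream segment
        echo "ip addr add $pub/32 dev $ext"
        # inbound: rewrite the destination to the inside host before routing
        echo "iptables -t nat -A PREROUTING -i $ext -d $pub -j DNAT --to-destination $priv"
        # outbound: the same host always leaves with the same public address,
        # so reverse DNS for a mail server matches its sending address
        echo "iptables -t nat -A POSTROUTING -o $ext -s $priv -j SNAT --to-source $pub"
        # FORWARD sees the already-translated (private) destination
        echo "iptables -A FORWARD -i $ext -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    done
}

# Demonstration: a mail server and a web server, one public address each (constructed values).
echo "# --- proxy-ARP variant ---"
proxyarp_rules eth0 eth1 203.0.113.10:25,465,587 203.0.113.20:80,443
echo "# --- SNAT/DNAT variant ---"
nat_rules eth0 203.0.113.10:192.168.10.10:25,465,587 203.0.113.20:192.168.10.20:80,443
```

Review the printed rules before running any of them on a live box; either design only keeps the inside network unreachable if the FORWARD policy stays DROP and nothing later appends a broad ACCEPT.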