[nzlug] Server Consolidation
Nevyn
nevynh at gmail.com
Wed Nov 14 17:34:18 NZDT 2007
On Nov 13, 2007 7:08 PM, Howard <howard-nzlug at fox.co.nz> wrote:
>
> >>> I was wondering if anyone knew of a decent tutorial on running IPCop
> >>> within a virtual machine on the file server so that I can reduce my
> >>> electricity bill and the noise in my room and anything relating to the
> >>> security of doing such a thing. I've noticed in the list of packages
> >>> IPCop now has vmware-tools so I'm pretty sure it can be done securely.
>
> >> Why not have one server that will run a Xen system and set it up
> >> using NAT? The dom0 is purely running as a firewall using IPTables
> >> (or probably IPKungFu) then your domU will be running your needed
> >> network services?
>
> on 14/11/2007 3:06 p.m. Daniel Lawson wrote:
> > Or just add an iptables firewall to your existing Ubuntu box... I use
> > xen all the time, and am very familiar with virtualisation in general,
> > however this feels a bit much like overcomplicating things :)
>
> IPCop does a lot more than just manage firewalling for one box though.
> Dumping it for one iptables setup would depend on how many IPCop
> features Nevyn is using or cares about (he'd have to set these features
> up under Ubuntu), and whether he has another router to use for the ISP
> connection (My ADSL card is in the IPCop box). Although one hardware
> firewall to manage 2 machines can probably be simplified...!
>
> I quite like the sound of using a Virtualised IPCop solution as I am in
> a similar boat with regard to power consumption (albeit a few more boxes
> running...). I've been wanting to learn about Xen & Virtualisation for
> a while.
>
> cheers
>
> H

The reason everything is being kept kind of complicated is that I'm
trying to reflect a more commercial feel to everything on the basis
that this way I learn. The reason I use IPCop is that it's simple.
Everything's in the one place - firewall, routing, NTP server, DHCP
server - and more importantly, it's all very easy to manage. I've been
trying to take sort of an Installfest-type attitude with it - keep away
from the command line. It's a brilliant solution - 1/2 an hour and
you're up. Great out-of-the-box solution.

I'm not using Xen because that would require a hell of a lot more work
on my Linux machine than I'm willing to give. I've got VMware Server
installed and running quite nicely and it seems like IPCop supports
it.

The reason I'm looking for a tutorial is that I'm concerned that if my
fileserver is receiving the network traffic from the router (horribly
cheap thing that seems to do the job of taking the signal from the
telephone line and converting it into something that my IPCop box can
understand) first, does that not make the fileserver insecure, in that
it's connected directly to the internet rather than receiving network
traffic only via the IPCop box (with all its rules and such)?

I have no idea about iptables. I've just never understood it. Despite
most tutorials starting with the "it's really basic" sort of line, it
doesn't really help. I will probably attempt it again at some point
but for the time being, I don't really want to get into it. (Same
issue with DNS for me). Most people I know would just like to start
with a "block everything". And then add a few rules like "Allow
outgoing http requests" and "allow responses to requests made from
this side of the network". Yet to date I've never seen a GUI tool that
allows people to do this (again, same gripe with DNS).
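
The policy the message above describes (block everything, allow outgoing HTTP, allow replies to requests made from inside), written out as an iptables ruleset for a two-interface gateway. This is an added example, not part of the original post; the interface names `eth0`/`eth1` and the DNS rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. LAN_IF and WAN_IF are assumed
# interface names for the inside and internet-facing sides of the gateway.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Print the policy in iptables-restore format; nothing is applied here.
build_ruleset() {
    cat <<EOF
*filter
# "Block everything": each chain drops whatever no rule below accepts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic on the gateway itself.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# "Allow responses to requests made from this side of the network".
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "Allow outgoing http requests": new connections only from LAN to WAN.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Assumption: clients resolve names across the gateway, so DNS goes out too.
-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Syntax-check the ruleset first, then load it (needs root).
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --print) build_ruleset ;;
esac
```

As written the gateway accepts no new connections to itself, so management access from the LAN and any services it hosts (DHCP, NTP) need their own rules before `--apply` is used.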