Re: Which Linux OS best for beginner to setup as Web / Mail server / Internet sharer and firewall?

From: Franklin M. Siler (fsiler_at_NOSPAMuiuc.edu)
Date: 08/08/04


Date: Sat, 07 Aug 2004 23:10:58 -0500

Dave Arbok wrote:

> "Franklin M. Siler" <fsiler@NOSPAMuiuc.edu> wrote in message news:<cf3dbf$sjf$1@news.ks.uiuc.edu>...
>
>>Dave Arbok wrote:
[snip]
>>I don't want to start a flame war, but in my experience OpenBSD is best
>>for a PPP gateway/NAT type application. It's easy to set up, rock
>>solid, and the documentation is excellent. Port forward to internal
>>boxes if you must run linux for applications. Do keep in mind that
>>you're going to want a static IP for your DSL connection.
>
>
> I'm not sure exactly what you mean by "internal boxes," does that mean
> virtual machines running linux, or actual physical machines running
> linux inside the firewall? Either way, I think Occam's razor and all
> would say that learning two OS's, linux and openbsd would have to be
> more complicated than learning one. I think there are more tutorials
> and applications for Linux, and I know I don't want to learn both, so
> I think OpenBSD would make things more complicated.
>
I meant physical machines, either inside your network or in a DMZ.
Obviously you can't run OBSD and Linux on the same physical machine
without some voodoo.

>>>We are only considering no cost versions of Linux for this purpose,
>>>and we were planning on running either Fedora or White box enterprise
>>>Linux.
>>
>>How did you come to this decision? To me, those are versions of Linux
>>for windows users...they don't feel as powerful as, say, Debian.
>
> I am a Windows user. I'm not looking for power, as much as looking to
> get the job done easily and stably. We leaned towards those because
> people say they are easy to learn, have good support for security
> patches and there are likely to be RPM packages for the firewall and
> the other 3 apps I mentioned, web server, internet sharing, pop3
> server. I would be open to considering Mandrake or other distros, as
> I said in my title, I was asking which distro I should consider.
>
Have you ever used any other OSes? Pardon the expression, but you're
going to have to undergo a brain *** regardless of which distribution
you choose to run. I'd say you're better off learning how to do stuff
the way experienced users do it...you'll have more questions but you'll
also pick up a lot more, and believe it or not those sorts of diagnostic
skills are helpful for windows applications too.
    It's also one of those "least services" issues...why on earth do you
want X and a whole bunch of other stuff installed on your firewall or
web server? It's not good operating practice.

[snip]
>>I'd say if you're going to bother with Linux, learn how to use it. Take
>>advantage of the power rather than pointing and clicking your way
>>through stuff. Personally I like Debian, particularly for a small
>>server of the variety that you would use to host web/mail over a DSL
>>line. You can use KNOPPIX to install it if you don't want to deal with
>>the Debian installer, although the Sarge installer is supposed to be
>>pretty nice.
>
> I really would rather point and click through stuff, I think. This
> will basically all be done after hours in my free time, and I'd rather
> go out and play than put a lot of effort into it. If you believe that
> Debian will be easier than Fedora or Whitebox, then I'd love to be
> persuaded. Otherwise, it is not a good solution for me. I've heard
> Debian is harder. I asked for "easiest for an absolute beginner to
> set up these 4 services." Oh, actually add Antivirus scanning of
> email attachments for windows viruses as a fifth service. (I hear
> ClamAV is good).
>
I sympathize with your desire to have things work in a manner similar to
what you're used to, but I have not seen satisfactory GUI tools for a
lot of what you're talking about. For example, to me editing an Apache
config file is much faster than messing with webmin or another app that
runs in a GUI. Similarly, firewalls are almost always set up via
command line, whether it's on a headless OpenBSD machine or a Cisco router.
     As far as the "absolute easiest" way to do things...this attitude
causes all kinds of problems. For example, the "easiest way" to do
stuff on windows is to log in as an Administrator, not patch, use IE,
use outlook, and two hours later your machine is a zombie. It sounds
like you want to 1) secure your network and 2) not do any work, and
those two things are mutually exclusive. If you don't want to do it
right, for the benefit of the rest of us pay someone to do it right.
     On a side note, I don't want to preach a lot about business
practices, but why on earth would you do this on your own time unless
you own the place? If your employer is getting value out of your work,
you should be getting paid for it. If you think you're getting
education out of the experience, I'm inclined to agree but if this is
the case you should do stuff "the hacker way" and I still think you
should be getting paid for it.
>
>> I suppose you did say you had no IT employees...but even in a
>>business of 20, someone had better be familiar with basic sysadmin tasks
>>so you don't wind up paying somebody to do it at $160/hr. I know I run
>>into this problem at my Dad's office...it's not that hard to learn. I'd
>>like to know how you survived 20 ME machines with no technical staff.
>
>
> Well, only 10-12 are actually used for general purpose stuff by end
> users I guess, the others are to run specific machines.
> Basically, you run around once in a while and make sure the security
> updates and antivirus updates have been getting through. If someone
> says they don't know how to do something, you tell them to ask another
> user who knows the program better. When we changed email servers it
> was a pain, I had to go to everyone's machine and get their old mail
> painfully off of the webmail and into a local email program, and many
> users had a hard time adjusting to the switch.
>
Well, I don't think this will cause a huge amount of work...all you need
to do is stick your new firewall at the same IP as the old one. You can
use transparent proxies if you want and no one will even notice, except
that it'll be faster.

> Anyway, I still want to know if any no cost Distro will be easier than
> Fedora or White box enterprise linux for my 5 tasks: web server,
> internet sharing, mail server, antivirus scanning of the mail, and
> firewall.

Again, they're all going to be /some/ work, and I still vote that it's
worth your while to use Debian, Slackware, or other distros which are
commonly used for the purposes you have outlined.
>
> Also, I've heard some people say they like to use a tiny standalone
> machine as the firewall, using smoothwall or similar, and run their
> web and mail server on a more powerful machine inside the firewall. I
> see how that might be more secure, because the machine that is
> connected physically to the outside world, has no valuable data on it
> if compromised, but is it worth the trouble? Isn't Linux very secure
> anyway, so there is very little risk using only one machine for my 5
> tasks? If it is worth the trouble, it won't add much expense to the
> project, so I'd gladly consider it. Just convince me.

Yes, that is standard practice and the strategy I would recommend, but I
would use OpenBSD instead of Linux on it. As I've probably already
mentioned, the OpenBSD documentation is excellent and it took me under a
day to fully configure a box with PPP, NAT, and a good firewall ruleset.
  Of course, now that I know how, I can set one up in about an hour, so
once you do it you can easily put one in at home or consult to do it for
money.

-- 
Franklin M. Siler    UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets,  Basketball Band Staff,  ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/
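
The "least services" point raised in the reply above can be checked mechanically. This is an added example, not part of the original post: a shell function that reads `ss -Htln`-style output and lists network-reachable listeners whose port is outside an allowlist. The allowlist (25, 80, 110, 443) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: "least services" audit for a gateway or server.
# Input: `ss -Htln`-style lines (State Recv-Q Send-Q Local Peer) on stdin.
# Output: "port address" for each exposed listener not in the allowlist.

# Assumed allowlist for the services named in the thread:
# 25 smtp, 80 http, 110 pop3, 443 https.
ALLOWED_PORTS="${ALLOWED_PORTS:-25 80 110 443}"

unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            local_addr = $4
            # Port is whatever follows the last colon (covers [::]:80 and *:80).
            port = local_addr; sub(/.*:/, "", port)
            host = local_addr; sub(/:[^:]*$/, "", host)
            # Loopback-only listeners are not reachable from the network.
            if (host ~ /^127\./ || host == "[::1]") next
            key = port " " host
            if (!(port in ok) && !seen[key]++) print key
        }
    ' | sort -n
}

# Constructed sample input (not captured from a real host): web, SMTP and
# POP3 as intended, plus an X11 listener, a loopback-only service and rpcbind.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
EOF
}

# On a live Linux host: ss -Htln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

Any line it prints is a service to disable or to bind to loopback before the machine faces the Internet.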