[Scottish] Need advice on setting up a Mandrake/Debian home network

David Marsh's list-reading hat scottish at mailman.lug.org.uk
Mon Mar 10 16:06:08 2003

[Traditional interleaved quoting: please read to end for all comments]

Hi Colin,

On Mon, 10 Mar 2003 14:20:04 +0000
Colin McKinnon <colin@wew.co.uk> wrote:

> There are two ways to allow internet access from 'salt':
>     - either by using pepper as a (masquerading) router
>     - running proxy services on pepper (mail, web, news, DNS, ...)

Yep, with you up to here :-)

> Even if you go down the first route, that doesn't exclude use of the 
> second method to improve performance via caching. OTOH you only need
> to learn one configuration method for the first way of doing things!

That should make it easier, but it seems to be here that I'm falling

> Here's a quick list of the applications I've used for proxy services:
>     Sendmail for outgoing Email (most MTAs should work in this respect)
>     imapd for serving mail from the internet connected box

I'm not worrying about mail relaying at present.

>     squid for web

I'm using wwwoffle, as I found squid difficult to understand when I
tried it before..

>     DNSCache (I used to use Bind but it's heavy, difficult to look
>     after and had a lot of vulnerabilities found)

Do I need to run a DNS server of some kind on my local network, or am I
ok just giving my ISP's server? (Obviously, "in theory", that's one more
thing I would have to remember to change if I changed ISP..)

Is DNSCache easy to set up?

>     Leafnode for news

Already use that on pepper, but not fussed about making mail available
to salt.

> I'd tell you more about the first method if I could talk sensibly about it;
> I don't know enough about the implementation to say what you should do

Ah.. That's where I'm stuck, too.. :-(

> that won't undermine any security settings already in place. 

umm, security through obscurity (as not always-on) and not running
servers I don't need, but that's it so far, really.. :-(

> Like Ben 
> said; try to lock down your access controls. Think about a host based 
> IDS (does debian's package mgr provide this?) for the internet
> connected box too.

What's IDS?

> Thought about how you're going to control the connection from salt? 
> Diald is cool but not always appropriate. If you search for diald on 
> freshmeat, it turns up most of the remote control packages.

I was assuming that salt would be happy knowing that it could 'always'
find the internet through pepper?

I won't be running anything that "expects" an internet connection when I
don't already happen to be online anyway.

The main thing that will need access to the net will be the Mandrake
Update service, and I'll just run that manually when pepper happens to
be online (unless I can get it to work through wwwoffle?).

> >On the Mandrake box (salt) what values should I put in for "DNS
> >server" and "Gateway" in the wizard?
> >
> If you're using a proxy, pepper, otherwise you'll need to setup the 
> masquerading and tell it to use the same server as pepper. 

Right, sounds like everything comes back to finding out how masquerading
works.. :-(

I've got webmin installed, if that helps, but I really don't know how
masquerading works.

> >How should I let salt know about the other machine (pepper)?
> >Do I have to edit /etc/hosts by hand, or is there a better way to do
> >it?
> >
> it's easiest just to edit /etc/hosts by hand - but set it up the same
> on both machines.

OK, done that, and they can both see each other: it's just that salt
can't see anything beyond pepper (ie, the internet..). This is just so

> Think about having a common home directory if you're going to be
> logging on to both machines (so you can access all your files /
> config).

What would be the best way of doing that? NFS?

What I'm really planning on doing is using salt as a backup for pepper
and simply backing up all of my critical files there periodically.

So I don't think that a shared /home would help me in this situation.

Thanks for your advice, looks like I've got to get masquerading sorted
somehow. I just want A to talk to B and then see C through Z, that's
all! ;-)


David Marsh, Glasgow, Scotland, N Europe. | http://web.viewport.co.uk/
<email valid @time of writing>, but reply to list preferred, thanks.