This is a discussion on Slack 11 'dnsmasq: failed to create listening socket: Address already in use' within the Slackware Linux Support forums, part of the Unix Operating Systems category.

I don't want to keep on this, especially after you've already said
you're making progress, but I want to be sure you understand why I
consider what you've written confusing.  Feel free to ignore this ...

Rich Grise wrote:

> Now, I want to make the "NEW box" act like it's a server, in other
> words, route 10.0.0.183 to 10.1.0.x;

I asked:

>> A "server of what, exactly?"

and Rich replied:

> Samba.

leaving me completely puzzled: what's the connection between "act like a
Samba server" and "in other words, route 10.0.0.183 to 10.1.0.x;"?

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

Rich Grise wrote:

> ... this could take some planning, I fear.

Welcome to system administration ...  :-)

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

On Sat, 04 Nov 2006 05:45:39 +0000, Sylvain Robitaille wrote:

> I don't want to keep on this, especially after you've already said
> you're making progress, but I want to be sure you understand why I
> consider what you've written confusing.  Feel free to ignore this ...
>
> Rich Grise wrote:
>
>> Now, I want to make the "NEW box" act like it's a server, in other
>> words, route 10.0.0.183 to 10.1.0.x;
>
> I asked:
>
>>> A "server of what, exactly?"
>
> and Rich replied:
>
>> Samba.
>
> leaving me completely puzzled: what's the connection between "act like a
> Samba server" and "in other words, route 10.0.0.183 to 10.1.0.x;"?

I've got this box, that's connected to the ADSL by eth0 and has a hub
on eth1 that the other comp's plug into:

           dyn. IP  _____________
    ADSL ---------------| "Server"    |
                        |    IP masq.-|-----[hub]---other boxes
                        |     10.0.0.1|
                        | Samba       |
                        |_____________|

The "new box" is currently plugged in as a member of the LAN, alongside
the "other boxes"; I'm setting it up so that when I'm ready, I can
just take box "Server" out and plug "New Box" in in its place.

At that point, I intend to hang "Server", which will be "Old Server",
out on the LAN with the "other boxes", and use it for backing up, but
that's a different thread that I haven't started yet. ;-)

Cheers!
Rich

Rich Grise wrote:

> I've got this box, that's connected to the ADSL by eth0 and has a hub
> on eth1 that the other comp's plug into:
...
> The "new box" is currently plugged in as a member of the LAN, alongside
> the "other boxes"; I'm setting it up so that when I'm ready, I can
> just take box "Server" out and plug "New Box" in in its place.

Perhaps a silly question, but why would you put the Samba server on the
same system that acts as your IP-masquerading Internet gateway?

The basis of my question is an assumption that you're using Samba as a
file-server, and that it might contain files that are sensitive to your
company.  In your shoes, I would want that *behind* the Internet
gateway, with access control ensuring that the service is accessible
only from other local machines.  Maybe I'm just more paranoid than you?

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

Sylvain Robitaille wrote:

> Perhaps a silly question, but why would you put the Samba server on the
> same system that acts as your IP-masquerading Internet gateway?
>
> The basis of my question is an assumption that you're using Samba as a
> file-server, and that it might contain files that are sensitive to your
> company.  In your shoes, I would want that *behind* the Internet
> gateway, with access control ensuring that the service is accessible
> only from other local machines.  Maybe I'm just more paranoid than you?

Why not?

Set up the firewall to deny access by way of the "inet" interface and
allow it from the "lan" interface. If they can get past the firewall
on the "inet" interface, they have access to the lan anyway, right? This
is what I do and it's worked for quite a while. Bad Idea?

--
Old Man

"I could be wrong again
I remember once in August 1993 I was wrong,
and I could be wrong again" - Paul Simon

On 2006-11-07, Old Man <bill@witch.lan> wrote:

> on the "inet" interface, they have access to the lan anyway, right? This
> is what I do and it's worked for quite a while. Bad Idea?

Depends on how you have your LAN set up.  If you have samba,
databases, etc, on the gateway and someone hacks that box from the WAN
side, they may have access to all that stuff.  OTOH, you could have
all those servers, db's, etc, on another box within the LAN that is
not allowed to even see the gateway box.  Another layer of security.

nb

On Tue, 07 Nov 2006 15:06:26 -0600, notbob wrote:

> On 2006-11-07, Old Man <bill@witch.lan> wrote:
>
>> on the "inet" interface, they have access to the lan anyway, right? This
>> is what I do and it's worked for quite a while. Bad Idea?
>
> Depends on how you have your LAN set up.  If you have samba,
> databases, etc, on the gateway and someone hacks that box from the WAN
> side, they may have access to all that stuff.  OTOH, you could have
> all those servers, db's, etc, on another box within the LAN that is
> not allowed to even see the gateway box.  Another layer of security.

In answer to the original question, not enough boxes, and it would
probably confuse the lusers.

And smb.conf has a line "allow hosts xx.xx..." or something like that;
that will protect samba, but if somebody hacks the system, I guess I'm
screwed.

I'm more or less depending on "security through obscurity" - there's
nothing there that anybody would _want_ to steal. :-)

Cheers!
Rich

Old Man wrote:

> Set up the firewall to deny access by way of the "inet" interface and
> allow it from the "lan" interface. If they can get past the firewall
> on the "inet" interface, they have access to the lan anyway, right?
> This is what I do and it's worked for quite a while. Bad Idea?

What happens if someone compromised the gateway machine? (which is more
likely to be targeted by remote attacks than any of the machines behind
it)

Of course it "works", and it will continue to do so, at least until
someone compromises your gateway machine.

I don't want to say whether it's a "bad idea" or not.  "bad" is
relative, and is up to the individual sys-admin to decide based on the
realities of his/her environment.  What Rich described, and what you
indicate you're doing is not something I would do, either on my home
network or at work.

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

Rich Grise wrote:

> In answer to the original question, not enough boxes,

until recently, I suppose, since the new machine has arrived.  :-)

Unsolicited advice from (I believe) a more experienced system
administrator: leave the current gateway system to continue acting as
the gateway, and set up the new system to take over as the Samba server.
Deny any traffic into the Samba server (or any other servers or
workstations, for that matter) from the gateway machine's LAN interface
via local access controls.

> and it would probably confuse the lusers.

Confuse them how?  They only need to know about "the server" and they
need to have someone configure their workstations to send non-local
network traffic through "the gateway".

> And smb.conf has a line "allow hosts xx.xx..." or something like that;
> that will protect samba, but if somebody hacks the system, I guess I'm
> screwed.

Very precisely screwed, in fact ...  If you're lucky, you'll be screwed
in an easily identifiable way.

> I'm more or less depending on "security through obscurity" - there's
> nothing there that anybody would _want_ to steal. :-)

That's a very naive view of computer security, and I strongly urge you
to reconsider it immediately if not sooner.  Find yourself some good
computer security books (I'm very fond of O'Reilly books myself,
Practical Unix & Internet Security by Garfinkel and Spafford is a
must-read), and read them thoroughly, and apply what you learn from
them.  Then read them again, and apply what you learn this time.  Repeat
as many times as required, but don't take any short-cuts.

If the contents of your Samba server / Internet gateway are compromised,
no matter how innocuous those contents may seem, who do you think
management will turn to and ask whether it could have been avoided?

If the Samba server gets used by "external third parties" for its vast
storage space, ripe for a few "spare" multimedia files, and your company
is approached about DMCA violations, who do you think management will
need to question?

Commodity computers to provide services from a Linux system are cheap,
and the Linux distributions and other interesting software are even
cheaper.  "Not enough boxes" just isn't a good answer, when hardware
that is suitable to serve as an Internet gateway (and perhaps even a
Samba server) is being disposed of in most organizations.  Scour the
back lanes near you in the evenings.  You'll get a new Internet gateway
machine (that you can leave dedicated to that task) in no time.

I hope that helps ...

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
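
The two controls discussed in the thread, the smb.conf "allow hosts" line and keeping Samba off the "inet" interface, can be checked against a gateway's configuration. The Python audit below is an added example, not code from any poster in the thread; eth0 (ADSL side) and eth1 (LAN side) follow Rich's description, while the two sample configurations and the 10.0.0. LAN prefix are constructed assumptions.

```python
# Added example: audit the [global] section of an smb.conf on a gateway host.
# eth0 = ADSL side and eth1 = LAN side follow the thread; the sample configs
# are constructed, and the 10.0.0. LAN prefix is an assumption.
WEAK = """
[global]
   ; the only restriction mentioned in the thread
   allow hosts = 10.0.0.
"""
HARDENED = """
[global]
   interfaces = lo eth1
   bind interfaces only = yes
   hosts allow = 127. 10.0.0.
"""
TRUE = ("yes", "true", "on", "1")

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(text, wan_if="eth0"):
    """List the ways this config leaves smbd reachable from the WAN side."""
    p = parse_global(text)
    findings = []
    ifaces = p.get("interfaces", "").split()  # interface names only
    if p.get("bindinterfacesonly", "no").lower() not in TRUE:
        findings.append("smbd binds every interface, including " + wan_if)
    elif not ifaces or wan_if in ifaces:
        findings.append("'interfaces' does not exclude " + wan_if)
    # "allow hosts" is a synonym for "hosts allow"
    if "hostsallow" not in p and "allowhosts" not in p:
        findings.append("no 'hosts allow' list restricts client addresses")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A clean result only shows that smbd is not offered on the WAN interface; it does nothing for the case raised in the thread where the gateway machine itself is compromised.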