need some general LAN advice

eerok (Posts: 4, Loc: Canada) -- Post 3+ Months Ago

Even though I've used linux and bsd off and on for several years, I'm the perpetual newbie in some ways, and one of these ways is networking.

What I want is a strictly local server to provide php and mysql for a dual-boot box. I run both XP pro and netbsd on my main box. I want to be able to work on the mysql db's from either os. I have a spare box sitting around that I plan to install openbsd on to use as the server. I also have a laptop that I sometimes might want to serve as well. Everything will be behind a NAT router. Net conn is cable.

I don't really need a LAN for this; I can just block all but the local IP range from the server -- is this correct? Or would it be better (safer) to hardwire this setup into a LAN? I want the db to be absolutely unreachable from the net. Is this goal even reasonable?

Enough questions for now, thanks for considering my problem. :)


Daemonguy (Moderator, Posts: 2700, Loc: Somewhere outside the box in Sarasota, FL.) -- Post 3+ Months Ago

These questions are a bit hard to understand, so I would like to break them down in an effort to try to discern your query.

eerok wrote:

What I want is a strictly local server to provide php and mysql for a dual-boot box. I run both XP pro and netbsd on my main box. I want to be able to work on the mysql db's from either os. I have a spare box sitting around that I plan to install openbsd on to use as the server. I also have a laptop that I sometimes might want to serve as well. Everything will be behind a NAT router. Net conn is cable.

Uh, ok. Let's see if I have this right. You have a box you use as a client, which dual-boots. You have a server which you intend to run OpenBSD on. As an aside, you also have a laptop which may or may not be connected at any given time. Right so far?

Now comes the tricky part. You want the mysql db and a php engine on the dual-boot, and NOT the server? Or do you want all of that on the server, and you want to be able to attach to it from the client and perform tasks? (The latter makes a heck of a lot more sense than the former.)

If it's the former, then you will have to use something like VMWare. You can run Windows inside a VM (Virtual Machine) running within NetBSD, or vice versa. If I had my druthers, I would run the XP inside the VM -- this way core communications are still handled by NetBSD, and as such may be secured a bit better. Everything going in and out for the XP session is passed via the NetBSD eth. Throw IPFW or better yet PF on there, and you have it locked down.

However, that having been said, I would probably load all your applications on the server. Stability is a key factor here, as well as the pooled memory utilization some of those apps will require. I am sure you know that php itself is just an engine and, while it is most often used in a web application environment, it's not required to be such. I am guessing you intend to use php as your portal for mysql -- though you did not mention loading apache and running phpmyadmin. Of course, as I said, a web environment is not required and you can still use command line syntax via php to handle your sql transactions.

Again, running the php engine and the server model of mysqld, I suggest placing that all on the server.

I am not sure why you chose OpenBSD as the back end app server either. I realize that OpenBSD has a great track record for security, but let's face it -- it's the back end. If they got that far, 'they' have already done some damage. :) I would either stick with NetBSD -- since you already have that in use, and it makes sense NOT to manage too many different flavors -- or go with something more robust, like FreeBSD. (The 5.x branch handles tons more routing i/o than any of the other branches, and an order of magnitude more than linux -- if you plan on networking, that will be important.)

eerok wrote:

I don't really need a LAN for this; I can just block all but the local IP range from the server -- is this correct? Or would it be better (safer) to hardwire this setup into a LAN? I want the db to be absolutely unreachable from the net. Is this goal even reasonable?

Enough questions for now, thanks for considering my problem. :)

Now I am lost again. You said everything is behind a router -- is this a real router, or one of those cable/dsl linksys routers? I mean, if it's a cisco series... no worries (provided you know IOS). :) If it's one of those linksys ones, I would still not worry too much. However, whatever box you have out in front is the weakest link. If that is the cable/dsl router, you had better be staying current on firmware upgrades and watching the forums. If you have a pc that sits out there, or maybe one right behind the router, I would also keep a close eye on that. I suggest running snort on it; this way you can look for deleterious traffic patterns.

Understand that if you are using the cable/dsl 'router' and it is providing you dhcp addresses for your internal machines, you already have a 'LAN', per se. You have non-routable IPs (most likely in the 192.168 subnet) and no machine behind the NAT can be reached directly.

NOTE: I said DIRECTLY. Remember the part about the weakest link: it's like a cascading chain; if one link gets broken, they work on the next, and so on. The only way to assure your DB is not ever going to be accessible from the Internet is to unplug it. This is why large corporations do what is called 'risk-mitigation': lowest risk potential, and still get the job done.

If you are that concerned, you should buy a PIX firewall, throw it out front, get a cat router (cisco) and make vlans; use ACLs to permit only the authenticated traffic. At that point, it's all about authentication.

However, this does not seem like some large-scale business app, so I would guess under your present situation, with the information I have already provided you... you should be ok for the time being. :)

Does any of that help or make sense?

Cheers.
eerok (Posts: 4, Loc: Canada) -- Post 3+ Months Ago

Thx very much for your reply; sorry if I was a bit confusing; yes, you did help some :)

The router is a d-link that I've tweaked to pass the tests at grc.com (100% stealthed); all access to the net goes through it. I think I'm safe from the casual script kiddy, but I don't want to rely on it as my sole defence.

The server will run apache. Right now I'm running apache/php/mysql on the XP drive of my dual-boot box. The point is to have one centralized db accessible to all the machines/OSes that I run so that I don't have to mess around with syncing it. I don't trust bsd writing to ntfs, and of course mswin won't write to a unix filesystem without adding an emulation layer of some kind. I think the separate server is also safer, since I can make a very strict firewall for it which can simply ignore any non-local traffic. (Once I get the server running, I'll remove all the apache stuff from XP.)

Now I'm thinking I could set up the server for https. You think that would be worth it? I know nothing is perfect, but it's unlikely I'll be attacked unless someone sees an obvious weakness to exploit in the first place.

Good point about the openbsd. Come to think of it, I already have freebsd 4.6 on the box I want to use as a server, lol. However, I was impressed by openbsd's claim that they are the safest server out of the box, which is what I want.

Thx again, it helps to throw ideas around :)
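The "very strict firewall that ignores any non-local traffic" eerok describes above, and the PF lockdown Daemonguy suggested earlier in the thread, as an added example that is not from either poster: a PF ruleset for the OpenBSD/FreeBSD server. It assumes the LAN is 192.168.1.0/24 on interface fxp0 and that apache and mysqld listen on their default ports; change both to match your box.

```pf
# /etc/pf.conf for the LAN-only apache/mysql server (added example)
# Assumptions: NIC is fxp0 and the NAT'd LAN is 192.168.1.0/24.
ext_if  = "fxp0"
lan_net = "192.168.1.0/24"
tcp_services = "{ 80, 443, 3306 }"   # apache http/https and mysqld

set skip on lo0                 # never filter loopback
set block-policy drop           # silently drop, send no RST/ICMP back

# Default deny in both directions; log refused inbound packets so
# anything that is not LAN traffic shows up in pflog.
block in log all
block out all

# The server may originate traffic only toward LAN hosts.
pass out quick on $ext_if from ($ext_if) to $lan_net keep state

# apache and mysqld are reachable only from the LAN, and only by a
# fresh SYN (flags S/SA), so nothing outside 192.168.1.0/24 gets a reply.
pass in quick on $ext_if proto tcp from $lan_net to ($ext_if) \
    port $tcp_services flags S/SA keep state

# ssh for administration, again LAN only.
pass in quick on $ext_if proto tcp from $lan_net to ($ext_if) \
    port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; as defence in depth, also set `bind-address` in my.cnf to the server's LAN address so mysqld never listens on anything but that interface.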

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.