At 10:45 25/11/98 -0500, you wrote:
>Hi all,
>
>I work for a small (10 person) company. We have a T1 connection and are
Hire me, PLEEEEEEEASE! I work for a *big* (1000+ employees) company. We
have a *64kbps* connection. I am the bandwidth-hungry employee here. ;-)
>currently using our internet providers firewall, which we haven't been
>too happy with.
Why? Performance? Vulnerability? Bad firewall rule configuration?
>We want to set up our own firewall, and we're considering
>putting Squid, fwtk, and bind all on a single server.
Nope. For performance and security, I suggest using separate machines for
those tasks. BIND: take any old PC, say, a Pentium 100, make it run a
recent Linux or FreeBSD (install the same OS in the other machines)
distribution, install and configure BIND, and you are done. Squid: grab a
*fast* machine, say a Pentium II-300, with *gobs* of memory (128+ M) and a
fast and big disk. This machine *must run only Squid*, as it is memory and
disk-hungry. fwtk: use a fast machine, too; doesn't need a big disk, but it
must be fast, for processing of incoming and outgoing packets and security
rules. This machine *must* run only the needed daemons to work (use a
minimalist configuration), as explained by fwtk's documents.
>We want squid for
>the http proxy & caching, fwtk for the firewall features, and bind to
>resolve about 10 internal names and forward everything else on to our
>ISP's name server.
Configure fwtk to allow ICP and BIND traffic, your internal BIND to forward
resolution of external names to your ISP's provider. Point Squid to your
ISP's cache server.
>
>Does it make sense to combine all this on a single server? What kind of
>hardware would we need to handle this sort of setup for a group of 10-20
>users?
Nope, as I said. Even if your network is small, hardware is cheap nowadays
and you will have great performance.
>Thanks,
HTH,
Marlon
*--------------------------------------------------------------------------*
| Marlon Borba - Technical Support - Tribunal Regional Federal da 3a. Regiao |
| Mobile: (011) 9945-2841 Work: (011) 230-4683 and 230-4684 |
| marlon@sti.com.br * marlon.borba@rocketmail.com * marlon.borba@usa.net |
*--------------------------------------------------------------------------*
| Help build a free, open, standards-based Internet |
| Join the Internet Society |
| For a free, open, standards-based Internet, join Internet Society |
| Information: http://www.isoc.org |
*--------------------------------------------------------------------------*
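The split that Marlon recommends (an internal BIND that answers for the handful of office names and forwards everything else to the ISP's resolver, plus a Squid that treats the ISP's cache as an ICP parent) is easy to get subtly wrong, so here is an added worked example that is not part of the original thread. It is a POSIX shell script that generates the three files and, when the real tools are installed, syntax-checks them. The LAN range, the ISP resolver address, the ISP cache hostname, the zone name `office.example` and the host records are all constructed placeholders. The firewall host still has to pass UDP/TCP 53 from the BIND box to the ISP resolver and TCP 3128 plus UDP 3130 from the Squid box to the ISP cache; those fwtk rules are site-specific and are not shown here.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Generates configs for: internal BIND (authoritative for the office zone,
# forward-only to the ISP resolver) and Squid (ISP cache as ICP parent).
# Every address, hostname and zone name below is a constructed placeholder.

INTERNAL_NET="192.168.1.0/24"     # assumed office LAN
ISP_RESOLVER="203.0.113.53"       # placeholder: ISP's name server
ISP_CACHE="cache.isp.example"     # placeholder: ISP's parent cache
INTERNAL_ZONE="office.example"    # placeholder: internal domain

# named.conf: recurse only for the LAN, never answer zone transfers to
# outsiders, and hand every non-local name to the ISP's resolver.
gen_named_conf() {
    cat <<EOF
options {
    directory "/var/named";
    recursion yes;
    allow-query { $INTERNAL_NET; 127.0.0.1; };
    allow-transfer { none; };
    forward only;
    forwarders { $ISP_RESOLVER; };
};
zone "$INTERNAL_ZONE" {
    type master;
    file "$INTERNAL_ZONE.zone";
};
EOF
}

# Zone file for the ~10 internal names (three shown, all constructed).
gen_zone_file() {
    cat <<EOF
\$TTL 86400
@   IN SOA ns1.$INTERNAL_ZONE. hostmaster.$INTERNAL_ZONE. (
        2024010101 3600 900 604800 86400 )
    IN NS  ns1.$INTERNAL_ZONE.
ns1   IN A 192.168.1.2
proxy IN A 192.168.1.3
fw    IN A 192.168.1.1
EOF
}

# squid.conf: serve the LAN only, fetch through the ISP cache as a parent
# (HTTP 3128, ICP 3130) and refuse ICP queries from anyone else.
gen_squid_conf() {
    cat <<EOF
http_port 3128
icp_port 3130
cache_mem 64 MB
cache_dir ufs /var/spool/squid 4000 16 256
cache_peer $ISP_CACHE parent 3128 3130 default
never_direct allow all
acl localnet src $INTERNAL_NET
http_access allow localnet
http_access deny all
icp_access deny all
EOF
}

# Write the files into a directory and syntax-check them if the tools exist.
install_configs() {
    dir="$1"
    mkdir -p "$dir"
    gen_named_conf > "$dir/named.conf"
    gen_zone_file  > "$dir/$INTERNAL_ZONE.zone"
    gen_squid_conf > "$dir/squid.conf"
    command -v named-checkconf >/dev/null && named-checkconf "$dir/named.conf"
    command -v named-checkzone >/dev/null && \
        named-checkzone "$INTERNAL_ZONE" "$dir/$INTERNAL_ZONE.zone"
    command -v squid >/dev/null && squid -k parse -f "$dir/squid.conf"
}

# Usage: sh gen-configs.sh /tmp/staging
if [ -n "${1:-}" ]; then
    install_configs "$1"
fi
```

Run it with a staging directory as the only argument, review the three files, and copy them onto the BIND and Squid hosts respectively. `forward only` matters: with plain `forward first` the internal server would still try root servers itself when the ISP resolver is slow, which is exactly the traffic the firewall rules above are meant not to need.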
Received on Wed Nov 25 1998 - 16:28:25 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:22 MST