Specifications for Linux Firewall Servers
  What You Need to Build a Solid Web Server


The following is a breakdown of the hardware and software requirements for setting up a server to act as a firewall and Internet gateway for a WordStock Ethernet LAN. It is meant to offer guidelines, not strict rules, for setting up this connectivity.

> It is important to remember that each site will require a different setup, and its needs should be addressed on an as-needed basis.

The two most important pieces of technology required for this connectivity are a high-speed connection to the Internet, and a PC running the Linux operating system.


Key Terms:

Symmetric connection: a connection in which both the up and downlink speeds are equal. Examples of this type of connection include ISDN, SDSL, T1, and T3.

Asymmetric connection: a connection in which the up and downlink speeds vary greatly. Examples of this type of connection include ADSL, and cable-modems.

Internet addressable service: a WWW, E-mail, or other server which is accessible from the Internet.

DNS - domain name service - that part of the Internet which maps I.P. addresses to human-readable names, for example, the address 209.143.208.180 maps to the name www.wordstock.com.

Domain name - the umbrella name under which all hosts in a domain reside. Examples of domain names include wordstock.com, titleview.com, etc. A domain name should not be confused with a fully qualified host name--see FQDN.

FQDN [Fully Qualified Domain Name] An FQDN is the complete domain name for a host on the Internet. The FQDN consists of the host name, an optional sub-domain name and domain name. Each part is separated by a dot or period, e.g., www.wordstock.com.

I.P. - the 'Internet Protocol' address assigned to your computer; a 'static IP' has a permanent, fixed address, while a 'dynamic IP' has an address that is assigned by the ISP on a per-session basis.

ISP - Internet Service Provider.


First case: basic firewall setup - no Internet-addressable services.

Asymmetric connection - though a symmetric connection is always preferred, it is not required in this case, and using asymmetric connectivity will lower the cost of operating the connection. However, if Internet-addressable services are to be added later, this connection would most likely have to be scrapped in favor of a symmetric connection, thereby requiring new setup fees and possibly switching to another ISP.

No static I.P. - again, a static I.P. is always preferred; however, in this case it is not required. Again, though, should Internet-addressable services be added in the future, a static I.P. would have to be added to the Internet connection, which would require a reconfiguration of the firewall server as well as increased monthly fees. Further, it is important to note that few, if any, ADSL or cable-modem providers offer static I.P. addresses as an option, since those connections, though routable through a firewall, are designed for home users, who rarely, if ever, require a static I.P. address, because the home user rarely runs an Internet-addressable server.

Under this setup, it will be vital to thoroughly read the license agreement signed with the ISP.

> Some ISPs prohibit using an asymmetric single-user connection as a pipeline for routing a LAN through a firewall. In order to avoid legal problems, and to allow for future growth, it is recommended that asymmetric/no-static-I.P. connections be avoided. However, they are worthy of mention for the cost-conscious customer, and so are included in this document.


Second case: firewall setup with Internet addressable services such as a WWW server or E-mail server

Symmetric connection - this type of connection is required because, when running Internet-addressable services as well as routing LAN traffic through a firewall, there is an almost equal amount of traffic flowing in both directions. Using an asymmetric connection would result in a bottleneck on the uplink, slowing down services such as WWW and E-mail.

Static I.P. - in order to access an Internet-addressable service, that service must reside on a permanently assigned I.P. which is visible from the entire Internet.

DNS - in order to access the Internet-addressable services using names rather than I.P. addresses, DNS must be set up with the ISP. Further, the domain name specific to the site must be registered with the Internet authorities. Both will incur additional fees.

FQDN(s) - at least one FQDN will have to be set up to properly configure the firewall server, possibly more, depending on the needs of the site; for example, www.<domain name> for the WWW server, or secure.<domain name> for the secure WWW server that handles online retail. Any FQDNs set up fall under the umbrella of DNS and should not incur any additional fees beyond those already paid to set up DNS with the ISP.


General rules which apply to all cases

Whichever connection is deemed appropriate, care should be taken to ensure that it is available 24/7, and that no usage charges will be incurred other than a flat-rate bill.

Metered service is unlikely in any of the aforementioned technologies except the more common flavors of ISDN; metered service very quickly begins to accumulate a large bill, and must be avoided. Imagine a connection, up 24x7 for one month. Even if only billed $1.00/hour, that still amounts to over $700/month, much more than the cost of all but the most expensive of the connections, such as T1 or T3.

Obviously, the more bandwidth available to all services performed by the connection, the better the service. There are few ways to determine the optimum amount of bandwidth; here are a few examples with an estimated amount of bandwidth needed, based on the kinds of traffic:

1. Firewall server, routing WWW traffic to 1-5 users on a LAN: 133 kb/s (ISDN)

2. Firewall server, routing WWW traffic to 5-10 users on a LAN: 240 kb/s (SDSL, ADSL, Cable-modem).

> These figures assume a desirable 10 kB/s to each user at a 30% duty cycle (connection load).

3. Firewall server, routing WWW traffic to 1-10 users, Internet-addressable E-mail and WWW service: 480 kb/s (SDSL, ADSL, Cable-modem).

> The above figure was calculated using the same per-user rules as above, with the addition of 240 kb/s for inbound WWW traffic and inbound and outbound E-mail traffic.
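The sizing rule above (10 kB/s per user at a 30% duty cycle, plus a fixed 240 kb/s allowance when the server also hosts Internet-addressable WWW and E-mail) can be turned into a small capacity-planning calculator. The following is an added example, not a WordStock tool; the link capacities it selects from are the figures listed later on this page, the metered-cost check reproduces the $1.00/hour calculation from the "General rules" section, and the function names are this example's own.

```python
"""Bandwidth estimator for a LAN firewall/gateway link (added example).

Encodes the sizing rule stated on the page: 10 kB/s per user at a 30% duty
cycle, plus 240 kb/s when the server also hosts Internet-addressable WWW and
E-mail, then picks the smallest connection type whose maximum bandwidth
covers the estimate. Capacities are the page's own figures.
"""

PER_USER_KBYTES = 10      # desirable throughput per user, kB/s (page figure)
DUTY_PERCENT = 30         # share of time a user is actually pulling data (page figure)
SERVICES_KBITS = 240      # allowance for inbound WWW + E-mail, kb/s (page figure)
HOURS_PER_MONTH = 24 * 30 # a connection that is up 24x7 for one month

# Symmetric connection types from the page, with their maximum bandwidth in
# kb/s and whether the page warns that metered billing is possible.
# ADSL/cable are omitted: the page gives no figure and calls them unsuitable
# for a commercial connection.
CONNECTIONS = [
    # name,  max kb/s, metered billing possible
    ("ISDN", 128,      True),
    ("SDSL", 1540,     False),
    ("T1",   1540,     False),
    ("T3",   54000,    False),
]


def estimate_kbits(users, hosts_services=False):
    """Required bandwidth in kb/s for `users` LAN users.

    kB/s -> kb/s is a factor of 8; the duty cycle scales the per-user
    figure down to its average contribution to the link.
    """
    per_user_kbits = PER_USER_KBYTES * 8 * DUTY_PERCENT / 100   # 24 kb/s
    total = users * per_user_kbits
    if hosts_services:
        total += SERVICES_KBITS
    return total


def choose_connection(required_kbits):
    """Return the name of the smallest listed connection that covers the
    requirement, or None if nothing on the page is large enough."""
    for name, max_kbits, _metered in sorted(CONNECTIONS, key=lambda c: c[1]):
        if max_kbits >= required_kbits:
            return name
    return None


def metered_billing_possible(name):
    """True if the page warns this connection type may come metered."""
    return any(n == name and metered for n, _cap, metered in CONNECTIONS)


def monthly_metered_cost(rate_per_hour):
    """Monthly bill for an always-on link billed per hour."""
    return rate_per_hour * HOURS_PER_MONTH


def size_link(users, hosts_services=False):
    """Full recommendation: (required kb/s, connection name, warning or None)."""
    need = estimate_kbits(users, hosts_services)
    conn = choose_connection(need)
    warning = None
    if conn is None:
        warning = "requirement exceeds every connection type listed"
    elif metered_billing_possible(conn):
        warning = "insist on unmetered service; metered billing must be avoided"
    return need, conn, warning


if __name__ == "__main__":
    for users, services in [(5, False), (10, False), (10, True)]:
        need, conn, warning = size_link(users, services)
        print(f"{users} users, services={services}: {need:.0f} kb/s -> {conn}"
              + (f" ({warning})" if warning else ""))
    print(f"Metered at $1.00/hour, 24x7 for a month: ${monthly_metered_cost(1.00):.2f}")
```

The per-user figure resolves to 24 kb/s, so 10 users need 240 kb/s and 10 users plus hosted services need 480 kb/s, matching the page's second and third examples; the 5-user case comes out at 120 kb/s, within ISDN's 128 kb/s but with the metered-billing caveat attached.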

It is important to note that one can never have enough bandwidth for sending and receiving large E-mail messages.

Further, the load on the WWW server will also directly impact the amount of bandwidth which should be allocated to the connection.

> Given a large store with a busy WWW site, hosting Ecommerce, nothing less than full T1 service is recommended.


The most common Internet connections:

1. ISDN - (un)metered service, max 128Kb/s bandwidth; static I.P. possible.

2. SDSL - unmetered service, max 1.54Mb/s bandwidth; static I.P. possible.

3. T1 - unmetered service, max 1.54Mb/s bandwidth; static I.P. possible.

4. T3 - unmetered service, 54 Mb/s bandwidth; static I.P. possible.

5. ADSL (sometimes called residential (A)DSL), Cable modem - unmetered service, asymmetric bandwidth unsuitable for a commercial Internet connection; static I.P. rarely possible.


Recommended Server Specifications:

When you shop for a computer to act as a server, whether you plan to purchase it from WordStock or another source, bear in mind that you're looking for a robust machine, not an off-the-shelf configuration aimed at home users. Therefore, you should expect to pay more than you would for a 'home' computer.

| Item | Low | Middle | High |
|---|---|---|---|
| CPU | Celeron 450 | Athlon 800 | SMP |
| RAM | 128MB | 256MB | 1GB |
| SCSI Hard Disk | AHA2940U2W, 9GB U2W, 10,000 RPM | AHA29160U, 18-36GB U160, 10,000 RPM | U160-based RAID, at least 100GB |
| CD-ROM | SCSI TrueX | SCSI TrueX | SCSI TrueX |
| Tape Backup | HP T20 TR5 | 12-35GB DDS | Library |
| Video Card | ATI AGP 8MB | ATI AGP 8MB | ATI AGP 8MB |
| Keyboard | 104-Key Linux | 104-Key Linux | 104-Key Linux |
| Mouse | 3 button w/wheel | 3 button w/wheel | 3 button w/wheel |
| Case | Midsize Tower | Fullsize Tower | Fullsize Tower w/backplane |
| UPS | SmartUPS 6xxx | SmartUPS 14xx | SmartUPS 5xxx |
| Operating System | RedHat Linux 6.1 with secure WWW server | RedHat Linux 6.1 with secure WWW server | RedHat Linux 6.1 with secure WWW server |

Choosing which of the above servers to spec for a site will depend on the total demand that the server will be expected to handle.

If you want to use the server merely for E-mail, growing later into using it to host your WWW page and share Windows files, then the Low-end will be sufficient for quite some time.

If you want to begin using the server immediately for E-mail, WWW hosting, and sharing Windows files, then choosing between the low-end and mid-class servers becomes one of degree:

How many Windows workstations are there?

What is the E-mail and WWW load likely to be like?

How much bandwidth will the site have, and what will be the nature of the Windows file sharing? That is, will it be an application using the server as a locally mapped drive, reading and writing constantly, or will it be for occasional sharing of small to medium-sized files between Windows users?

> The high-end server should be considered in very high usage situations for routing a large store to the Internet where there are one or more multi-homed T1s or T3s routing the LAN to the 'Net.

> For basic firewall service with no Internet addressable services, the low-end is sufficient.


WordStock
37 Broadway
Arlington, MA 02474

Sales: 800-753-9673


Copyright © WordStock, Inc.
WordStock® is a registered trademark of WordStock, Inc. Other trademarks are property of their respective owners.