Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
What do you guys think?
Jason
On 12.12.2013 05:00, Jason T. Slack-Moehrle wrote:
Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
What do you guys think?
Jason
I'd ditch the pfSense box.
I used to run everything in a similar manner, behind an IPCop system.
The UVerse gateway doesn't handle multiple IPs on the same interface, when plugged directly into the gateway, so I wound up ditching the IPCop system and using my server as both the server and a firewall/router as you're asking about.
You should be able to do so with no trouble.
Mike Burger wrote:
I used to run everything in a similar manner, behind an IPCop system.
The UVerse gateway doesn't handle multiple IPs on the same interface, when plugged directly into the gateway, so I wound up ditching the IPCop system and using my server as both the server and a firewall/router as you're asking about.
You should be able to do so with no trouble.
I'm a tad more paranoid - I don't necessarily trust the phone company's management of the router in my house.
mark, still trying to get USB printing working on the router I bought....*
* Asus. AsusWRT. DD-WRT. Don't ask.
Mike Burger wrote:
I used to run everything in a similar manner, behind an IPCop system.
The UVerse gateway doesn't handle multiple IPs on the same interface, when plugged directly into the gateway, so I wound up ditching the IPCop system and using my server as both the server and a firewall/router as you're asking about.
You should be able to do so with no trouble.
I'm a tad more paranoid - I don't necessarily trust the phone company's management of the router in my house.
mark, still trying to get USB printing working on the router I bought....*
Nor do I...that's why I manage it myself.
Alas, with UVerse, I have to use their gateway, or the TV service doesn't work.
That's why my CentOS box is my server as well as my firewall.
Mike Burger wrote:
Mike Burger wrote:
I used to run everything in a similar manner, behind an IPCop system.
The UVerse gateway doesn't handle multiple IPs on the same interface, when plugged directly into the gateway, so I wound up ditching the IPCop system and using my server as both the server and a firewall/router as you're asking about.
You should be able to do so with no trouble.
I'm a tad more paranoid - I don't necessarily trust the phone company's management of the router in my house.
mark, still trying to get USB printing working on the router I bought....*
Nor do I...that's why I manage it myself.
Alas, with UVerse, I have to use their gateway, or the TV service doesn't work.
That's why my CentOS box is my server as well as my firewall.
You misunderstand me: I have the router plugged into the phone co. router, going into my router's uplink port.
mark
On 12/12/2013 9:56 AM, m.roth@5-cent.us wrote:
You misunderstand me: I have the router plugged into the phone co. router, going into my router's uplink port.
so you have two layers of network address translation? or is one or the other of those 'routers' set to bridge?
John R Pierce wrote:
On 12/12/2013 9:56 AM, m.roth@5-cent.us wrote:
You misunderstand me: I have the router plugged into the phone co. router, going into my router's uplink port.
so you have two layers of network address translation? or is one or the other of those 'routers' set to bridge?
Not exactly: I just have my router in a different 192.168 address space than the phone company one. As I said, I plugged the "uplink" port on my router directly into one of the regular ports on their router, after setting the IP address of my router, and it just works.
mark
On 12/12/2013 10:24 AM, m.roth@5-cent.us wrote:
so you have two layers of network address translation? or is one or the other of those 'routers' set to bridge?
Not exactly: I just have my router in a different 192.168 address space than the phone company one. As I said, I plugged the "uplink" port on my router directly into one of the regular ports on their router, after setting the IP address of my router, and it just works.
that's 2 layers of NAT, then. I usually try and avoid that as it complicates troubleshooting immensely.
On Wed, Dec 11, 2013 at 09:00:25PM -0800, Jason T. Slack-Moehrle wrote:
Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
What do you guys think?
You certainly CAN do it that way.
Being paranoid, I'm in favor of having one "box" that does firewall/routing duties without any other apps running, to reduce the exposed "attack surface".
I used to run a Smoothwall GPL box as firewall, but like you, I wanted to do a little something about the power usage. My "solution" was a dedicated consumer router, which used probably (not measured) a tenth of the juice of the old PC that ran Smoothwall. I used dd-wrt on it instead of the original firmware.
Fred Smith wrote:
On Wed, Dec 11, 2013 at 09:00:25PM -0800, Jason T. Slack-Moehrle wrote:
Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
Were you planning on ssh'ing in from outside? Remember, security through obscurity isn't security. nmap, for example, would find it.
What do you guys think?
You certainly CAN do it that way.
Being paranoid, I'm in favor of having one "box" that does firewall/routing duties without any other apps running, to reduce the exposed "attack surface".
Yup. For about 10 years, I ran an old PC at home with redhat 7.x, then 9. (pre-fedora/RHEL). I had *nothing* on it - no compilers, no languages not required, no web stuff, no *nuthin'*. Then I ran Bastille Linux on it (that's not a distro, it's a set of hardening scripts - everything not explicitly required is verboten). To the best of my knowledge, I never had an intrusion. Of course, I wasn't offering an open website....
I used to run a Smoothwall GPL box as firewall, but like you, I wanted to do a little something about the power usage. My "solution" was a dedicated consumer router, which used probably (not measured) a tenth of the juice of the old PC that ran Smoothwall. I used dd-wrt on it instead of the original firmware.
Doing that now - uses a *lot* less power. Now, if I could just find a firmware that meets my needs....
mark
On Wed, Dec 11, 2013 at 11:00 PM, Jason T. Slack-Moehrle < slackmoehrle@gmail.com> wrote:
So my electricity bill is through the roof and I need to pare down some equipment.
If you are in the USA, get yourself a Kill-a-Watt power meter. I'm sure other parts of the world have similar products. It's a device that goes between your electrical product (e.g. server) and the wall AC outlet, and tells you what the power draw is. It also keeps a cumulative total for number of Watts and Volt-Amps used in the time period it's plugged in. (If you have a 100% efficient PFC in your power supply, Watts will always equal Volt-Amps. I believe this is mandated in Europe. But a PFC below 1.0 will cause Volt-Amps to be higher than Watts. In the USA you are typically billed by Watts, but if you have a UPS, the Volt-Amp number matters.)
The question is, are you sure it's all your computers causing the spike in your power bill? For example, if you have an old refrigerator, those are typically very inefficient and use more power than necessary. The Kill-a-Watt will tell you which devices are most power greedy.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
What kind of hardware is your pfSense box? I too have a pfSense server, but it's on a fairly low-power Atom board. Pulls less than 20 watts at any given time. The average cost of electricity in the USA is about $0.11/kwh. Using that number, a constant X watt draw conveniently works out to costing $X/year. So my pfSense box costs less than $20/year in electricity.
Obviously, if your electricity is much more expensive, it changes the equation.
Just food for thought.
Matt Garman wrote:
On Wed, Dec 11, 2013 at 11:00 PM, Jason T. Slack-Moehrle < slackmoehrle@gmail.com> wrote:
So my electricity bill is through the roof and I need to pare down some equipment.
If you are in the USA, get yourself a Kill-a-Watt power meter. I'm sure other parts of the world have similar products. It's a device that goes between your electrical product (e.g. server) and the wall AC outlet, and tells you what the power draw is. It also keeps a cumulative total for number of Watts and Volt-Amps used in the time period it's plugged in. (If you have a 100% efficient PFC in your power supply, Watts will always equal Volt-Amps. I believe this is mandated in Europe. But a PFC below 1.0 will cause Volt-Amps to be higher than Watts. In the USA you are typically billed by Watts, but if you have a UPS, the Volt-Amp number matters.)
The question is, are you sure it's all your computers causing the spike in your power bill? For example, if you have an old refrigerator, those are
<snip> That's a *really* good question. Did you get a plasma TV (baaad! they're *always* on, and draw a lot of power). For that matter, if you have electric heat or HVAC, have it checked. About 9 years ago, living in FL, we had a deeply insane electric bill... and got someone from the electric co to check, and then got maintenance on the HVAC... which had the board go bad, and was running *both* heat and cool full out at the same time.
On 12/11/2013 22:00, Jason T. Slack-Moehrle wrote:
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
What do you guys think?
Have you considered moving all the public web services to a VPS, so you can use the simple firewall in your cable modem/router? You'll get much better bandwidth, and all the hardware problems are someone else's. If the machine gets broken into, it isn't a stepping stone into your private LAN.
I suspect the Zimbra instance isn't public, which is good, because with its minimum RAM requirement of 2 GB, it probably isn't worth hosting publicly on your own.
(Insert "when I was a boy" rant about 48 kB being enough here.)
If you really do have to do public facing web services from your private LAN for whatever reason, though:
I'd keep the separate firewall, but put it on more efficient hardware. You should be able to do this in about 5 W. At 11 cents per kWh, that's about $5 per year if it runs continually. I suspect it could actually be done in more like 2 W.
(For comparison's sake, a Mac Mini idles at about 10 W, and a Raspberry Pi *peaks* at 3.5 W.)
If you had to build the firewall yourself for whatever reason, there are small BSD/Linux-ready embeddable PCs you could use for this. They tend to be targeted at industrial applications and have low sales volumes, so expect to pay $200+ for them.
If you're willing to go bare-bones, a Raspberry Pi, Arduino Galileo, or BeagleBone Black plus a USB-to-Ethernet adapter would do the job for under $100.
If you can give up a bit of control, you can buy DD-WRT based routers off the shelf from the likes of Buffalo and Asus these days. The Buffalo unit I looked at claims to need 13 W peak, but at idle with the wireless turned off so it's a wired-only router, I'd be surprised if it didn't drop below 5 W.
On Thu, Dec 12, 2013 at 11:22 AM, Warren Young warren@etr-usa.com wrote:
I'd keep the separate firewall, but put it on more efficient hardware. You should be able to do this in about 5 W. At 11 cents per kWh, that's about $5 per year if it runs continually. I suspect it could actually be done in more like 2 W.
+1
(For comparison's sake, a Mac Mini idles at about 10 W, and a Raspberry Pi *peaks* at 3.5 W.)
If you had to build the firewall yourself for whatever reason, there are small BSD/Linux-ready embeddable PCs you could use for this. They tend to be targeted at industrial applications and have low sales volumes, so expect to pay $200+ for them.
PC Engines ALIX [0] - AMD Geode x86 CPUs
Soekris boards [1] - AMD Geode x86 CPUs and now some Intel Atom CPUs
But yeah, they're in the approximate $180 to $200+ price range. And use around 5 watts (ALIXes).
There's also other embedded gear. I don't have power measurements on any of these, but I'd expect they're 5 to 10 watts max.
Mikrotik Routerboards [2] - mipsbe architecture; ex RB750GL [4]
Ubiquiti EdgeRouters [3] - mips64 architecture
[0] http://pcengines.ch/alix.htm
[1] https://soekris.com/
[2] http://routerboard.com/
[3] http://www.ubnt.com/edgemax#EdgeMAXhardware
[4] http://routerboard.com/RB750GL
If you're willing to go bare-bones, a Raspberry Pi, Arduino Galileo, or BeagleBone Black plus a USB-to-Ethernet adapter would do the job for under $100.
Raspberry Pis don't have but one NIC _if_ you get that model. Not to mention that they don't have a built-in switch like the consumer gear, so you'd want a switch as well.
Ehhhh ... what's the performance like on those USB Ethernet dongles? It certainly depends on what chipset, revision, etc. but some of the units are not so great. Maybe it's just me, but it's a bit ghetto as well.
If you can give up a bit of control, you can buy DD-WRT based routers off the shelf from the likes of Buffalo and Asus these days. The Buffalo unit I looked at claims to need 13 W peak, but at idle with the wireless turned off so it's a wired-only router, I'd be surprised if it didn't drop below 5 W.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On Wed, Dec 11, 2013 at 11:00 PM, Jason T. Slack-Moehrle slackmoehrle@gmail.com wrote:
Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
What do you guys think?
Why not consolidate to a single physical box but continue to run whatever you want as virtual machines under KVM?
On Wed, 11 Dec 2013, Jason T. Slack-Moehrle wrote:
Hi All,
So my electricity bill is through the roof and I need to pare down some equipment.
I have a CentOS 6.5 server (a few TB, 32 GB RAM) running some simple web stuff and Zimbra. I have 5 static IPs from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.
Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.
I have the firewall enabled on the server and only allow the few ports I need.
I don't run ssh on 22.
An additional consideration on Comcast's network is IPv6. Comcast will assign your routing device a /64 netblock in many, perhaps most, markets.
If, after being connected directly to your Comcast connection and having its network service restarted, your CentOS box still has an fe80::/64 address, you have no worries (yet). If you're on a 2601::/64 (or other 2xxx::/64) network, then you're accessible via IPv6.
So make sure that in addition to iptables, you brush up on ip6tables as well.
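The IPv6 check above (link-local only vs. a global 2xxx:: address) together with an ip6tables posture that mirrors "only the few ports I need", as an added shell example that is not part of the thread: the `ip -6 addr` text is constructed (documentation prefix 2001:db8::/32 stands in for a Comcast block), the port list is hypothetical, and the ruleset is printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread. (1) decide from `ip -6 addr` output
# whether a host holds a global IPv6 address; (2) print an ip6tables ruleset.

# Constructed sample output in the shape of `ip -6 addr show` (not real hosts).
SAMPLE_LINK_LOCAL='1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet6 fe80::21c:42ff:fe00:1/64 scope link'

SAMPLE_GLOBAL='1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet6 2001:db8:1:2:21c:42ff:fe00:1/64 scope global dynamic
    inet6 fe80::21c:42ff:fe00:1/64 scope link'

# Return 0 when $1 (text from `ip -6 addr`) contains a global-unicast
# address, i.e. anything in 2000::/3 (first group 2000-3fff, which covers
# the 2601:: style prefixes Comcast hands out); return 1 if only fe80::/10
# link-local or loopback addresses are present.
has_global_ipv6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            split($2, a, "/"); addr = tolower(a[1])
            if (addr ~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print (do not apply) an ip6tables ruleset for a host that exposes only the
# TCP ports listed in $1, e.g. "80 443 2222". Review it, then run it on the
# host; the DROP policies come last so an existing session is not cut off.
ip6tables_rules() {
    cat <<'EOF'
ip6tables -F INPUT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional on IPv6: neighbour discovery, router advertisements
# and path-MTU discovery all depend on it.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
    for port in $1; do
        echo "ip6tables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -P FORWARD DROP"
}

if has_global_ipv6 "$SAMPLE_GLOBAL"; then
    echo "global IPv6 address present: apply the ip6tables policy"
    ip6tables_rules "80 443 2222"
fi
```

On a live host, feed `ip -6 addr show` into `has_global_ipv6` instead of the constructed sample; a host that only shows fe80:: addresses is not reachable over IPv6 yet, but the ruleset is cheap to keep in place for when the prefix does arrive.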