From owner-freebsd-isp Mon Feb 1 03:35:19 1999
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA04071 for freebsd-isp-outgoing; Mon, 1 Feb 1999 03:35:19 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from nhj.nlc.net.au (nhj.nlc.net.au [203.24.133.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA04054 for ; Mon, 1 Feb 1999 03:35:07 -0800 (PST) (envelope-from john.saunders@nlc.net.au)
Received: (qmail 2586 invoked by uid 1000); 1 Feb 1999 22:35:02 +1100
Date: 1 Feb 1999 22:35:02 +1100
Message-ID: <19990201113502.2584.qmail@nhj.nlc.net.au>
From: "John Saunders"
To: phil grainger
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: help wanted!
X-Newsgroups: nlc.lists.freebsd-isp
In-Reply-To: <199902011044.UAA22354@m1.gdr.net.au>
User-Agent: tin/pre-1.4-980818 ("Laura") (UNIX) (Linux/2.0.36 (i686))
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In nlc.lists.freebsd-isp you wrote:

> I'm in the process of setting up an ISP in a small Australian town. I am
> of course using freebsd as the basis for building a reliable and profitable
> service. Anyhow I'll cut to the chase... what I'm after is some tools for
> managing users and servers etc.
>
> At the moment the service looks like it will be based around 2 freebsd
> boxes, one for handling dial-in and one for handling the internet
> connection. If anyone can offer me advice, I am willing to listen, and if
> you have some cool software, I am willing to buy, or if you have software
> under development I am willing to help/test. For simplicity's sake all this
> software has got to run on freebsd 3.0.
>
> At the moment I'm still in a quandary as to how I maintain user accounts
> on both boxes. Is kerberos the way to go, or is there a better way?

Are you going to provide shell accounts or only allow ppp/slip access?

I run an ISP that offers shell accounts. Very few people use it, but because it is offered I have to remain very pro-active about security.
The Pentium F00F bug was a real heart stopper.

I would split the system up into 2 parts:

  - The dial-in server handling the modems, running pppd with my radius
    patches :-) and squid using IPFILTER for transparent http caching, and
    a dns secondary (users' ppp sessions directed to use this dns server
    first). Users cannot log into this machine; it only has your account
    in /etc/passwd.

  - The other machine would contain the user accounts, a radius server for
    authenticating them, home directories, mail, dns primary, web server,
    pop3 server, popassd. Users can log into this server for shell access,
    or point their shell to /usr/bin/passwd so they can telnet in only to
    change their password.

It's also a good idea to create a bunch of CNAMEs (aliases) in the DNS so
it looks like you have 1 service per host, then direct the service to the
host it is on. This lets you move things around without disturbing users.
e.g.

  ns1.domain.com.au      primary name server
  ns2.domain.com.au      secondary name server
  mail.domain.com.au     SMTP server
  pop.domain.com.au      POP3 server
  imap.domain.com.au     IMAPD server (like POP3)
  radius.domain.com.au   RADIUS authentication server
  proxy.domain.com.au    Squid proxy server
  www.domain.com.au      WWW server (apache)
  ftp.domain.com.au      Anonymous FTP server
  home.domain.com.au     Users' home directories; tell users to telnet and
                         FTP here for access to their home directory. Also
                         use home.domain.com.au/~username for their web
                         space.

P.S. RADIUS patches are at http://www.nlc.net.au/~john/software/ and are
very much a work in progress. Particularly annoying is that the accounting
side is in other programs and needs some ip-up/ip-down fiddling.

Cheers.
--
+------------------------------------------------------------+      .
| John Saunders    - mailto:john@nlc.net.au      (EMail)     |  ,--_|\
|                  - http://www.nlc.net.au/      (WWW)       | /  Oz  \
|                  - 02-9489-4932 or 041-822-3814 (Phone)    | \_,--\_/
| NHJ NORTHLINK COMMUNICATIONS - Supplying a professional,   |      v
| and above all friendly, internet connection service.       |
+------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
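The one-service-per-hostname CNAME scheme described in the reply above, worked through as an added example (this code is not from the original message or from the poster): a small parser for a BIND-style zone fragment that maps each service alias to a physical host, plus the consistency checks an operator wants before relying on the aliases to move services around. The zone text, the host names dialin and accounts, and the 192.0.2.x addresses are all constructed for the example.

```python
"""Check the 'one service name per host' CNAME scheme in a zone file.

The zone below is constructed for this example: two physical hosts
(dialin, accounts) carry A records, and every user-facing service name
is a CNAME pointing at one of them. Repointing a CNAME moves the service
without users having to change anything.
"""
import re

# Constructed zone fragment; host names and addresses are hypothetical.
ZONE = """
$ORIGIN domain.com.au.
$TTL 3600
dialin      IN A     192.0.2.1    ; modems, pppd, squid, dns secondary
accounts    IN A     192.0.2.2    ; accounts, radius, mail, dns primary
ns1         IN CNAME accounts
ns2         IN CNAME dialin
mail        IN CNAME accounts
pop         IN CNAME accounts
proxy       IN CNAME dialin
www         IN CNAME accounts
home        IN CNAME accounts
"""

# owner [ttl] IN (A|CNAME) target -- only the two record types used here
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|CNAME)\s+(\S+)$")


def parse_zone(text):
    """Return (a_records, cnames) as dicts keyed by owner name."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()     # drop comments
        if not line or line.startswith("$"):  # skip $ORIGIN / $TTL
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError("unsupported record: " + line)
        owner, rtype, target = m.groups()
        (a_records if rtype == "A" else cnames)[owner] = target
    return a_records, cnames


def check_aliases(a_records, cnames):
    """Return a list of problems: an alias that also has an A record,
    a CNAME pointing at another CNAME (a chain), or a dangling target."""
    problems = []
    for alias, target in cnames.items():
        if alias in a_records:
            problems.append(f"{alias}: CNAME coexists with an A record")
        if target in cnames:
            problems.append(f"{alias}: points at another CNAME ({target})")
        elif target not in a_records:
            problems.append(f"{alias}: dangling target {target}")
    return problems


def services_on(host, cnames):
    """List the service aliases currently directed at a physical host."""
    return sorted(alias for alias, target in cnames.items() if target == host)


def move_service(alias, new_host, a_records, cnames):
    """Repoint one alias at another host: the 'move things around' step.
    Refuses a target that has no A record so the alias never dangles."""
    if new_host not in a_records:
        raise KeyError(f"no A record for {new_host}")
    cnames[alias] = new_host


if __name__ == "__main__":
    a, c = parse_zone(ZONE)
    print("problems:", check_aliases(a, c) or "none")
    print("on dialin:", services_on("dialin", c))
    move_service("proxy", "accounts", a, c)
    print("after move, on accounts:", services_on("accounts", c))
```

Running the script against the constructed zone reports no problems, shows ns2 and proxy on dialin, and after the move lists proxy among the services on accounts; feeding it a zone where an alias points at a host that has no A record produces a dangling-target report instead.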