Date:      1 Feb 1999 22:35:02 +1100
From:      "John Saunders" <john.saunders@nlc.net.au>
To:        phil grainger <thi226@iname.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: help wanted!
Message-ID:  <19990201113502.2584.qmail@nhj.nlc.net.au>
In-Reply-To: <199902011044.UAA22354@m1.gdr.net.au>

In nlc.lists.freebsd-isp you wrote:
> 	I'm in the process of setting up an ISP in a small Australian town. I am
> of course using FreeBSD as the basis for building a reliable and profitable
> service. Anyhow I'll cut to the chase... what I'm after is some tools for
> managing users and servers etc.
> 	At the moment the service looks like it will be based around 2 FreeBSD
> boxes, one for handling dial-in and one for handling the internet
> connection. If anyone can offer me advice, I am willing to listen, and if
> you have some cool software, I am willing to buy, or if you have software
> under development I am willing to help/test. For simplicity's sake all this
> software has got to run on FreeBSD 3.0.
> 	At the moment I'm still in a quandary as to how I maintain users' accounts
> on both boxes. Is Kerberos the way to go, or is there a better way?

Are you going to provide shell accounts or only allow ppp/slip access?
I run an ISP that offers shell accounts; very few people use it, but
because it is offered I have to remain very proactive about security.
The Pentium F00F bug was a real heart stopper.

I would split the system up into 2 parts: the dialin server handling the
modems, running pppd with my radius patches :-) and squid using IPFILTER
for transparent http caching, and dns secondary (users' ppp sessions are
directed to use this dns server first). Users cannot log into this
machine; it only has your account in /etc/passwd.

The other machine would contain the user accounts, a radius server for
authenticating them, home directories, mail, dns primary, web server,
pop3 server, popassd. Users can log into this server for shell access,
or point their shell to /usr/bin/passwd so they can telnet in only to
change their password.

It's also a good idea to create a bunch of CNAMEs (aliases) in the DNS
so it looks like you have 1 service per host, then direct each alias
to the host the service is on. This lets you move things around without
disturbing users. e.g.
	ns1.domain.com.au		primary name server
	ns2.domain.com.au		secondary name server
	mail.domain.com.au		SMTP server
	pop.domain.com.au		POP3 server
	imap.domain.com.au		IMAPD server (like POP3)
	radius.domain.com.au	RADIUS authentication server
	proxy.domain.com.au		Squid proxy server
	www.domain.com.au		WWW server (apache)
	ftp.domain.com.au		Anonymous FTP server
	home.domain.com.au		Users home directories, tell users to telnet
							and FTP here for access to their home
							directory. Also use home.domain.com.au/~username
							for their web space.

P.S. RADIUS patches are at http://www.nlc.net.au/~john/software/ and are
very much a work in progress. Particularly annoying is that the
accounting side is in other programs and needs some ip-up/ip-down
fiddling.

Cheers.
--            +------------------------------------------------------------+
        .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
    ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
   /  Oz  \   |                - 02-9489-4932 or 041-822-3814      (Phone) |
   \_,--\_/   | NHJ NORTHLINK COMMUNICATIONS - Supplying a professional,   |
         v    | and above all friendly, internet connection service.       |
              +------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
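The one-alias-per-service DNS layout above is easy to break when services are moved between the two boxes, so here is an added example (not code from the original mail or its author) that checks a zone against the intended placement: the zone text, the host names "dialin" and "server", and the service-to-host mapping are constructed assumptions.

```python
# Added example, not code from the original mail: check that a zone keeps the
# "one CNAME per service" layout described above. The zone text, host names and
# service placement are constructed assumptions, not the author's configuration.
import re
ZONE = """\
dialin.domain.com.au.  IN A     192.0.2.10
server.domain.com.au.  IN A     192.0.2.20
ns1.domain.com.au.     IN CNAME server.domain.com.au.
ns2.domain.com.au.     IN CNAME dialin.domain.com.au.
mail.domain.com.au.    IN CNAME server.domain.com.au.
pop.domain.com.au.     IN CNAME server.domain.com.au.
radius.domain.com.au.  IN CNAME server.domain.com.au.
proxy.domain.com.au.   IN CNAME dialin.domain.com.au.
www.domain.com.au.     IN CNAME server.domain.com.au.
home.domain.com.au.    IN CNAME server.domain.com.au.
ftp.domain.com.au.     IN CNAME home.domain.com.au.
"""
# Assumed placement from the two-box split: accounts on "server", modems/squid on "dialin".
EXPECTED_HOST = {"ns1": "server", "ns2": "dialin", "mail": "server", "pop": "server",
                 "radius": "server", "proxy": "dialin", "www": "server",
                 "home": "server", "ftp": "server"}

def parse_zone(text):
    """Return ({name: ip}, {alias: target}) from the A and CNAME lines."""
    a, cname = {}, {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+IN\s+(A|CNAME)\s+(\S+)", line.strip())
        if m:
            name, rtype, target = m.groups()
            (a if rtype == "A" else cname)[name.rstrip(".")] = target.rstrip(".")
    return a, cname

def resolve(name, a, cname):
    """Follow the CNAME chain to the owner of an A record; None if dangling or looping."""
    seen = set()
    while name in cname and name not in seen:
        seen.add(name)
        name = cname[name]
    return name if name in a else None

def check_layout(text, expected, domain="domain.com.au"):
    """Report aliases that are missing, dangling, looping, or on the wrong box."""
    a, cname = parse_zone(text)
    problems = []
    for svc, host in expected.items():
        alias = f"{svc}.{domain}"
        target = resolve(alias, a, cname) if alias in cname else None
        if target != f"{host}.{domain}":
            problems.append(f"{alias}: resolves to {target}, expected {host}.{domain}")
    return problems
```

A later record for the same name overrides an earlier one in this parser, so appending a changed CNAME to the constructed zone is enough to simulate moving a service.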
