[TriLUG] NAS box
Magnus Hedemark
chrish at trilug.org
Mon May 3 08:08:19 EDT 2004
On Mon, 3 May 2004, Kevin Flanagan wrote:
> If all systems are Windows 2000 pro, or XP pro, the NT domain model can
> be a bit more secure, but with SAMBA, it's not a lot more so.
I know that earlier this morning I sang praise of Linux LVM, but it is
only fair at this point that I mention a strength of OpenBSD for this
particular application.
pf now has OS fingerprinting built into the rules. So assuming you have a
default of something like (in pseudocode) "block all inbound", you could
then add a rule like "pass in all inbound protocol tcp port 139 where
source OS is { Windows 2000, Windows XP }" and another that says something
like "pass in all inbound protocol udp port { 137, 138 } where source OS
is { Windows 2000, Windows XP }".
So this way all the Win9x clients never even see Samba. This also kills
*NIX clients running smbclient so beware.
Sure there are also controls in Samba as well but I like the belt &
suspenders approach, and try to block unwanted traffic as early as
possible.
> HP has some decent entry level servers, but they would cost $2-3K well
> equipped. Something like a SNAP server will be easy, but not redundant,
> and backups have to take place over the network to a device that you
> don't have now.
Honestly for a file server that is expected to grow, I would put almost
zero storage on the server (enough for the OS) and hook it up to a SAN.
But for only a few hundred gigs it's not worth it. If this thing were
going to scale any more than that, SAN starts to make more sense.