Quick review

Adam Conrad adconrad at 0c3.net
Sun Apr 9 12:26:19 UTC 2006


Rocco Stanzione wrote:
> 
> Network Configuration: 
> http://doc.ubuntu.com/ubuntu/serverguide/C/network-configuration.html

One line review for this one: "man 5 interfaces"

Seriously.  /etc/network/interfaces (and ifdown/ifup) is how interface
configuration is done in Debian and Ubuntu, but this doc leads me to
believe that I have to do everything by hand with ifconfig and route
(and then, presumably, write my own scripts to make sure it happens on
boot?)

I'm not against telling people how ifconfig, route, and other tools
work, but not at the expense of forgetting to tell them about the higher
level tools that make this all much simpler.

> Firewall: 
> http://doc.ubuntu.com/ubuntu/serverguide/C/firewall-configuration.html

I have no issues with this one.  It's not long, nor detailed, but the
one thing most people want to do (set up a NAT MASQ) is explained, and
done in the simplest way possible (which is nice, I've seen some pretty
convoluted setups).  The only possible change I'd make to that one (to
make things even simpler) is to change this:

> sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
> sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
> sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

... to this:

> sudo iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> sudo iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Or, you can include both, since they work slightly differently.  But,
the latter form is actually what most people usually want.  They want to
masquerade "everything behind this interface, when passing through to
the internet", not necessarily specific subnets.  Either is easy enough
to explain and understand, though.

> Samba Configuration: 
> http://doc.ubuntu.com/ubuntu/serverguide/C/configuring-samba.html

> sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.original
> sudo chmod a-w /etc/samba/smb.conf.original

Advising people to back up files before they edit them is good practice.
Telling people to remove the write bit from files they're going to be
editing as root is pretty much pointless, since root can overwrite
anything anyway. :)

> Email Services: 
> http://doc.ubuntu.com/ubuntu/serverguide/C/email-services.html#http-installation

Again, this construct:

> sudo apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

People are really going to start thinking our package management system
sucks, if they have to specify every dependency on the command line. :)

For reference, postfix depends on libsasl2 and libsasl2-modules (so no
need to specify those), suggests sasl2-bin (but, despite the HOWTO's
insistence, I'm not sure it's actually required for SASL to work), is
linked against DB4.3, not DB3, so libdb3-util would be completely
useless, and again, suggests procmail (which is good, but the HOWTO
never actually tells users what procmail is or how to use it, so I'm not
sure why we tell them to install it, as if it's needed for postfix to work)

> mkdir /etc/postfix/ssl
> cd /etc/postfix/ssl/

Again, as noted in my Apache feedback, please recommend people use
/etc/ssl/{certs,private} for the public and private keys.

And I think I've now worn myself out for the day. :)

... Adam
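
The difference between the subnet-based and interface-based FORWARD rules discussed in the firewall section, as an added example that is not part of the original message or of the Server Guide. It models only the outbound ACCEPT decision, using the `192.168.0.0/16`, `eth0` and `ppp0` values from the message; the function names and the sample packets are constructed for illustration.

```shell
#!/bin/sh
# Added example: which outbound packets does each FORWARD rule form accept?
# Function names are hypothetical; sample packets below are constructed.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Subshell body keeps the IFS change and positional parameters local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/PREFIX -> exit status 0 if IP lies inside the network.
in_cidr() (
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# Subnet form:    -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
# Arguments: source address, inbound interface, outbound interface.
subnet_form_accepts() {
    in_cidr "$1" 192.168.0.0/16 && [ "$3" = ppp0 ]
}

# Interface form: -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iface_form_accepts() {
    [ "$2" = eth0 ] && [ "$3" = ppp0 ]
}

# verdict SRC IN_IF OUT_IF -> prints what each rule form decides.
verdict() {
    s=no
    i=no
    subnet_form_accepts "$@" && s=yes
    iface_form_accepts "$@" && i=yes
    echo "src=$1 in=$2 out=$3 subnet=$s iface=$i"
}

# Constructed packets:
verdict 192.168.0.10 eth0 ppp0   # LAN host in the subnet: both forms accept
verdict 10.1.2.3     eth0 ppp0   # other address range behind eth0: interface form only
verdict 192.168.5.9  eth1 ppp0   # subnet address arriving on another NIC: subnet form only
```

The second and third packets are the cases where the two forms diverge: the interface form follows whatever sits behind `eth0`, the subnet form follows the address range regardless of which interface it arrives on.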




