Hi All,

So my electricity bill is through the roof and I need to pare down some equipment.

I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web stuff and Zimbra. I have 5 static IP's from Comcast. I am considering giving this server a public IP and plugging it directly into my cable modem. This box can handle everything with room for me to do more.

Doing this would allow me to power down my pfSense box and additional servers by consolidating onto this single box.

I have the firewall on on the server and only allowing the few ports I need.

I don't run ssh on 22

What do you guys think?

Jason
On 12.12.2013 05:00, Jason T. Slack-Moehrle wrote:
> Hi All,
>
> So my electricity bill is through the roof and I need to pare down some
> equipment.
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I
> need.
>
> I don't run ssh on 22
>
> What do you guys think?
>
> Jason

I'd ditch the PFsense box.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
I used to run everything in a similar manner, behind an IPCop system.

The UVerse gateway doesn't handle multiple IPs on the same interface, when plugged directly into the gateway, so I wound up ditching the IPCop system and using my server as both the server and a firewall/router as you're asking about.

You should be able to do so with no trouble.

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1

> Hi All,
>
> So my electricity bill is through the roof and I need to pare down some
> equipment.
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I
> need.
>
> I don't run ssh on 22
>
> What do you guys think?
>
> Jason
On Wed, Dec 11, 2013 at 09:00:25PM -0800, Jason T. Slack-Moehrle wrote:
> Hi All,
>
> So my electricity bill is through the roof and I need to pare down some
> equipment.
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I need.
>
> I don't run ssh on 22
>
> What do you guys think?

You certainly CAN do it that way.

Being paranoid, I'm in favor of having one "box" that does firewall/routing duties without any other apps running, to reduce the exposed "attack surface".

I used to run a Smoothwall GPL box as firewall, but like you, I wanted to do a little something about the power usage. My "solution" was a dedicated consumer router, which used probably (not measured) a tenth of the juice of the old PC that ran Smoothwall. I used dd-wrt on it instead of the original firmware.

--
Fred Smith -- fredex at fcshome.stoneham.ma.us
The Lord detests the way of the wicked but he loves those who pursue righteousness.
Proverbs 15:9 (niv)
On Wed, Dec 11, 2013 at 11:00 PM, Jason T. Slack-Moehrle <slackmoehrle at gmail.com> wrote:
> So my electricity bill is through the roof and I need to pare down some
> equipment.

If you are in the USA, get yourself a Kill-a-Watt power meter. I'm sure other parts of the world have similar products. It's a device that goes between your electrical product (e.g. server) and the wall AC outlet, and tells you what the power draw is. It also keeps a cumulative total for number of Watts and Volt-Amps used in the time period it's plugged in. (If you have a 100% efficient PFC in your power supply, Watts will always equal Volt-Amps. I believe this is mandated in Europe. But a PFC below 1.0 will cause Volt-Amps to be higher than Watts. In the USA you are typically billed by Watts, but if you have a UPS, the Volt-Amp number matters.)

The question is, are you sure it's all your computers causing the spike in your power bill? For example, if you have an old refrigerator, those are typically very inefficient and use more power than necessary. The Kill-a-Watt will tell you which devices are most power greedy.

> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.

What kind of hardware is your pfSense box? I too have a pfSense server, but it's on a fairly low-power Atom board. Pulls less than 20 watts at any given time. The average cost of electricity in the USA is about $0.11/kwh. Using that number, a constant X watt draw conveniently works out to costing $X/year. So my pfSense box costs less than $20/year in electricity. Obviously, if your electricity is much more expensive, it changes the equation.

Just food for thought.
On 12/11/2013 22:00, Jason T. Slack-Moehrle wrote:
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I need.
>
> I don't run ssh on 22
>
> What do you guys think?

Have you considered moving all the public web services to a VPS, so you can use the simple firewall in your cable modem/router? You'll get much better bandwidth, and all the hardware problems are someone else's. If the machine gets broken into, it isn't a stepping stone into your private LAN.

I suspect the Zimbra instance isn't public, which is good, because with its minimum RAM requirement of 2 GB, it probably isn't worth hosting publicly on your own. (Insert "when I was a boy" rant about 48 kB being enough here.)

If you really do have to do public facing web services from your private LAN for whatever reason, though: I'd keep the separate firewall, but put it on more efficient hardware. You should be able to do this in about 5 W. At 11 cents per kWh, that's about $5 per year if it runs continually. I suspect it could actually be done in more like 2 W. (For comparison's sake, a Mac Mini idles at about 10 W, and a Raspberry Pi *peaks* at 3.5 W.)

If you had to build the firewall yourself for whatever reason, there are small BSD/Linux-ready embeddable PCs you could use for this. They tend to be targeted at industrial applications and have low sales volumes, so expect to pay $200+ for them. If you're willing to go bare-bones, a Raspberry Pi, Arduino Galileo, or BeagleBone Black plus a USB-to-Ethernet adapter would do the job for under $100.

If you can give up a bit of control, you can buy DD-WRT based routers off the shelf from the likes of Buffalo and Asus these days. The Buffalo unit I looked at claims to need 13 W peak, but at idle with the wireless turned off so it's a wired-only router, I'd be surprised if it didn't drop below 5 W.
On Wed, Dec 11, 2013 at 11:00 PM, Jason T. Slack-Moehrle <slackmoehrle at gmail.com> wrote:
> Hi All,
>
> So my electricity bill is through the roof and I need to pare down some
> equipment.
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IP's from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I need.
>
> I don't run ssh on 22
>
> What do you guys think?

Why not consolidate to a single physical box but continue to run whatever you want as virtual machines under KVM?

--
Les Mikesell
lesmikesell at gmail.com
On Wed, 11 Dec 2013, Jason T. Slack-Moehrle wrote:
> Hi All,
>
> So my electricity bill is through the roof and I need to pare down
> some equipment.
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple
> web stuff and Zimbra. I have 5 static IP's from Comcast. I am
> considering giving this server a public IP and plugging it directly
> into my cable modem. This box can handle everything with room for me
> to do more.
>
> Doing this would allow me to power down my pfSense box and
> additional servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports
> I need.
>
> I don't run ssh on 22

An additional consideration on Comcast's network is IPv6. Comcast will assign your routing device a /64 netblock in many, perhaps most, markets.

If, after being connected directly to your Comcast connection and having its network service restarted, your CentOS box still has an fe80::/64 address, you have no worries (yet). If you're on a 2601::/64 (or other 2xxx::/64) network, then you're accessible via IPv6.

So make sure that in addition to iptables, you brush up on ip6tables as well.

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
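
The IPv6 check described in the message above, as an added example that is not part of the original thread: it separates link-local (fe80::) addresses from globally routable (2xxx::) ones in `ip -6 -o addr show` output. The function names `classify_v6` and `exposed_v6_addrs` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list globally routable IPv6
# addresses so you know whether ip6tables rules are needed.

# Classify one IPv6 address (without /prefix) by its leading hextet.
classify_v6() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        ::1)          echo loopback ;;
        fe[89ab]?:*)  echo link-local ;;    # fe80::/10
        f[cd]??:*)    echo unique-local ;;  # fc00::/7
        [23]???:*)    echo global ;;        # 2000::/3, e.g. 2601:...
        *)            echo other ;;
    esac
}

# Read `ip -6 -o addr show` lines on stdin; print "iface address" for
# every address that is reachable from the Internet.
exposed_v6_addrs() {
    while read -r _idx ifname _fam cidr _rest; do
        addr=${cidr%/*}
        if [ "$(classify_v6 "$addr")" = global ]; then
            echo "$ifname $addr"
        fi
    done
    return 0
}

# Constructed sample output; 2001:db8::/32 is the documentation prefix.
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2::10/64 scope global dynamic \       valid_lft 300 preferred_lft 300
2: eth0    inet6 fe80::21e:67ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

# On the real host use:  ip -6 -o addr show | exposed_v6_addrs
# Any line printed means ip6tables must enforce the same policy as
# iptables; review the loaded rules with `ip6tables -S`.
printf '%s\n' "$SAMPLE" | exposed_v6_addrs
```
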