James B. Byrne
2015-Jun-29 13:09 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> OS 6?
>
> Please note: I'm not criticizing, just curious about the argument
> behind using a regular OS to do firewall-stuff.

Maintenance.

A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
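One way to keep the "minimal install, add only what you need" approach honest over time is to diff the installed package set against a written allowlist, so that a stray compiler or X server shows up as an exception to be justified or removed. The script below is an added example written for this thread, not code from any of the posters; the package names in both lists are constructed sample data, and on a real CentOS host the installed list would come from `rpm -qa --qf '%{NAME}\n'` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gateway's installed RPM set
# against an allowlist of packages the box is known to need. Packages present
# but not allowlisted are reported, as are allowlisted packages that are
# missing ("critical omissions" in Byrne's words).
#
# On a real host, generate the installed list with:
#   rpm -qa --qf '%{NAME}\n' | sort -u > installed.txt
# Both lists below are constructed inline so the script runs offline.

set -eu
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

WORK="${TMPDIR:-/tmp}/gw-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed allowlist: what a DHCP/NAT gateway legitimately needs.
cat > "$WORK/allowlist.txt" <<'EOF'
bash
coreutils
dhcp
iptables
kernel
openssh-server
rpm
yum
EOF

# Constructed "rpm -qa" output: the same set plus two packages that have no
# business on a firewall (a compiler and an X server).
cat > "$WORK/installed.txt" <<'EOF'
bash
coreutils
dhcp
gcc
iptables
kernel
openssh-server
rpm
xorg-x11-server-Xorg
yum
EOF

# unexpected_packages INSTALLED ALLOWLIST
# Prints every installed package name absent from the allowlist, one per line.
unexpected_packages() {
    sort -u "$1" > "$WORK/installed.sorted"
    sort -u "$2" > "$WORK/allowlist.sorted"
    comm -23 "$WORK/installed.sorted" "$WORK/allowlist.sorted"
}

# missing_packages INSTALLED ALLOWLIST
# The reverse check: allowlisted packages that are not installed.
missing_packages() {
    sort -u "$1" > "$WORK/installed.sorted"
    sort -u "$2" > "$WORK/allowlist.sorted"
    comm -13 "$WORK/installed.sorted" "$WORK/allowlist.sorted"
}

echo "Installed but not on the allowlist:"
unexpected_packages "$WORK/installed.txt" "$WORK/allowlist.txt"
echo "Allowlisted but not installed:"
missing_packages "$WORK/installed.txt" "$WORK/allowlist.txt"
```

Running it from cron with the allowlist kept under version control turns the "add only what you need" rule into something checked rather than remembered; with the constructed input above it lists `gcc` and `xorg-x11-server-Xorg` as unexpected and nothing as missing.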
Sorin Srbu
2015-Jun-29 13:46 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of James B. Byrne
> Sent: 29 June 2015 15:10
> To: CentOS mailing list
> Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server
>
> > Please note: I'm not criticizing, just curious about the argument
> > behind using a regular OS to do firewall-stuff.
> >
>
> Maintenance.
>
> A consistent set of expectations does wonders for debugging odd-ball
> occurrences. Why learn the idiosyncrasies of two distros when one suffices?
> Just start with a minimal CentOS install on your router/gateway and add only
> the packages that you know that you need.
> Any critical omission will evidence itself in short order and can be added then;
> or the source of the need removed as circumstance warrants.

Sorry for OT.

Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or Ipcop?

In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe as in this case minimize attack-surfaces).

Still just curious about the arguments pro/con regular OSes as firewall. 8-)

--
//Sorin
Leon Fauster
2015-Jun-29 14:09 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 29.06.2015 at 15:46, Sorin Srbu <sorin.srbu at orgfarm.uu.se> wrote:
>>
>>> Please note: I'm not criticizing, just curious about the argument
>>> behind using a regular OS to do firewall-stuff.
>>>
>>
>> Maintenance.
>>
>> A consistent set of expectations does wonders for debugging odd-ball
>> occurrences. Why learn the idiosyncrasies of two distros when one suffices?
>> Just start with a minimal CentOS install on your router/gateway and add only
>> the packages that you know that you need.
>> Any critical omission will evidence itself in short order and can be added then;
>> or the source of the need removed as circumstance warrants.
>
> Sorry for OT.
>
> Even considering a minimal CentOS install, is that still less minimal than
> e.g. Smoothwall or Ipcop?
> In my world, security has a price and, and that might be the need to learn
> another distro in order to minimize security issues (and maybe as in this
> case minimize attack-surfaces).
>
> Still just curious about the arguments pro/con regular OS:s as firewall. 8-)

+1 - we use the same distro here for "all" because normally most security holes are created by the configuration abilities of humans. To catch this effectively, the distro is not a variable. Therefore I appreciate the great work of the "CentOS on ARM7" team!

--
LF
m.roth at 5-cent.us
2015-Jun-29 14:43 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
James B. Byrne wrote:
> On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> OS 6?
>>
>> Please note: I'm not criticizing, just curious about the argument
>> behind using a regular OS to do firewall-stuff.
>
> Maintenance.
>
> A consistent set of expectations does wonders for debugging odd-ball
> occurrences. Why learn the idiosyncrasies of two distros when one
> suffices? Just start with a minimal CentOS install on your
> router/gateway and add only the packages that you know that you need.
> Any critical omission will evidence itself in short order and can be
> added then; or the source of the need removed as circumstance
> warrants.

Yup. For, um, about a dozen years, I ran RH 7.1, 7.2, 7.3, and eventually 9 on an old box that was nothing but a firewall router. I was seriously paranoid - no gcc or any development tools, no X, not much of anything. To the best of my knowledge, we never had a break-in.

I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly impressed. I mean, it seems ok, but the project is run in what I can only describe as "amateur", in the worst sense of the word. The several official developers release a build, and you can choose which one of whose; people on the mailing list have "favorite builds", which is not a phrase I have *ever* heard used with an o/s before, and I'm afraid to update, as some of their "documentation" is out of date, or wrong.

At some point, I may just get a PI, and run CentOS, or some firewall/router distro, though that would mean not having WiFi for guests.

mark
david
2015-Jun-29 15:17 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
At 07:43 AM 6/29/2015, you wrote:
> James B. Byrne wrote:
> > On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> > OS 6?
> >>
> >> Please note: I'm not criticizing, just curious about the argument
> >> behind using a regular OS to do firewall-stuff.
> >
> > Maintenance.
> >
> > A consistent set of expectations does wonders for debugging odd-ball
> > occurrences. Why learn the idiosyncrasies of two distros when one
> > suffices? Just start with a minimal CentOS install on your
> > router/gateway and add only the packages that you know that you need.
> > Any critical omission will evidence itself in short order and can be
> > added then; or the source of the need removed as circumstance
> > warrants.
>
> Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually 9
> on an old box that was nothing but a firewall router. I was seriously
> paranoid - no gcc or any development tools, no X, not much of anything. To
> the best of my knowledge, we never had a breakin.
>
> I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
> impressed. I mean, it seems ok, but the project is run in what I can only
> describe as "amateur", in the worst sense of the word. The several
> official developers release a build, and you can choose which one of
> who's; people on the mailing list have "favorite builds", which is not a
> phrase I have *ever* heard used with an o/s before, and I'm afraid to
> update, as some of their "documentation" is out of date, or wrong.
>
> At some point, I may just get a PI, and run CentOS, or some
> firewall/router distro, though that would mean not having WiFi for guests.
>
> mark

Mark

The WiFi solution I use still uses a CentOS 6 firewall/router/gateway, but one of my inside devices is a WiFi router. Rather than doing double routing, I connect one of the WiFi's LAN connections via a switch to my router, leaving the WiFi router's WAN connection unused.

That way, my gateway (and not the WiFi router) is the DHCP server, and can enforce whatever firewall rules I want to apply. No need to give up your guest WiFi if you stick with a CentOS gateway.

David
John R Pierce
2015-Jun-29 17:35 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 6/29/2015 7:43 AM, m.roth at 5-cent.us wrote:
> At some point, I may just get a PI, and run CentOS, or some
> firewall/router distro, though that would mean not having WiFi for guests.

I'm using a UniFi AP for my wireless, actually, I have two of them at home for full coverage. It works SO much smoother than the consumer routers I'd tried before. The UniFi is a ceiling mount device that looks like a smoke detector, it gets its power from the ethernet wire (comes with the PoE injector), the two of them act as a single wireless access point, one at each end of my rather long house provides corner to corner coverage.

--
john r pierce, recycling bits in santa cruz
Gordon Messmer
2015-Jun-29 17:40 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 06/29/2015 06:46 AM, Sorin Srbu wrote:
> Even considering a minimal CentOS install, is that still less minimal than
> e.g. Smoothwall or Ipcop?

Yes, a minimal install of CentOS is probably larger (less minimal) than a specialized distribution.

> In my world, security has a price and, and that might be the need to learn
> another distro in order to minimize security issues (and maybe as in this
> case minimize attack-surfaces).

When all of your systems are one OS, you can more easily build an infrastructure that provides backups, security and bug fix updates, monitoring, etc for all of your systems. Specialized devices are often left out when admins set up infrastructure to provide those services for their primary systems. That's one way that a general purpose OS can be significantly better than a specialized OS.
ken
2015-Jun-30 12:58 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 06/29/2015 10:43 AM, m.roth at 5-cent.us wrote:
> James B. Byrne wrote:
>> On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
>> OS 6?
>>>
>>> Please note: I'm not criticizing, just curious about the argument
>>> behind using a regular OS to do firewall-stuff.
>>
>> Maintenance.
>>
>> A consistent set of expectations does wonders for debugging odd-ball
>> occurrences. Why learn the idiosyncrasies of two distros when one
>> suffices? Just start with a minimal CentOS install on your
>> router/gateway and add only the packages that you know that you need.
>> Any critical omission will evidence itself in short order and can be
>> added then; or the source of the need removed as circumstance
>> warrants.

Being a longtime RH/CentOS user recently flirting with debian, I have to agree. Another advantage to using a single distro across multiple machines is the ability to compare them (e.g., does this system file have the same size and timestamp on all my systems?).

> I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
> impressed. I mean, it seems ok, but the project is run in what I can only
> describe as "amateur", in the worst sense of the word. The several
> official developers release a build, and you can choose which one of
> who's; people on the mailing list have "favorite builds", which is not a
> phrase I have *ever* heard used with an o/s before, and I'm afraid to
> update, as some of their "documentation" is out of date, or wrong.

I agree on dd-wrt. Several docs and occasional forum postings say, "check the wiki." Other docs and forum postings say, "ignore the wiki, it's outdated." Finding the latest build is like an Easter egg hunt. The whole project seemed to me to be very disorganized.

Re: administration and docs again: My router's wifi radio seemed to go out one day (after a power outage). I couldn't connect to the router anymore via wifi. The lack of reliable docs made figuring out the settings a guessing game. And I didn't know what tools existed for diagnosing the hardware and software.

I have to sympathize with the dd-wrt developers though. There are a lot of routers on the market. Most are vastly different in what hardware and features they have. And too, in most cases (I'd think) they have docs from manufacturers, so have to reverse-engineer the code, and do this separately for dozens if not hundreds of routers on the market. Given these circumstances, it's amazing they've been able to do what they've done.

Waxing further off-topic, a solution to this, IMO, would be something very much like a Raspberry Pi router: essentially an RPi with a half-dozen RJ45 ports. It would be nice to have the wifi built into it, but because these are country-specific, the wifi-radio would probably need to be a separate plug-in part. But having non-volatile memory on a card, as RPi's already have, would make testing and upgrading -- and also downgrading -- much easier and worry-free.

> At some point, I may just get a PI, and run CentOS, or some
> firewall/router distro, though that would mean not having WiFi for guests.

When the radio on my wifi went out, I found it a simple matter to set up a secure wifi AP (using hostapd) on an RPi and plug it into an RJ45 on my router.

>
> mark
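ken's "does this system file have the same size and timestamp on all my systems?" check is easy to script once every box runs the same distro, because the file is expected to be byte-identical everywhere. The script below is an added example written for this thread, not code from any of the posters: `fingerprint` records size, mtime and SHA-256 for one file, and `outliers` reads the fingerprints gathered from several hosts and names the ones whose copy disagrees with the most common one. The three hosts (`hostA`, `hostB`, `hostC`) and their `sshd_config` contents are constructed sample data laid out in a temp directory; in practice you would run `fingerprint` on each host over ssh and concatenate the lines. It assumes GNU `stat` and `sha256sum` as shipped in CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): compare one file across several hosts
# by (size, mtime, sha256) and report the hosts that differ from the majority.
# Assumes GNU stat(1) and sha256sum(1) as found on CentOS.

set -eu
export LC_ALL=C

WORK="${TMPDIR:-/tmp}/fp-compare.$$"
mkdir -p "$WORK/hostA" "$WORK/hostB" "$WORK/hostC"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the same sshd_config on three hosts, but hostC's copy
# was edited by hand. All three get the same mtime so only content differs.
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$WORK/hostA/sshd_config"
cp "$WORK/hostA/sshd_config" "$WORK/hostB/sshd_config"
printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$WORK/hostC/sshd_config"
for h in hostA hostB hostC; do touch -t 201506291343.00 "$WORK/$h/sshd_config"; done

# fingerprint HOST FILE -> "HOST size mtime sha256"
# Run this on each host (e.g. over ssh) and collect the lines into one report.
fingerprint() {
    printf '%s %s %s\n' "$1" "$(stat -c '%s %Y' "$2")" "$(sha256sum "$2" | cut -d' ' -f1)"
}

# outliers REPORTFILE
# Reads "host size mtime sha256" lines and prints the hosts whose triple is
# not the most common one. If two triples tie for most common, awk's array
# order decides which one counts as the majority.
outliers() {
    awk '
        { key = $2 " " $3 " " $4; count[key]++; host[NR] = $1; keyof[NR] = key }
        END {
            bestn = 0
            for (k in count) if (count[k] > bestn) { bestn = count[k]; best = k }
            for (i = 1; i <= NR; i++) if (keyof[i] != best) print host[i]
        }' "$1"
}

for h in hostA hostB hostC; do fingerprint "$h" "$WORK/$h/sshd_config"; done > "$WORK/report.txt"
cat "$WORK/report.txt"
echo "Hosts whose copy differs from the majority:"
outliers "$WORK/report.txt"
```

Hashing as well as checking size and mtime matters: a file can be altered in place and then have its timestamp restored, and the size alone does not change when a `no` becomes a `yes` of the same length; the SHA-256 catches both. With the constructed data above, `outliers` prints only `hostC`.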