CentOS - Jun 2015 - Using a CentOS 6 Machine as a gateway/router/home server

On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
OS 6?
>
> Please note: I'm not criticizing, just curious about the argument
> behind using a regular OS to do firewall-stuff.
>
Maintenance.

A consistent set of expectations does wonders for debugging odd-ball
occurrences.  Why learn the idiosyncrasies of two distros when one
suffices?  Just start with a minimal CentOS install on your
router/gateway and add only the packages that you know that you need.
Any critical omission will evidence itself in short order and can be
added then; or the source of the need removed as circumstance
warrants.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of James B. Byrne
> Sent: den 29 juni 2015 15:10
> To: CentOS mailing list
> Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home
> server
> 
> 
> > Please note: I'm not criticizing, just curious about the argument
> > behind using a regular OS to do firewall-stuff.
> >
> 
> Maintenance.
> 
> A consistent set of expectations does wonders for debugging odd-ball
> occurrences.  Why learn the idiosyncrasies of two distros when one
suffices?
> Just start with a minimal CentOS install on your router/gateway and add
only
> the packages that you know that you need.
> Any critical omission will evidence itself in short order and can be added
then;
> or the source of the need removed as circumstance warrants.
Sorry for OT.

Even considering a minimal CentOS install, is that still less minimal than
e.g. Smoothwall or Ipcop?
In my world, security has a price and, and that might be the need to learn
another distro in order to minimize security issues (and maybe as in this
case minimize attack-surfaces).

Still just curious about the arguments pro/con regular OS:s as firewall. 8-)

-- 
//Sorin

Am 29.06.2015 um 15:46 schrieb Sorin Srbu <sorin.srbu at
orgfarm.uu.se>:
>> 
>>> Please note: I'm not criticizing, just curious about the
argument
>>> behind using a regular OS to do firewall-stuff.
>>> 
>> 
>> Maintenance.
>> 
>> A consistent set of expectations does wonders for debugging odd-ball
>> occurrences.  Why learn the idiosyncrasies of two distros when one
> suffices?
>> Just start with a minimal CentOS install on your router/gateway and add
> only
>> the packages that you know that you need.
>> Any critical omission will evidence itself in short order and can be
added
> then;
>> or the source of the need removed as circumstance warrants.
> 
> Sorry for OT.
> 
> Even considering a minimal CentOS install, is that still less minimal than
> e.g. Smoothwall or Ipcop?
> In my world, security has a price and, and that might be the need to learn
> another distro in order to minimize security issues (and maybe as in this
> case minimize attack-surfaces).
> 
> Still just curious about the arguments pro/con regular OS:s as firewall.
8-)


+1 - we use here for "all" the same distro because normally the most
security holes are
done by the configuration abilities of humans. to catch this effectively the
distro is
not a variable. Therefore I appreciate the great work of the "CentOS on
ARM7"-team!

--
LF

James B. Byrne wrote:
> On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> OS 6?
>>
>> Please note: I'm not criticizing, just curious about the argument
>> behind using a regular OS to do firewall-stuff.
>
> Maintenance.
>
> A consistent set of expectations does wonders for debugging odd-ball
> occurrences.  Why learn the idiosyncrasies of two distros when one
> suffices?  Just start with a minimal CentOS install on your
> router/gateway and add only the packages that you know that you need.
> Any critical omission will evidence itself in short order and can be
> added then; or the source of the need removed as circumstance
> warrants.
Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually 9
on an old box that was nothing but a firewall router. I was seriously
paranoid - no gcc or any development tools, no X, not much of anything. To
the best of my knowledge, we never had a breakin.

I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
impressed. I mean, it seems ok, but the project is run in what I can only
describe as "amateur", in the worst sense of the word. The several
official developers release a build, and you can choose which one of
who's; people on the mailing list have "favorite builds", which is
not a
phrase I have *ever* heard used with an o/s before, and I'm afraid to
update, as some of their "documentation" is out of date, or wrong.

At some point, I may just get a PI, and run CentOS, or some
firewall/router distro, though that would mean not having WiFi for guests.

       mark

At 07:43 AM 6/29/2015, you wrote:
>James B. Byrne wrote:
> > On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> > OS 6?
> >>
> >> Please note: I'm not criticizing, just curious about the
argument
> >> behind using a regular OS to do firewall-stuff.
> >
> > Maintenance.
> >
> > A consistent set of expectations does wonders for debugging odd-ball
> > occurrences.  Why learn the idiosyncrasies of two distros when one
> > suffices?  Just start with a minimal CentOS install on your
> > router/gateway and add only the packages that you know that you need.
> > Any critical omission will evidence itself in short order and can be
> > added then; or the source of the need removed as circumstance
> > warrants.
>
>Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually 9
>on an old box that was nothing but a firewall router. I was seriously
>paranoid - no gcc or any development tools, no X, not much of anything. To
>the best of my knowledge, we never had a breakin.
>
>I'm running DD-WRT on an ASUS router these days, and I'm *NOT*
wildly
>impressed. I mean, it seems ok, but the project is run in what I can only
>describe as "amateur", in the worst sense of the word. The several
>official developers release a build, and you can choose which one of
>who's; people on the mailing list have "favorite builds",
which is not a
>phrase I have *ever* heard used with an o/s before, and I'm afraid to
>update, as some of their "documentation" is out of date, or wrong.
>
>At some point, I may just get a PI, and run CentOS, or some
>firewall/router distro, though that would mean not having WiFi for guests.
>
>        mark
Mark
The WiFi solution I use still uses a Centos 6 
firewall/router/gateway, but one of my inside devices is a WiFi 
router.  Rather than doing double routing, I connect one of the 
WiFi's LAN connections via a switch to my Router via a switch, 
leaving the WiFi Router's WAN conection unused.  That way, my gateway 
(and not the WiFi router) is the DHCP server, and can enforce 
whatever firewall rules I want to apply.

No need to give up your guest WiFi if you stick with a Centos gateway.

David

On 6/29/2015 7:43 AM, m.roth at 5-cent.us wrote:
> At some point, I may just get a PI, and run CentOS, or some
> firewall/router distro, though that would mean not having WiFi for guests.
I'm using a UniFi AP for my wireless, actually, I have two of them at 
home for full coverage.  it works SO much smoother than the consumer 
routers I'd tried before.    the UniFi is a ceiling mount device that 
looks like a smoke detector, it gets its power from the ethernet wire 
(comes with the PoE injector), the two of them act as a single wireless 
access point, one at each end of my rather long house provides corner to 
corner coverage.

-- 
john r pierce, recycling bits in santa cruz

On 06/29/2015 06:46 AM, Sorin Srbu wrote:
> Even considering a minimal CentOS install, is that still less minimal than
> e.g. Smoothwall or Ipcop?
Yes, a minimal install of CentOS is probably larger (less minimal) than 
a specialized distribution.
> In my world, security has a price and, and that might be the need to learn
> another distro in order to minimize security issues (and maybe as in this
> case minimize attack-surfaces).
When all of your systems are one OS, you can more easily build an 
infrastructure that provides backups, security and bug fix updates, 
monitoring, etc for all of your systems.  Specialized devices are often 
left out when admins set up infrastructure to provide those services for 
their primary systems.  That's one way that a general purpose OS can be 
significantly better than a specialized OS.

On 06/29/2015 10:43 AM, m.roth at 5-cent.us wrote:
> James B. Byrne wrote:
>> On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
>> OS 6?
>>>
>>> Please note: I'm not criticizing, just curious about the
argument
>>> behind using a regular OS to do firewall-stuff.
>>
>> Maintenance.
>>
>> A consistent set of expectations does wonders for debugging odd-ball
>> occurrences.  Why learn the idiosyncrasies of two distros when one
>> suffices?  Just start with a minimal CentOS install on your
>> router/gateway and add only the packages that you know that you need.
>> Any critical omission will evidence itself in short order and can be
>> added then; or the source of the need removed as circumstance
>> warrants.
Being a longtime RH/CentOS user recently flirting with debian, I have to 
agree.  Another advantage to using a single distro across multiple 
machines is the ability to compare them (e.g., does this system system 
file have the same size and timestamp on all my systems?).

> I'm running DD-WRT on an ASUS router these days, and I'm *NOT*
wildly
> impressed. I mean, it seems ok, but the project is run in what I can only
> describe as "amateur", in the worst sense of the word. The
several
> official developers release a build, and you can choose which one of
> who's; people on the mailing list have "favorite builds",
which is not a
> phrase I have *ever* heard used with an o/s before, and I'm afraid to
> update, as some of their "documentation" is out of date, or
wrong.
I agree on dd-wrt.  Several docs and occasional forum postings say, 
"check the wiki."  Other docs and forum postings say, "ignore the
wiki,
it's outdated."  Finding the latest build is like an easter egg hunt. 
The whole project seemed to me to be very disorganized.

Re: administration and docs again:  My router's wifi radio seemed to go 
out one day (after a power outage).  I couldn't connect to the router 
anymore via wifi.  The lack of reliable docs made figuring out the 
settings a guessing game.  And I didn't know what tools existed for 
diagnosing the hardware and software.

I have to sympathize with the dd-wrt developers though.  There are a lot 
of routers on the market.  Most are vastly different in what hardware 
and features they have.  And too, in most case (I'd think) they have 
docs from manufacturers, so have to reverse-engineer the code, and do 
this separately for dozens if not hundreds of routers on the market. 
Given these circumstances, it's amazing they've been able to do what 
they've done.

Waxing further off-topic, a solution to this, IMO, would be something 
very much like a Raspberry Pi router: essentially an RPi with a 
half-dozen RJ45 ports.  It would be nice to have the wifi built into it, 
but because these are country-specific, the wifi-radio would probably 
need to be a separate plug-in part.  But having non-volatile memory on a 
card, as RPi's already have, would make testing and upgrading-- and also 
downgrading-- much easier and worry-free.

> At some point, I may just get a PI, and run CentOS, or some
> firewall/router distro, though that would mean not having WiFi for guests.
When the radio on my wifi went out, I found it a simple matter to set up 
a secure wifi AP (using hostapd) on an RPi and plug it into an RJ45 on 
my router.



>
>         mark