david
2015-Jun-29 15:17 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
At 07:43 AM 6/29/2015, you wrote:
>James B. Byrne wrote:
> > On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
> > OS 6?
> >>
> >> Please note: I'm not criticizing, just curious about the argument
> >> behind using a regular OS to do firewall-stuff.
> >
> > Maintenance.
> >
> > A consistent set of expectations does wonders for debugging odd-ball
> > occurrences. Why learn the idiosyncrasies of two distros when one
> > suffices? Just start with a minimal CentOS install on your
> > router/gateway and add only the packages that you know that you need.
> > Any critical omission will evidence itself in short order and can be
> > added then; or the source of the need removed as circumstance
> > warrants.
>
>Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually 9
>on an old box that was nothing but a firewall router. I was seriously
>paranoid - no gcc or any development tools, no X, not much of anything. To
>the best of my knowledge, we never had a breakin.
>
>I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
>impressed. I mean, it seems ok, but the project is run in what I can only
>describe as "amateur", in the worst sense of the word. The several
>official developers release a build, and you can choose which one of
>who's; people on the mailing list have "favorite builds", which is not a
>phrase I have *ever* heard used with an o/s before, and I'm afraid to
>update, as some of their "documentation" is out of date, or wrong.
>
>At some point, I may just get a PI, and run CentOS, or some
>firewall/router distro, though that would mean not having WiFi for guests.
>
> mark

Mark

The WiFi solution I use still uses a Centos 6 firewall/router/gateway, but one of my inside devices is a WiFi router. Rather than doing double routing, I connect one of the WiFi's LAN connections via a switch to my Router via a switch, leaving the WiFi Router's WAN connection unused. That way, my gateway (and not the WiFi router) is the DHCP server, and can enforce whatever firewall rules I want to apply.

No need to give up your guest WiFi if you stick with a Centos gateway.

David
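The gateway side of the layout in David's message above, as an added example that is not part of the original thread: a script that emits an `iptables-restore` ruleset for a CentOS 6 box acting as NAT gateway, DHCP server and DNS server for an inside network that includes the WiFi router's LAN port. The interface names, the subnet and the guest DHCP pool are assumptions.

```shell
#!/bin/sh
# Added example. Interface names, subnets and the guest pool are assumptions.
# Also needs net.ipv4.ip_forward = 1 in /etc/sysctl.conf on the gateway.
WAN_IF=${WAN_IF:-eth0}                      # uplink to the ISP
LAN_IF=${LAN_IF:-eth1}                      # switch with wired hosts and the WiFi router's LAN port
LAN_NET=${LAN_NET:-192.168.10.0/24}         # whole inside network
GUEST_POOL=${GUEST_POOL:-192.168.10.192/26} # dhcpd range handed to unknown (guest) clients

# Emit a ruleset in iptables-restore format (the format of /etc/sysconfig/iptables).
gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inside hosts, wired or WiFi, share the gateway's WAN address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP and DNS are served by the gateway to every inside client
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# Guest leases get nothing else on the gateway itself
-A INPUT -i $LAN_IF -s $GUEST_POOL -j DROP
# Remaining inside addresses may administer the gateway over SSH
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Inside-to-Internet traffic is forwarded; nothing unsolicited comes back in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; on the gateway, check it with:
#   gateway_rules | iptables-restore --test
gateway_rules
```

Because the WiFi clients and the wired hosts sit on the same switch, traffic between them never passes through the gateway, so these rules filter only what reaches the gateway itself or the Internet.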
m.roth at 5-cent.us
2015-Jun-29 15:25 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
david wrote:
> At 07:43 AM 6/29/2015, you wrote:
>>James B. Byrne wrote:
>> > On Mon, June 29, 2015 02:14, Sorin Srbu wrote:
>> > OS 6?
>> >>
>> >> Please note: I'm not criticizing, just curious about the argument
>> >> behind using a regular OS to do firewall-stuff.
>> >
>> > Maintenance.
>> >
>> > A consistent set of expectations does wonders for debugging odd-ball
>> > occurrences. Why learn the idiosyncrasies of two distros when one
>> > suffices? Just start with a minimal CentOS install on your
>> > router/gateway and add only the packages that you know that you need.
>> > Any critical omission will evidence itself in short order and can be
>> > added then; or the source of the need removed as circumstance
>> > warrants.
>>
>>Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually
>> 9
>>on an old box that was nothing but a firewall router. I was seriously
>>paranoid - no gcc or any development tools, no X, not much of anything.
>> To
>>the best of my knowledge, we never had a breakin.
>>
>>I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
>>impressed. I mean, it seems ok, but the project is run in what I can only
>>describe as "amateur", in the worst sense of the word. The several
>>official developers release a build, and you can choose which one of
>>who's; people on the mailing list have "favorite builds", which is not a
>>phrase I have *ever* heard used with an o/s before, and I'm afraid to
>>update, as some of their "documentation" is out of date, or wrong.
>>
>>At some point, I may just get a PI, and run CentOS, or some
>>firewall/router distro, though that would mean not having WiFi for
>> guests.
>>
>> mark
>
> Mark
> The WiFi solution I use still uses a Centos 6
> firewall/router/gateway, but one of my inside devices is a WiFi
> router. Rather than doing double routing, I connect one of the
> WiFi's LAN connections via a switch to my Router via a switch,
> leaving the WiFi Router's WAN connection unused. That way, my gateway
> (and not the WiFi router) is the DHCP server, and can enforce
> whatever firewall rules I want to apply.
>
> No need to give up your guest WiFi if you stick with a Centos gateway.

Hmmm... that's a thought. On the other hand, for defence in depth, I'm sort of leery about using my own system as a firewall. As I noted, on my old firewall/router box, I had almost nothing. That's why I'm considering a PI....

mark
Bill Maltby (C4B)
2015-Jun-29 18:08 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Mon, 2015-06-29 at 08:17 -0700, david wrote:
> <snip>
> >
> >Yup. For, um, about a dozen years, I ran RH 7.1,7.2, 7.3, and eventually 9
> >on an old box that was nothing but a firewall router. I was seriously
> >paranoid - no gcc or any development tools, no X, not much of anything. To
> >the best of my knowledge, we never had a breakin.
> >
> >I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly
> >impressed. I mean, it seems ok, but the project is run in what I can only
> >describe as "amateur", in the worst sense of the word. The several
> >official developers release a build, and you can choose which one of
> >who's; people on the mailing list have "favorite builds", which is not a
> >phrase I have *ever* heard used with an o/s before, and I'm afraid to
> >update, as some of their "documentation" is out of date, or wrong.
> >
> >At some point, I may just get a PI, and run CentOS, or some
> >firewall/router distro, though that would mean not having WiFi for guests.
> >
> > mark
>
> Mark
> The WiFi solution I use still uses a Centos 6
> firewall/router/gateway, but one of my inside devices is a WiFi
> router. Rather than doing double routing, I connect one of the
> WiFi's LAN connections via a switch to my Router via a switch,
> leaving the WiFi Router's WAN connection unused. That way, my gateway
> (and not the WiFi router) is the DHCP server, and can enforce
> whatever firewall rules I want to apply.
>
> No need to give up your guest WiFi if you stick with a Centos gateway.
>
> David
> <snip>

I get good results with IPCop on an older box. I happened to already have my WAP set up, similar to David, with ethernet cable into my Netgear gigabit switch. But IPCop has a zone now for wifi and I could hook it into my IPCop and get all its benefits.

I haven't bothered because I'm in the boonies with little traffic, meaning less "drive-by" traffic/chance of someone trying to break in via that route, and my security key is very long and follows all the usual guidelines re case, numbers, etc. Everyone that I've authorized has had to attempt multiple times to finally get in, even me, until the device in use (iPhone, Android phone, Kindle Fire, ...) remembers a successful access completion.

I'm very pleased with IPCop - going on near a decade by now I guess.

MHO,
Bill
Tom Bishop
2015-Jun-29 18:13 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
> I get good results with IPCop on an older box. I happened to already
> have my WAP set up, similar to David, with ethernet cable into my
> Netgear gigabit switch. But IPCop has a zone now for wifi and I could
> hook it into my IPCop and get all its benefits.
>
> I haven't bothered because I'm in the boonies with little traffic,
> meaning less "drive-by" traffic/chance of someone trying to break in via
> that route, and my security key is very long and follows all the usual
> guidelines re case, numbers, etc. Everyone that I've authorized has had
> to attempt multiple times to finally get in, even me, until the device
> in use (iPhone, Android phone, Kindle Fire, ...) remembers a successful
> access completion.
>
> I'm very pleased with IPCop - going on near a decade by now I guess.
>
> MHO,
> Bill
>

OT but for firewalls I do lots of work with various flavors, I have pretty much settled on Pfsense, since most of what I run is *nix based I like the fact that it's BSD based. I have tried and tested lots of stuff and that is the one that I have settled on, use and support. Just something else to add to the list
Sorin Srbu
2015-Jun-30 06:18 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of m.roth at 5-cent.us
> Sent: den 29 juni 2015 17:25
> To: CentOS mailing list
> Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home
> server
>
> > The WiFi solution I use still uses a Centos 6 firewall/router/gateway,
> > but one of my inside devices is a WiFi router. Rather than doing
> > double routing, I connect one of the WiFi's LAN connections via a
> > switch to my Router via a switch, leaving the WiFi Router's WAN
> > connection unused. That way, my gateway (and not the WiFi router) is
> > the DHCP server, and can enforce whatever firewall rules I want to
> > apply.
> >
> > No need to give up your guest WiFi if you stick with a Centos gateway.
>
> Hmmm... that's a thought. On the other hand, for defence in depth, I'm sort
> of leery about using my own system as a firewall. As I noted, on my old
> firewall/router box, I had almost nothing. That's why I'm considering a PI....

I used to use a similar solution at home with Smoothwall and an AP. Worked fine till the computer running Smoothwall died. Worked fine for home use. IDK if it would be a good solution in a "professional" environment as well, but scaled up of course.

--
//Sorin