Hello Walter,

On Mon, 15 May 2017 09:22:54 +0200 "Walter H." <walter.h at mathemainzel.info> wrote:

> On Sun, May 14, 2017 11:00, wwp wrote:
> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
> > <Walter.H at mathemainzel.info> wrote:
> >
> >> On 13.05.2017 00:29, Robert Moskowitz wrote:
> >> > I have been working, for the past few years, with armv7 SOCs and have
> >> > a number of servers working.
> >> >
> >> > Intel, et al. are catching up with ARM and I have seen ones like:
> >> >
> >> > https://www.aliexpress.com/item/NEW-Mini-pc-X86-4-Lan-Qotom-Q190G4N-with-celeron-J1900-quad-core-4-usb-VGA/32785346279.html
> >>
> >> I would take something similar to this:
> >> https://www.zotac.com/product/mini_pcs/zbox-ci323-nano
> >> (for this zbox I can tell you that it works with CentOS, as I have one
> >> configured as firewall/router)
> >
> > This might become off-topic with my reply, but I'm curious: is there
> > any specific software you're running from CentOS on your zbox in order
> > to manage the router features?
> SSH?

I think I've been unclear, sorry about that! I wanted to ask if you use
something, any helper installed on this router box, on top of
firewalld/iptables, in order to set up and administrate the NAT/routing
(and eventually proxy) rules?

> > I currently use, between my xDSL box and my LAN machines, an ATX-format
> > box running a pretty old GNU/Linux system with a Jay's Firewall setup
> > but I'd like to replace it w/ a fanless small barebone like the Zotac
> > CI327: ...
> this zbox has, in comparison to the CI323, a different CPU, which I don't
> know whether it is supported by CentOS
> (I didn't mention that I use CentOS 6 ...)

That's a good point to check, you're right: support for this CPU in either
CentOS 6 or 7.

Regards,

-- 
wwp
On Mon, May 15, 2017 09:53, wwp wrote:
> On Mon, 15 May 2017 09:22:54 +0200 "Walter H."
> <walter.h at mathemainzel.info> wrote:
>
>> On Sun, May 14, 2017 11:00, wwp wrote:
>> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
>> > <Walter.H at mathemainzel.info> wrote:
>> >
>> > This might become off-topic with my reply, but I'm curious: is there
>> > any specific software you're running from CentOS on your zbox in order
>> > to manage the router features?
>> SSH?
>
> I think I've been unclear, sorry about that! I wanted to ask if you use
> something, any helper installed on this router box, on top of
> firewalld/iptables, in order to set up and administrate the NAT/routing
> (and eventually proxy) rules?

I've configured it quite simply ...

/etc/sysconfig/network-scripts:
ifcfg-eth0 and ifcfg-wlan0 have this: BRIDGE=br0
ifcfg-br0 is LAN (dual-stack)
ifcfg-eth1 is WAN (IPv4 only)
ifcfg-sit1 is an HE IPv6 tunnel (IPv6 only)

/etc/hostapd/hostapd.conf has this:
interface=wlan0
bridge=br0

/etc/sysconfig/ip(6)tables have at the last lines this:

# Log all other
-A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7

there runs a cron job every hour, which sends an email like this:
dmesg |grep -e "IP(v6)\[" |timefltr.pl

for DNS a BIND is configured as caching DNS, and as authoritative master for
my domain ...

an Apache is configured only for some status pages like output of
'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'

I programmed some simple network diagnostics:
- traceroute(6) and ping(6) to a given dns/ip-host
- nslookup of a given dns-name

this is only reachable from the LAN side; as I have a VM that runs a squid
with SSL-interception, I made a mini-CA, the root is installed on my
computers, one intermediate CA is used by squid, the other intermediate CA is
used for signing an SSL certificate which I use on the LAN side of my zbox or
on my intranet (e.g. squirrel)

to reach my squirrel, the apache does proxying ...

when there is the need of changing firewall rules, I manually edit the
files and reload ip(6)tables ...

it is somewhat very individual, I'm thinking of sending SMS messages on
special situations, e.g. the WAN IP address has changed (this happens
about 2-3 times in a year)

that's all
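The catch-all LOG rules above and the hourly `dmesg | grep | timefltr.pl` mail are a cheap way to see what the default-drop policy is actually catching. The script below is an added example, not Walter's timefltr.pl (which is not shown in the thread) and not part of the original message: it reads kernel log lines of the form the iptables/ip6tables LOG target emits and reduces them to a per-chain top-talkers list (family, chain, protocol, destination port, source), which is what you would rather read in an hourly mail than raw lines. The field names (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, HOPLIMIT=) are the ones the LOG target really writes; SAMPLE_LOG itself, with every address, interface and counter in it, is constructed for this example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not Walter's timefltr.pl: summarise the messages written by
# catch-all rules such as
#   -A INPUT   -j LOG --log-prefix "IP[IN]: "  --log-level 7
#   -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
#   -A OUTPUT  -j LOG --log-prefix "IP[OUT]: " --log-level 7
# and their ip6tables twins (prefix "IPv6[...]: ") into a top-talkers list.
#
# SAMPLE_LOG is constructed for this example. Field names are the ones the
# LOG target really emits; the addresses, interfaces and values are made up.
SAMPLE_LOG='[12345.678] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[12346.001] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[12347.442] IP[FWD]: IN=br0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
[12348.100] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.33 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=80 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[12349.250] IP[OUT]: IN= OUT=eth1 SRC=198.51.100.2 DST=203.0.113.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[12350.500] IPv6[IN]: IN=sit1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=50000 DPT=443 WINDOW=28800 RES=0x00 SYN URGP=0
[12351.000] e1000e 0000:00:19.0 eth1: NIC Link is Up 1000 Mbps Full Duplex'

# Keep only the lines written by the catch-all LOG rules, either family.
# "|| true" keeps a no-match hour from aborting a `set -e` cron script.
fw_log_lines() {
    grep -E 'IP(v6)?\[(IN|FWD|OUT)\]: ' || true
}

# Count the lines carrying one exact prefix, e.g. fw_log_count 'IP[IN]'.
fw_log_count() {
    grep -Fc "$1: " || true
}

# Print "<count> <family> <chain> <proto> <dport> <src>", most frequent
# first, limited to the top N (default 10). Fields are located by name,
# not position: TCP, UDP and ICMP lines differ in field count, and IPv6
# lines carry TC/HOPLIMIT/FLOWLBL where IPv4 has TOS/PREC/TTL/ID.
fw_log_summary() {
    fw_log_lines | awk '
    {
        fam = ($0 ~ /IPv6\[/) ? "v6" : "v4"
        chain = $0
        sub(/.*IP(v6)?\[/, "", chain); sub(/\].*/, "", chain)
        src = "-"; dpt = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        n[fam " " chain " " proto " " dpt " " src]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn | head -n "${1:-10}"
}

# Demo on the constructed sample; the cron job would pipe `dmesg` in instead.
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary 5
```

Two caveats a practitioner would want here. The kernel ring buffer that `dmesg` reads is finite and is lost on reboot, so a busy hour can overwrite lines before the cron job runs; feeding the same functions from the syslog file is more robust. That in turn depends on the log level: `--log-level 7` is debug, which the stock CentOS rsyslog `*.info` rule for /var/log/messages does not capture, so the lines only appear in `dmesg` unless `kern.debug` is routed to a file.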
Hello Walter,

On Tue, 16 May 2017 09:47:47 +0200 "Walter H." <walter.h at mathemainzel.info> wrote:

> On Mon, May 15, 2017 09:53, wwp wrote:
>
> > On Mon, 15 May 2017 09:22:54 +0200 "Walter H."
> > <walter.h at mathemainzel.info> wrote:
> >
> >> On Sun, May 14, 2017 11:00, wwp wrote:
> >> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
> >> > <Walter.H at mathemainzel.info> wrote:
> >> >
> >> > This might become off-topic with my reply, but I'm curious: is there
> >> > any specific software you're running from CentOS on your zbox in order
> >> > to manage the router features?
> >> SSH?
> >
> > I think I've been unclear, sorry about that! I wanted to ask if you use
> > something, any helper installed on this router box, on top of
> > firewalld/iptables, in order to set up and administrate the NAT/routing
> > (and eventually proxy) rules?
>
> I've configured it quite simply ...
>
> /etc/sysconfig/network-scripts:
> ifcfg-eth0 and ifcfg-wlan0 have this: BRIDGE=br0
> ifcfg-br0 is LAN (dual-stack)
> ifcfg-eth1 is WAN (IPv4 only)
> ifcfg-sit1 is an HE IPv6 tunnel (IPv6 only)
>
> /etc/hostapd/hostapd.conf has this:
> interface=wlan0
> bridge=br0
>
> /etc/sysconfig/ip(6)tables have at the last lines this:
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7
>
> there runs a cron job every hour, which sends an email like this:
> dmesg |grep -e "IP(v6)\[" |timefltr.pl
>
> for DNS a BIND is configured as caching DNS, and as authoritative master for
> my domain ...
>
> an Apache is configured only for some status pages like output of
> 'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'
>
> I programmed some simple network diagnostics:
> - traceroute(6) and ping(6) to a given dns/ip-host
> - nslookup of a given dns-name
>
> this is only reachable from the LAN side; as I have a VM that runs a squid
> with SSL-interception, I made a mini-CA, the root is installed on my
> computers, one intermediate CA is used by squid, the other intermediate CA
> is used for signing an SSL certificate which I use on the LAN side of my
> zbox or on my intranet (e.g. squirrel)
>
> to reach my squirrel, the apache does proxying ...
>
> when there is the need of changing firewall rules, I manually edit the
> files and reload ip(6)tables ...
>
> it is somewhat very individual, I'm thinking of sending SMS messages on
> special situations, e.g. the WAN IP address has changed (this happens
> about 2-3 times in a year)
>
> that's all

Thanks for all this! That will help for sure :-)!

Regards,

-- 
wwp