On Mon, 31 Dec 2007 21:36:09 -0500 "Mark A. Lewis" <mark@siliconjunkie.net> wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Mark Weaver
Sent: Monday, December 31, 2007 8:09 PM
To: centos@centos.org
Subject: Re: [CentOS] Firewall frustration
On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz <rgm@htt-consult.com> wrote:
William L. Maltby wrote:
On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
Peter Farrell wrote:
"Problem is I want a REAL router/firewall with little work."
Run a Smoothwall installation and replace your CentOS install.
Well, first challenge is my unit's USB Ethernet dongles. CentOS uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
I've used this at home for years. I don't know if it's suitable, but
it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ...
Has run/tested successfully on various configurations here. It's another "ditch your CentOS" solution though. But you can put it on any old junk laying around and it'll probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz PCI gives <= 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax.
As I thought about things this morning, trying to put up Smoothwall, I realized that one of my goals is to have a tool to turn a CentOS system that I am using for foo into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see, I have these plans with some small ITX systems....
Have you considered Linux that fits on a floppy disk?
http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
http://www.linuxlinks.com/Distributions/Floppy/
http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/
Get one running and configured and save to floppy... if things go south, reboot the machine and everything is back. No hard drives to worry about...
Mark
"Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!" ============================================== Powered by CentOS5 (RHEL5)
I have this vision of a live CD that would come up and pull down its config via SCP or HTTPS and run. Or maybe a PGP encrypted file over TFTP. No writable media in the machine at all, no access to write to the configs, just a dumb device that knows where to get its config. Any compromise could be fixed with just a reboot, the config could even be reloaded at some interval automatically, off machine logging, perhaps even without an interface. You could more than likely go one step further and use PXE to load everything over NFS or something, then you are at no moving parts. Unfortunately, I have the ideas but not the knowledge or time. In my opinion, this would be the ultimate evolution of things like IPCop and Smoothwall.
I want to say that m0n0wall had this on the roadmap, but I haven't looked lately. Appears someone has done some work on it: http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html
I seem to remember there being distro ISO tools out there that allow one to roll their own distro, but for the life of me can't remember what it's called.
Anyway, if you're feeling ambitious you could load an OS, season to taste and then create your OS using the Live CD technology that's out there.
-- Mark
"Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!" ============================================== Powered by CentOS5 (RHEL5)
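As an added example, not code from anyone in this thread, here is a minimal boot-time script for the "dumb device that knows where to get its config" that Mark Lewis sketches: fetch the ruleset and a detached signature over HTTPS, verify against a keyring baked into the read-only image, sanity-check the file, apply it, and fall back to deny-all on any failure. CONFIG_URL, SIGNER_KEYRING, WORKDIR and the FW_APPLIANCE_BOOT switch are assumed placeholder names; it relies on curl, gpg and iptables-restore being present in the image.

```shell
# Added example, not code from the thread: boot-time fetch/verify/apply for a
# read-only firewall appliance. CONFIG_URL, SIGNER_KEYRING, WORKDIR and the
# FW_APPLIANCE_BOOT switch are assumed placeholders; needs curl, gpg, iptables.
set -u
CONFIG_URL="${CONFIG_URL:-https://config.example.invalid/fw/rules.v4}"   # placeholder
SIGNER_KEYRING="${SIGNER_KEYRING:-/etc/fw/trusted.gpg}"                  # baked into the image
WORKDIR="${WORKDIR:-/run/fw}"                                             # tmpfs, nothing persists
# Deny-all ruleset used whenever fetch or verification fails: a bad config
# server or a tampered file can only leave the box closed, never open.
failsafe_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}
# Structural sanity check before handing a file to iptables-restore: it must
# be a filter-table dump that ends in COMMIT and defaults INPUT to DROP.
validate_ruleset() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -qx '\*filter' || return 1
    grep -q '^:INPUT DROP' "$f" || return 1
    tail -n 1 "$f" | grep -qx 'COMMIT'
}

# Detached OpenPGP signature check against the pinned keyring only, so the
# appliance trusts exactly the signing keys shipped in its boot image.
verify_signature() {
    gpg --batch --no-default-keyring --keyring "$SIGNER_KEYRING" \
        --verify "$1.asc" "$1" >/dev/null 2>&1
}
fetch_config() {
    curl -fsS --max-time 20 -o "$1" "$CONFIG_URL" &&
        curl -fsS --max-time 20 -o "$1.asc" "$CONFIG_URL.asc"
}

# One cycle: fetch, verify, validate, apply; any failure loads deny-all.
# Running it from a periodic timer gives the "reload at some interval" idea.
apply_config() {
    mkdir -p "$WORKDIR"
    rules="$WORKDIR/rules.v4"
    if fetch_config "$rules" && verify_signature "$rules" && validate_ruleset "$rules"; then
        iptables-restore < "$rules"
    else
        logger -t fw-appliance "config fetch/verify failed, loading deny-all ruleset"
        failsafe_rules | iptables-restore
        return 1
    fi
}
# Only act when invoked as the appliance's boot job, never when merely sourced.
if [ "${FW_APPLIANCE_BOOT:-0}" = "1" ]; then apply_config; fi
```

Because the working directory lives on tmpfs and the keyring is part of the image, nothing a running box accepts survives a reboot, which is the property the post is after.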