On Mon, June 29, 2015 02:14, Sorin Srbu wrote: OS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of James B. Byrne Sent: den 29 juni 2015 15:10 To: CentOS mailing list Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
Sorry for OT.
Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or IPCop? In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe, as in this case, minimize attack surfaces).
Still just curious about the arguments pro/con regular OSes as firewalls. 8-)
Am 29.06.2015 um 15:46 schrieb Sorin Srbu sorin.srbu@orgfarm.uu.se:
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
Sorry for OT.
Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or IPCop? In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe, as in this case, minimize attack surfaces).
Still just curious about the arguments pro/con regular OSes as firewalls. 8-)
+1 - here we use the same distro for "all" because most security holes are normally caused by the configuration abilities of humans. To catch this effectively, the distro is not a variable. Therefore I appreciate the great work of the "CentOS on ARM7" team!
-- LF
On 06/29/2015 06:46 AM, Sorin Srbu wrote:
Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or Ipcop?
Yes, a minimal install of CentOS is probably larger (less minimal) than a specialized distribution.
In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe, as in this case, minimize attack surfaces).
When all of your systems are one OS, you can more easily build an infrastructure that provides backups, security and bug fix updates, monitoring, etc. for all of your systems. Specialized devices are often left out when admins set up infrastructure to provide those services for their primary systems. That's one way that a general purpose OS can be significantly better than a specialized OS.
Am 29.06.2015 um 19:40 schrieb Gordon Messmer gordon.messmer@gmail.com:
On 06/29/2015 06:46 AM, Sorin Srbu wrote:
Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or Ipcop?
Yes, a minimal install of CentOS is probably larger (less minimal) than a specialized distribution.
Our dedicated DNS systems are minimal without effort (234 packages / 1.1 GB total); with more effort we could reduce that to under 1 GB (logfiles included).
In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe, as in this case, minimize attack surfaces).
When all of your systems are one OS, you can more easily build an infrastructure that provides backups, security and bug fix updates, monitoring, etc. for all of your systems. Specialized devices are often left out when admins set up infrastructure to provide those services for their primary systems. That's one way that a general purpose OS can be significantly better than a specialized OS.
+1
-- LF
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Gordon Messmer Sent: den 29 juni 2015 19:40 To: CentOS mailing list Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 06/29/2015 06:46 AM, Sorin Srbu wrote:
Even considering a minimal CentOS install, is that still less minimal than e.g. Smoothwall or Ipcop?
Yes, a minimal install of CentOS is probably larger (less minimal) than a specialized distribution.
In my world, security has a price, and that might be the need to learn another distro in order to minimize security issues (and maybe, as in this case, minimize attack surfaces).
When all of your systems are one OS, you can more easily build an infrastructure that provides backups, security and bug fix updates, monitoring, etc. for all of your systems. Specialized devices are often left out when admins set up infrastructure to provide those services for their primary systems. That's one way that a general purpose OS can be significantly better than a specialized OS.
Those are good points, thanks.
I'm probably somewhat indoctrinated by the Smoothwall community and the thesis that an appliance like that, which only does one thing, is really good at doing just that.
Thanks all for your thoughts on this!
James B. Byrne wrote:
On Mon, June 29, 2015 02:14, Sorin Srbu wrote: OS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
Yup. For, um, about a dozen years, I ran RH 7.1, 7.2, 7.3, and eventually 9 on an old box that was nothing but a firewall router. I was seriously paranoid - no gcc or any development tools, no X, not much of anything. To the best of my knowledge, we never had a break-in.
I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly impressed. I mean, it seems ok, but the project is run in what I can only describe as "amateur", in the worst sense of the word. The several official developers each release a build, and you can choose whose; people on the mailing list have "favorite builds", which is not a phrase I have *ever* heard used with an OS before, and I'm afraid to update, as some of their "documentation" is out of date, or wrong.
At some point, I may just get a Pi, and run CentOS, or some firewall/router distro, though that would mean not having WiFi for guests.
mark
On 6/29/2015 7:43 AM, m.roth@5-cent.us wrote:
At some point, I may just get a Pi, and run CentOS, or some firewall/router distro, though that would mean not having WiFi for guests.
I'm using a UniFi AP for my wireless; actually, I have two of them at home for full coverage. It works SO much smoother than the consumer routers I'd tried before. The UniFi is a ceiling-mount device that looks like a smoke detector; it gets its power from the ethernet wire (comes with the PoE injector), and the two of them act as a single wireless access point, one at each end of my rather long house, providing corner-to-corner coverage.
On 06/29/2015 10:43 AM, m.roth@5-cent.us wrote:
James B. Byrne wrote:
On Mon, June 29, 2015 02:14, Sorin Srbu wrote: OS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
Being a longtime RH/CentOS user recently flirting with Debian, I have to agree. Another advantage to using a single distro across multiple machines is the ability to compare them (e.g., does this system file have the same size and timestamp on all my systems?).
I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly impressed. I mean, it seems ok, but the project is run in what I can only describe as "amateur", in the worst sense of the word. The several official developers each release a build, and you can choose whose; people on the mailing list have "favorite builds", which is not a phrase I have *ever* heard used with an OS before, and I'm afraid to update, as some of their "documentation" is out of date, or wrong.
I agree on dd-wrt. Several docs and occasional forum postings say, "check the wiki." Other docs and forum postings say, "ignore the wiki, it's outdated." Finding the latest build is like an easter egg hunt. The whole project seemed to me to be very disorganized.
Re: administration and docs again: My router's wifi radio seemed to go out one day (after a power outage). I couldn't connect to the router anymore via wifi. The lack of reliable docs made figuring out the settings a guessing game. And I didn't know what tools existed for diagnosing the hardware and software.
I have to sympathize with the dd-wrt developers though. There are a lot of routers on the market. Most are vastly different in what hardware and features they have. And too, in most cases (I'd think) they have no docs from manufacturers, so they have to reverse-engineer the code, and do this separately for dozens if not hundreds of routers on the market. Given these circumstances, it's amazing they've been able to do what they've done.
Waxing further off-topic, a solution to this, IMO, would be something very much like a Raspberry Pi router: essentially an RPi with a half-dozen RJ45 ports. It would be nice to have the wifi built into it, but because these are country-specific, the wifi radio would probably need to be a separate plug-in part. But having non-volatile memory on a card, as RPi's already have, would make testing and upgrading (and also downgrading) much easier and worry-free.
At some point, I may just get a Pi, and run CentOS, or some firewall/router distro, though that would mean not having WiFi for guests.
When the radio on my wifi went out, I found it a simple matter to set up a secure wifi AP (using hostapd) on an RPi and plug it into an RJ45 on my router.
mark
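As an added illustration of the cross-system comparison idea raised in this reply (example code written for this page, not from anyone in the thread), the POSIX shell script below diffs a package manifest and a file size/mtime manifest between a reference minimal host and the gateway. The manifests are constructed inline so it runs offline; the `rpm -qa --qf` and `stat -c` commands in the comments are how they would be captured on real hosts.

```shell
#!/bin/sh
# Added example, not from the thread. Compares manifests captured on two
# CentOS hosts. On a real host the inputs would come from, e.g.:
#   rpm -qa --qf '%{NAME}\n' | sort                   # package manifest
#   stat -c '%n %s %Y' /etc/ssh/sshd_config /bin/bash  # path size mtime
# Here both manifests are constructed inline so the script runs offline.
set -eu

# Constructed sample manifests (sorted, one entry per line).
REFERENCE_PKGS='bash
coreutils
iptables
openssh-server
rpm
yum'
GATEWAY_PKGS='bash
coreutils
gcc
iptables
openssh-server
rpm
xorg-x11-server-Xorg
yum'
REFERENCE_FILES='/bin/bash 960472 1410000000
/etc/hosts 158 1409999999
/etc/ssh/sshd_config 3907 1435552000'
GATEWAY_FILES='/bin/bash 960472 1410000000
/etc/hosts 158 1435600000
/etc/ssh/sshd_config 3907 1435552000'

# Print packages present in $2 but absent from the reference manifest $1:
# on a firewall box these are the candidates for removal (compilers, X, ...).
extra_packages() {
    ref=$(mktemp)
    printf '%s\n' "$1" > "$ref"
    printf '%s\n' "$2" | grep -vxF -f "$ref" || true
    rm -f "$ref"
}

# Print paths whose size or mtime differ between file manifests $1 and $2
# (joined on path; a path missing from either side is not reported).
changed_files() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    join -j 1 "$a" "$b" | awk '$2 != $4 || $3 != $5 { print $1 }'
    rm -f "$a" "$b"
}

echo "Packages on gateway not in reference:"; extra_packages "$REFERENCE_PKGS" "$GATEWAY_PKGS"
echo "Files differing in size/mtime:"; changed_files "$REFERENCE_FILES" "$GATEWAY_FILES"
```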