At 07:43 AM 6/29/2015, you wrote:
James B. Byrne wrote:
On Mon, June 29, 2015 02:14, Sorin Srbu wrote: OS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
Maintenance.
A consistent set of expectations does wonders for debugging odd-ball occurrences. Why learn the idiosyncrasies of two distros when one suffices? Just start with a minimal CentOS install on your router/gateway and add only the packages that you know that you need. Any critical omission will evidence itself in short order and can be added then; or the source of the need removed as circumstance warrants.
Yup. For, um, about a dozen years, I ran RH 7.1, 7.2, 7.3, and eventually 9 on an old box that was nothing but a firewall router. I was seriously paranoid - no gcc or any development tools, no X, not much of anything. To the best of my knowledge, we never had a break-in.
I'm running DD-WRT on an ASUS router these days, and I'm *NOT* wildly impressed. I mean, it seems ok, but the project is run in what I can only describe as "amateur", in the worst sense of the word. The several official developers release a build, and you can choose which one of whose; people on the mailing list have "favorite builds", which is not a phrase I have *ever* heard used with an o/s before, and I'm afraid to update, as some of their "documentation" is out of date, or wrong.
At some point, I may just get a Pi, and run CentOS, or some firewall/router distro, though that would mean not having WiFi for guests.
mark
Mark,
The WiFi solution I use still uses a CentOS 6 firewall/router/gateway, but one of my inside devices is a WiFi router. Rather than doing double routing, I connect one of the WiFi router's LAN connections via a switch to my router, leaving the WiFi router's WAN connection unused. That way, my gateway (and not the WiFi router) is the DHCP server, and can enforce whatever firewall rules I want to apply.
No need to give up your guest WiFi if you stick with a CentOS gateway.
David
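The topology David describes, as an added example that is not from this thread: a shell function that emits the iptables ruleset for a two-NIC CentOS 6 gateway that is the LAN's only router and its DHCP/DNS server, with the WiFi router plugged in by a LAN port as a plain access point. The interface names (eth0 WAN, eth1 LAN), the 192.168.1.0/24 subnet, and that the WiFi router's own DHCP server is switched off are assumptions.

```shell
# Added example, not code from the CentOS list thread.
# gateway_rules WAN LAN LAN_NET prints the iptables commands for a CentOS 6
# box with two NICs that is the only router, DHCP server and DNS resolver for
# the LAN; the WiFi router is just an access point on the LAN switch and its
# own DHCP server is assumed to be off. Interface names and subnet are
# assumptions; defaults below are eth0 (WAN), eth1 (LAN), 192.168.1.0/24.
gateway_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to the gateway's own connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: LAN addresses never arrive legitimately on the WAN side
iptables -A INPUT -i $wan -s $lan_net -j DROP
iptables -A FORWARD -i $wan -s $lan_net -j DROP
# the gateway, not the WiFi router, answers DHCP and DNS for the LAN
iptables -A INPUT -i $lan -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# administer the box from the LAN only; nothing listens on the WAN
iptables -A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
# LAN may go out; WAN may only send back replies to existing flows
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT everything leaving on the WAN interface
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Print the ruleset for review; pipe it to "sh" as root on the gateway to apply.
gateway_rules "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.0/24}"
```

The function only prints, so the ruleset can be reviewed without root; on CentOS 6, `service iptables save` persists it across reboots once applied.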
david wrote:
<snip>
Hmmm... that's a thought. On the other hand, for defence in depth, I'm sort of leery about using my own system as a firewall. As I noted, on my old firewall/router box, I had almost nothing. That's why I'm considering a Pi....
mark
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us Sent: den 29 juni 2015 17:25 To: CentOS mailing list Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server
<snip>
I used to use a similar solution at home with Smoothwall and an AP. Worked fine till the computer running Smoothwall died. Worked fine for home use. IDK if it would be a good solution in a "professional" environment as well, but scaled up of course.
On Mon, 2015-06-29 at 08:17 -0700, david wrote:
<snip>
I get good results with IPCop on an older box. I happened to already have my WAP set up, similar to David, with ethernet cable into my Netgear gigabit switch. But IPCop has a zone now for wifi and I could hook it into my IPCop and get all its benefits.
I haven't bothered because I'm in the boonies with little traffic, meaning less "drive-by" traffic/chance of someone trying to break in via that route, and my security key is very long and follows all the usual guidelines re case, numbers, etc. Everyone that I've authorized has had to attempt multiple times to finally get in, even me, until the device in use (iPhone, Android phone, Kindle Fire, ...) remembers a successful access completion.
I'm very pleased with IPCop - going on near a decade by now I guess.
MHO, Bill
OT, but for firewalls I do lots of work with various flavors, and I have pretty much settled on pfSense; since most of what I run is *nix based, I like the fact that it's BSD-based. I have tried and tested lots of stuff and that is the one that I have settled on, use and support. Just something else to add to the list.