[CentOS] Firewall frustration

Tue Jan 1 02:36:09 UTC 2008
Mark A. Lewis <mark at siliconjunkie.net>


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Mark Weaver
Sent: Monday, December 31, 2007 8:09 PM
To: centos at centos.org
Subject: Re: [CentOS] Firewall frustration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 31 Dec 2007 12:21:34 -0500
Robert Moskowitz <rgm at htt-consult.com> wrote:

> William L. Maltby wrote:
> > On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
> >   
> >> Peter Farrell wrote:
> >>     
> >>> "Problem is I want a REAL router/firewall with little work."
> >>>
> >>> Run a smoothwall installation and replace your CentOS install.
> >>>
> >>> http://www.smoothwall.org/
> >>>   
> >>>       
> >> well first challenge is my unit's USB ethernet dongles. Centos uses
> >> the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 
> >> 8139, and 8169...
> >>     
> >
> > I've used this at home for years. I don't know if it's suitable, but
> > it seems *very* flexible. Allows for NAT or not, has typical zones, 
> > reporting, IPTables modification support, ...
> >
> >    http://www.ipcop.org/
> >
> > Has run/tested successfully on various configurations here. It's 
> > another "ditch your CentOS" solution though. But you can put it on 
> > any old junk laying around and it'll probably work. Using cable 
> > modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz
> > pci gives <= 700MB/sec - both from decent sites. Tested using both 
> > ISA and PCI bus adapters through both twisted pair and thin coax.
> As I thought about things this morning, trying to put up smoothwall, I
> realized that one of my goals is to have a tool to turn a Centos 
> system that I am using for foo, into a firewall for bar for a day.  I 
> have Astaro for my serious firewall needs (see later post), but need 
> something 'portable'.  You see I have these plans with some small itx 
> systems....

have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/

http://www.linuxlinks.com/Distributions/Floppy/

http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south
reboot the machine and everything is back. no hard drives to worry
about...

- --
Mark

"Drunkenness is not an excuse for stupidity. If you're stupid when
you're sober then that's one thing, but if you're sober when you're
stupid, then you're just plain stupid!"
============================================== Powered by CentOS5
(RHEL5)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFHeZKZAHUWFbtwPigRAqlLAJ9NrXCoPuh0vyCET81GKQ7a27RQ0QCbBvkT
Ez253XYLAOfSJS7u5ij36U4=
=jb20
-----END PGP SIGNATURE-----


I have this vision of a live CD that would come up and pull down its
config via SCP or HTTPS and run. Or maybe a PGP encrypted file over
TFTP. No writable media in the machine at all, no access to write to the
configs, just a dumb device that knows where to get its config. Any
compromise could be fixed with just a reboot, the config could even be
reloaded at some interval automatically, off machine logging, perhaps
even without an interface. You could more than likely go one step
further and use PXE to load everything over NFS or something, then you
are at no moving parts. Unfortunately, I have the ideas but not the
knowledge or time. In my opinion, this would be the ultimate evolution
of things like IP Cop and Smoothwall.

I want to say that monowall had this on the roadmap, but I haven't
looked lately. Appears someone has done some work on it:
http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html
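As an added illustration of the config-pulling design sketched in the message above (this is example code written for this archive page, not code from the thread, from m0n0wall, IPCop or Smoothwall): a device with no writable media fetches a policy blob, accepts it only if a detached integrity tag verifies, turns it into a rule list, and falls back to deny-all on any failure, so a bad download or a tampered file can never leave the box running a weaker policy than intended. Assumptions: the tag check is HMAC-SHA256 with a pre-shared key baked into the read-only boot image, used here as a stand-in for the PGP signature verification the post proposes; the policy grammar (`allow`/`forward` lines) is constructed for the example; and the code only generates the `iptables` commands rather than executing them. The `fetch` callable is where HTTPS, SCP or TFTP would plug in; here it is backed by an in-memory constructed config.

```python
"""Stateless firewall config loader: fetch, verify, render, fail closed."""
import hashlib
import hmac
import re
from typing import Callable, List, Tuple

# Pre-shared verification key (constructed; in the design it ships inside the
# read-only boot image, so nothing on the box can change it).
VERIFY_KEY = b"example-preshared-key-baked-into-boot-image"

# Policy applied whenever no valid config is available.
DENY_ALL = [
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT ACCEPT",
]

_IFACE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def sign_config(config: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Detached tag the config server publishes next to the config blob."""
    return hmac.new(key, config, hashlib.sha256).hexdigest().encode()


def verify_config(config: bytes, tag: bytes, key: bytes = VERIFY_KEY) -> bool:
    """Constant-time comparison; a mismatch leaks nothing through timing."""
    return hmac.compare_digest(sign_config(config, key), tag.strip())


def render_rules(config: bytes) -> List[str]:
    """Translate the constructed line-oriented policy into iptables commands.

    Grammar:  allow <tcp|udp> <port>    accept inbound traffic on that port
              forward <in_if> <out_if>  permit forwarding between interfaces
    Anything else raises, so a truncated or corrupted file is rejected
    outright instead of silently producing a partial ruleset.
    """
    rules = list(DENY_ALL)
    rules.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for lineno, raw in enumerate(config.decode("utf-8").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if (len(parts) == 3 and parts[0] == "allow" and parts[1] in ("tcp", "udp")
                and parts[2].isdigit() and 0 < int(parts[2]) < 65536):
            rules.append(f"iptables -A INPUT -p {parts[1]} --dport {parts[2]} -j ACCEPT")
        elif (len(parts) == 3 and parts[0] == "forward"
                and _IFACE.fullmatch(parts[1]) and _IFACE.fullmatch(parts[2])):
            rules.append(f"iptables -A FORWARD -i {parts[1]} -o {parts[2]} -j ACCEPT")
        else:
            raise ValueError(f"line {lineno}: unrecognised directive {line!r}")
    return rules


def load_policy(fetch: Callable[[], Tuple[bytes, bytes]]) -> Tuple[str, List[str]]:
    """One iteration of the periodic reload.

    `fetch` returns (config_bytes, tag_bytes) from wherever the device is told
    to look. Transport error, tag mismatch or unparseable config all end in the
    deny-all ruleset, never in a partial policy.
    """
    try:
        config, tag = fetch()
    except Exception as exc:            # host unreachable, TLS failure, etc.
        return f"fetch failed: {exc}", list(DENY_ALL)
    if not verify_config(config, tag):
        return "signature mismatch", list(DENY_ALL)
    try:
        return "ok", render_rules(config)
    except ValueError as exc:
        return f"invalid config: {exc}", list(DENY_ALL)


# Constructed "remote" config and its tag, standing in for the real fetch.
SAMPLE_CONFIG = b"""# constructed policy for the example
allow tcp 22
allow udp 514   # syslog back to the off-box collector
forward eth1 eth0
"""
SAMPLE_TAG = sign_config(SAMPLE_CONFIG)


def fetch_good() -> Tuple[bytes, bytes]:
    return SAMPLE_CONFIG, SAMPLE_TAG


def fetch_tampered() -> Tuple[bytes, bytes]:
    # Config altered in transit while the tag still covers the original.
    return SAMPLE_CONFIG.replace(b"allow tcp 22", b"allow tcp 23"), SAMPLE_TAG


if __name__ == "__main__":
    for name, fetch in (("good", fetch_good), ("tampered", fetch_tampered)):
        status, rules = load_policy(fetch)
        print(f"[{name}] {status}")
        for rule in rules:
            print("   ", rule)
```

Running the module shows the good fetch producing the full ruleset and the tampered fetch collapsing to deny-all. The design point carried over from the post is that the box holds only a verification key and a URL: with the media read-only, a reboot discards any runtime compromise, and the reload loop re-fetches a policy that was signed somewhere the device itself cannot write to.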