On 11/27/2015 11:56 AM, Gordon Messmer wrote:
> You're proposing that you set up hosts which are accessible by the
> internet (the least trusted zone) but don't have internet access to
> retrieve and apply security updates. That's not a good idea at all.

They don't need access to the Internet to retrieve updates. I mirror CentOS and EPEL via rsync locally on my network because it makes building packages in mock much faster. I build LibreSSL for CentOS 7 and a custom LAMP stack against it for CentOS 7. And I maintain my own media repository for ffmpeg and modern GStreamer packages, so that CentOS 7 for me has modern multimedia capabilities.

So LAN mirrors are needed and exist, and updates don't have to come from a remote server. I probably should have mentioned that.

Part of the issue I'm currently having on my local network: the router I have seems to die if I try anything DNSSEC-enforcing behind it; the caching nameserver in it just stops working. So I have to run a recursive nameserver of my own on anything I want to validate with DNSSEC.

I know several consumer routers have had security issues recently, and figured I'd just build a micro ATX box to make my own, with a DNSSEC-enforcing recursive resolver and a mirror for CentOS + EPEL built in for the CentOS hosts on my network.

I can get a WAP for my home wireless needs (small, two laptops and my phone, but I have some range issues with the consumer wifi router) and turn my existing wifi router into the wifi for guests, powering it off when I don't have guests.

I don't want to buy an expensive switch; I potentially have an opportunity to get this Intel card for under $100, which is why I'm considering doing this.

-=- snip -=-

> Port forwarding from B/C to A seems like it isn't the right way. Thanks.
From the Internet it's the only way, but that will probably just be an ssh port that is forwarded; my only purpose really is a place to put files I need to access when not at home. (I don't like cloud storage for personal files. I understand why servers use it, but for personal files I don't like it; even encrypted, I don't want snoops to have access to them.)

-- 
-=- Sent from my laptop, may not be able to respond timely
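The LAN-mirror arrangement described in this message, as an added example that is not part of the original post or of the CentOS project: one function pulls CentOS 7 and EPEL from an upstream rsync mirror into a local tree, a second writes the yum .repo file that points hosts at that tree, and a third checks that every section in a generated .repo file keeps gpgcheck=1. The upstream rsync URLs (example.org), the local mirror path and the LAN base URL are placeholders to be replaced with your own; the gpgkey paths are the ones CentOS 7 and epel-release ship.

```shell
#!/bin/sh
# Added example (not from the original post): a LAN mirror of CentOS 7 and
# EPEL kept with rsync, plus the client-side .repo file that uses it.
# Assumptions: MIRROR_ROOT, the upstream rsync URLs and the LAN base URL are
# placeholders; set them for your own mirror host before running "sync".
set -eu

MIRROR_ROOT="${MIRROR_ROOT:-/srv/mirror}"                              # assumed local path
CENTOS_UPSTREAM="${CENTOS_UPSTREAM:-rsync://example.org/centos/7/}"    # placeholder URL
EPEL_UPSTREAM="${EPEL_UPSTREAM:-rsync://example.org/epel/7/}"          # placeholder URL

# Pull one repository tree from an upstream rsync mirror into the LAN mirror.
# --delay-updates stages new files and moves them into place at the end, and
# --delete-after removes obsolete packages only after that, so clients never
# see a half-updated repository during a sync.
sync_repo() {
    upstream="$1"; dest="$2"
    mkdir -p "$dest"
    rsync -avH --delete-after --delay-updates "$upstream" "$dest/"
}

# Write a yum .repo file for a client that uses the LAN mirror.
# gpgcheck=1 is the security point: the mirror is only a transport, and every
# package is still verified against the vendor key already installed on the
# host (the EPEL key is installed by the epel-release package).
write_repo_file() {
    out="$1"; baseurl="$2"
    cat > "$out" <<EOF
[centos-local]
name=CentOS 7 - LAN mirror
baseurl=$baseurl/centos/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centos-updates-local]
name=CentOS 7 updates - LAN mirror
baseurl=$baseurl/centos/7/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[epel-local]
name=EPEL 7 - LAN mirror
baseurl=$baseurl/epel/7/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
EOF
}

# Check a .repo file: the number of [sections] must equal the number of
# gpgcheck=1 lines, so no section can silently skip signature verification.
repo_file_ok() {
    sections=$(grep -c '^\[' "$1" || true)
    checks=$(grep -c '^gpgcheck=1$' "$1" || true)
    [ "$sections" -gt 0 ] && [ "$sections" -eq "$checks" ]
}

# Usage: "$0 sync" refreshes the mirror; "$0 repo http://mirror.lan" prints
# a .repo file for a client pointed at that base URL.
case "${1:-}" in
    sync)
        sync_repo "$CENTOS_UPSTREAM" "$MIRROR_ROOT/centos/7"
        sync_repo "$EPEL_UPSTREAM" "$MIRROR_ROOT/epel/7"
        ;;
    repo)
        write_repo_file /dev/stdout "${2:-http://mirror.lan}"
        ;;
esac
```

The mirror host serves MIRROR_ROOT over plain HTTP on the LAN; that is fine precisely because gpgcheck=1 stays on, since a tampered package on the mirror fails signature verification on the client rather than being installed.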