[CentOS] Networking Question

Fri Nov 27 20:21:49 UTC 2015
Alice Wonder <alice at domblogger.net>

On 11/27/2015 11:56 AM, Gordon Messmer wrote:

> You're proposing that you set up hosts which are accessible by the
> internet (the least trusted zone) but don't have internet access to
> retrieve and apply security updates.  That's not a good idea at all.

It doesn't need access to Internet to retrieve updates, I mirror CentOS 
and EPEL via rsync locally on my network because it makes building 
packages in mock much faster.

I build LibreSSL for CentOS 7 and custom LAMP stack against it for 
CentOS 7. And I maintain my own media repository for ffmpeg and modern 
GStreamer packages, so that CentOS 7 for me has modern multimedia 
capabilities. So LAN mirrors are needed and exist, and updates don't 
have to come from remote server.

I probably should have mentioned that.

Part of the issue I'm currently having on my local network, the router I 
have seems to die if I try anything DNSSEC enforcing behind it, the 
caching nameserver in it just stops working.

So I have to run a recursive nameserver of my own on anything I want to 
validate with DNSSEC.

I know several consumer routers have had issues with security recently, 
and figured I'd just build a micro ATX to make my own, with DNSSEC 
enforcing recursive resolver and a mirror for CentOS + EPEL built in for 
my CentOS hosts on my network.

I can get a WAP for my home wireless needs (small, two laptops and my 
phone, but I have some range issues with consumer wifi router) and turn 
my existing wifi router into the wifi for guests, powering it off when I 
don't have guests.

I don't want to buy an expensive switch, this Intel card I potentially 
have an opportunity to get one for under $100 which is why I'm 
considering doing this.

-=- snip -=-

Port forwarding from B/C to A seems like it isn't the right way. Thanks.

 From Internet it's the only way, but that will probably just be an ssh 
port that is forwarded - my only purpose really is a place to put files 
I need to access when not at home (I don't like cloud storage for 
personal files, I understand why servers use it but for personal files, 
I don't like it, even encrypted I don't want snoops to have access to them.)

Sent my from my laptop, may not be able to respond timely