Hello Walter,

On Tue, 16 May 2017 09:47:47 +0200 "Walter H." <walter.h at mathemainzel.info> wrote:

> On Mon, May 15, 2017 09:53, wwp wrote:
>
> > On Mon, 15 May 2017 09:22:54 +0200 "Walter H."
> > <walter.h at mathemainzel.info> wrote:
> >
> >> On Sun, May 14, 2017 11:00, wwp wrote:
> >> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
> >> > <Walter.H at mathemainzel.info> wrote:
> >> >
> >> > This might become off-topic with my reply, but I'm curious: is there
> >> > any specific software you're running from CentOS on your zbox in order
> >> > to manage the router features?
> >> SSH?
> >
> > I think I've been unclear, sorry about that! I wanted to ask if you use
> > something, any helper installed on this router box, on top of
> > firewalld/iptables, in order to set up and administrate the NAT/routing
> > (and eventually proxy) rules?
>
> I've configured it quite simple ...
>
> /etc/sysconfig/network-scripts:
> ifcfg-eth0 and ifcfg-wlan0 have this: BRIDGE=br0
> ifcfg-br0 is LAN (Dual-Stack)
> ifcfg-eth1 is WAN (IPv4only)
> ifcfg-sit1 is an HE IPv6 tunnel (IPv6only)
>
> /etc/hostapd/hostapd.conf has this:
> interface=wlan0
> bridge=br0
>
> /etc/sysconfig/ip(6)tables have at the last lines this:
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7
>
> there runs a cronjob every hour, which sends an email
> like this:
> dmesg |grep -e "IP(v6)\[" |timefltr.pl
>
> for DNS a BIND is configured as caching DNS, and as authoritative master for
> my domain ...
>
> an Apache is configured only for some status pages like output of
> 'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'
>
> I programmed some simple network diagnostics:
> - traceroute(6) and ping(6) to a given dns/ip-host
> - nslookup of a given dns-name
>
> this is only reachable from LAN side; as I have a VM that runs a squid
> with SSL-interception, I made a mini-CA, the root is installed on my
> computers,
> one intermediate CA is used by squid, the other intermediate CA is used
> for signing an SSL certificate which I use on LAN side of my zbox or on my
> intranet (e.g. squirrel)
>
> to reach my squirrel, the apache does proxying ...
>
> when there is the need of changing firewall rules, I manually edit the
> files and reload ip(6)tables ...
>
> it is somewhat very individual, I'm thinking of sending SMS messages on
> special situations, e.g. the WAN IP address has changed (this happens
> about 2-3 times in a year)
>
> that's all

Thanks for all this! That will help for sure :-)!

Regards,

-- 
wwp
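As an added example, not code from the thread and not Walter's timefltr.pl (whose contents are not shown): a small Python parser for the dmesg output produced by the catch-all LOG rules above, summarising which chain, address family, protocol and destination port the unmatched traffic is hitting, which is the kind of digest the hourly cron mail would want. The literal prefixes "IP[..]" and "IPv6[..]" (the thread writes them as "IP(v6)[..]") and the sample kernel-log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample dmesg output (not from the thread): three IPv4 hits, one
# IPv6 hit and one unrelated kernel message that the parser must skip.
SAMPLE_DMESG = """\
[ 1001.100000] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[ 1001.200000] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[ 1002.000000] IP[FWD]: IN=br0 OUT=eth1 SRC=192.168.1.10 DST=192.0.2.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=44000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
[ 1003.000000] IPv6[IN]: IN=sit1 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=UDP SPT=3333 DPT=53 LEN=40
[ 1004.000000] random: crng init done
"""

# Assumed prefixes: "IP[IN]: " from iptables and "IPv6[IN]: " from ip6tables.
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+IP(?P<v6>v6)?\[(?P<chain>IN|FWD|OUT)\]:\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags (DF, SYN) are skipped


def parse_log_lines(text):
    """Return one dict per LOG hit; lines without a matching prefix are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": float(m["ts"]),
               "family": "IPv6" if m["v6"] else "IPv4",
               "chain": m["chain"]}
        rec.update(FIELD_RE.findall(m["rest"]))  # IN, OUT, SRC, DST, PROTO, DPT, ...
        records.append(rec)
    return records


def summarize(records):
    """Count hits per (chain, family, PROTO, DPT) and per source address."""
    by_rule = Counter((r["chain"], r["family"], r.get("PROTO", "?"), r.get("DPT", "-"))
                      for r in records)
    by_src = Counter(r.get("SRC", "?") for r in records)
    return by_rule, by_src


if __name__ == "__main__":
    by_rule, by_src = summarize(parse_log_lines(SAMPLE_DMESG))
    for key, n in by_rule.most_common():
        print(n, *key)
```

To use it on the real box, feed the parser `dmesg` output (or `journalctl -k`) instead of the constructed sample.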