| 1 |
Leonid Eremin posted on Sun, 15 Mar 2015 22:08:16 +0300 as excerpted: |
| 2 |
|
| 3 |
> Why don't you look for something [like the 2-port mobo I have, LAN/WAN |
| 4 |
> with a gigabit switch on the LAN side]? Of course, if you don't have |
| 5 |
> some sophisticated routing rules which requires >=4 NICs. |
| 6 |
|
| 7 |
I explained this in the original post, but it was long and admittedly |
| 8 |
people might have skimmed, so here it is again. |
| 9 |
|
| 10 |
A big part of the whole /point/ of going amd64-based router, despite the |
| 11 |
expense and hassle over an old generic off-the-shelf, is that: |
| 12 |
|
| 13 |
(a) I want to put gentoo on it, in part so I can easily play with per- |
| 14 |
port firewalling/routing/traffic-shaping rules. My current old Linksys |
| 15 |
WRT54GL running OpenWRT actually has the ability to configure each of the |
| 16 |
five ethernet ports (plus the wifi) separately, but I've not played with |
| 17 |
it much, in part because it's sufficiently different from my gentoo |
| 18 |
comfort zone that working with its config is like reading and writing a |
| 19 |
different language I don't really know, such that I'm constantly having |
| 20 |
to lookup stuff. |
| 21 |
|
| 22 |
Which I'd be willing to do were I doing a bunch of openwrt, but for just |
| 23 |
the one router, it seems like a waste, and I have to look stuff up again |
| 24 |
every time I want to make a change because I never actually bothered |
| 25 |
learning it properly. |
| 26 |
|
| 27 |
(b) From experience with the netbook, I know that even if it's gentoo, I |
| 28 |
won't keep up with it if I'm building everything separately for it. |
| 29 |
Thus, amd64 gentoo, so for many packages I can build once and binpkg |
| 30 |
install three times, to the new router, the main machine, and my new |
| 31 |
netbook, if/when I get one (that side of the thread hasn't gotten any |
| 32 |
hits, yet). |
| 33 |
|
| 34 |
|
| 35 |
So, while I don't have specific rules for all the ports /yet/, for me at |
| 36 |
least, a good part of the whole point of bothering with an amd64 router |
| 37 |
instead of just doing off-the-shelf, is that I /can/ do specific rules |
| 38 |
for each port, and I want at least five ports (six would be better, two |
| 39 |
builtin and the quad-port, but five should do for now), plus a USB- |
| 40 |
connected wifi expansion option should I choose to exercise it. |
| 41 |
|
| 42 |
Things I already have in mind: |
| 43 |
|
| 44 |
* I'd very much like to specifically route only VoIP stuff to the VoIP |
| 45 |
phone adapter, and keep it from accessing the rest of the LAN. It's |
| 46 |
actually a proprietary adapter, tho I suspect it's running standard SIP- |
| 47 |
based VoIP, setup such that it keeps an open connection to the VoIP |
| 48 |
server and thus can be contacted across the NAPT-based router/firewall, |
| 49 |
and I'd also very much like to log to what it's actually connecting, and |
| 50 |
eventually block pretty much everything but the main VoIP server it's |
| 51 |
connecting to. (Sometimes it rings once but doesn't complete an inbound |
| 52 |
call. I strongly suspect that's unfriendly VoIP probes from |
| 53 |
telemarketers, etc, that can't complete the call since they can't bridge |
| 54 |
the NAPT. Getting more information and potentially blocking those would |
| 55 |
be nice.) |
| 56 |
|
| 57 |
Of course as I said, my current router can do it, but working with its |
| 58 |
configuration is like trying to read/write a foreign language, so I've |
| 59 |
not bothered. |
| 60 |
|
| 61 |
* The current firewalling is pretty simple NAPT based, with a bit of |
| 62 |
stateful for stuff like FTP. That means pretty much all outgoing is |
| 63 |
allowed, only incoming really controlled in any way. I want to be much |
| 64 |
stricter with outgoing. |
| 65 |
|
| 66 |
* I'd like to be able to run simple outside-accessible servers, probably |
| 67 |
on the router itself since it's about the only thing on all the time, |
| 68 |
listening on some high port. Nothing fancy, just enough to host |
| 69 |
individual files I can link to, etc. Limiting access to particular IP |
| 70 |
ranges, on high-range ports I specify, etc, is planned. That's why I |
| 71 |
said outside accessible, NOT publicly accessible. |
| 72 |
|
| 73 |
* I have/had my current netbook setup such that I could run an ssh server |
| 74 |
on it when I wanted, allowing connections only from the main machine (via |
| 75 |
local-routed-only IP-address), on the LAN. Since I deliberately didn't |
| 76 |
have anything particularly private on the netbook, I figured running the |
| 77 |
server on it was least-risk. Of course it was private key authorization |
| 78 |
only, no password, as well, and not listening on the usual ssh port. But |
| 79 |
I didn't have any specific rules on the router. With the new router and |
| 80 |
new chromebook reimaged to gentoo, I plan on allowing only specific port |
| 81 |
to port ssh connections and blocking any others. Accepting/routing only |
| 82 |
ssh connections to the main machine port from the netbook port, as well |
| 83 |
as by netbook LAN IP only, should give me enough additional security to |
| 84 |
feel comfortable running an ssh server on the main machine as well, so I |
| 85 |
can connect to it from the netbook. Obviously I'd still only start it |
| 86 |
manually, when I expected to be using it, in ordered to avoid having it |
| 87 |
running all the time, for efficiency and security reasons both. |
| 88 |
|
| 89 |
* That's four ports (wan, main, netbook, VoIP). The fifth is guest, |
| 90 |
which I'll probably leave more open to the net, while strictly |
| 91 |
controlling what it can access on the LAN. After all, I can add new |
| 92 |
permissions for port-to-port access to my main machine or netbook |
| 93 |
dynamically, if needed. |
| 94 |
|
| 95 |
* The router itself should be reasonably capable of serving as a LAN |
| 96 |
print or storage server, should I decide to set it up as such, as long as |
| 97 |
I don't expect it to do everything at once. And being constantly on will |
| 98 |
make it convenient for that. Thus the chances of needing more ports for |
| 99 |
that goes down dramatically. |
| 100 |
|
| 101 |
* Of course that's not including the possible USB-connected wifi, which |
| 102 |
could of course have its own separate rules enforced, potentially even |
| 103 |
with multiple virtual wifi networks. But I'm old enough to appreciate |
| 104 |
the security and constancy of physically wired connections, so while I |
| 105 |
want to keep the wifi option open (which is easy to do with usb-connected |
| 106 |
wifi, even if I don't have an open PCIE slot), it's not one I plan to |
| 107 |
exercise immediately. But if/when I do, I imagine I'll be pretty strict |
| 108 |
with the wired-lan connection rules for it, since I don't particularly |
| 109 |
trust wireless as I don't have the physical control of it that I do of |
| 110 |
wired connections. I might setup a publicly accessible no-login, |
| 111 |
bandwidth-limited and possibly censorware limited internet connection, |
| 112 |
however, just because... |
| 113 |
|
| 114 |
* Should I expand beyond that, or should I find real life changing such |
| 115 |
that I have a family's connections to secure and route as well, this |
| 116 |
experience will guide me as I expand. Chances are they'll be way less |
| 117 |
concerned about security, and will be happy with general wifi internet |
| 118 |
access. If I need more ethernet ports, I'll have to evaluate at that |
| 119 |
point whether I need a bigger router, or can simply hang a switch off one |
| 120 |
of the existing ports and shift roles and rules around to accomodate. |
| 121 |
What I'll be learning with this more limited setup will help. |
| 122 |
|
| 123 |
-- |
| 124 |
Duncan - List replies preferred. No HTML msgs. |
| 125 |
"Every nonfree program has a lord, a master -- |
| 126 |
and if you use the program, he is your master." Richard Stallman |
Archives