chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Wed Apr 07, 2004 5:42 pm  Post subject: gentoo on router?
Hi,
I just ordered a small book-size PC, which I want to use as my router.
It uses a Via Eden CPU (800 MHz) and I will run it with 256 MB of RAM and a 40 GB HDD.
The structure looks like this:
Code:
              I N T E R N E T
                    |
                    |
                    |
               192.168.0.1
    (router which I talk about) - - - - - DMZ
                    |                 (later maybe)
                    |
                    |
                  Switch
                  /    \
                 /      \
                /        \
               /          \
              /            \
    192.168.0.101      another gentoo box
    gentoo laptop
Well, nothing exciting, but now the thing is: all of my boxes behind
the router are running gentoo, but I am not sure what to use on my router.
A friend of mine has a similar structure on his home network, and he told me he uses
Trustix Secure Linux (TSL) -> www.trustix.net
It is a server-based distro which aims at only supplying the packages needed for server use
(like no X server, which I don't need), and of these programs only versions that are tested
and proven to be most "stable and secure"; for example, if a new version of a program has some
vulns, it is not added until the bug is fixed. (The "Secure" in the distro name comes from
using "secure" packages, not from providing things like stack execution protection and
such sort of things.)
It uses swup (SoftWareUPdater) to update these packages.
I thought I would also use this system, because it seems to be a quite good solution to my problem.
The router box will be arriving this week, and today I just thought to myself:
"Why not use gentoo-hardened on it?"
I mean, I would be able to add stack protection, SELinux and all kinds of software to
harden my box even more, since it is connected to the internet. I don't need many processes
running on my router; all I need is:
-sshd (for administration from my laptop, since the router itself has no keyboard and no monitor attached)
-firewall (iptables)
-an IDS system
-Snort
-ntp
-maybe some other services like samba (not sure yet)
All services should only be accessible from the internal LAN, of course.
What do you think about it? Is gentoo-hardened a good choice for use as a router OS?
I could also easily upgrade all the software needed; it takes a bit more time, but when I set
the niceness of portage to, let's say, 10, I think it shouldn't have a problem doing its job while
compiling.
btw: is it possible to install the box without SELinux, but add it later to the running system?
What do you think about it, is gentoo-hardened or Trustix better for this purpose, or another
distribution?
I hope you can give me some hints on this,
cheers,
chino_
madchaz (l33t)
Joined: 01 Jul 2003  Posts: 993  Location: Quebec, Canada
Posted: Wed Apr 07, 2004 6:16 pm
honestly, I think it depends on how you connect.
DSL is a pain because you get disconnected now and then, and I haven't personally found a way to force it back up when that happens.
gentoo is a good choice. Personally, I use smoothwall as my firewall. Works great, nice little web interface for administration, and the updates are a simple "download, browse on hd, send" to install. It even tells you on the page when a new one is available.
if you use gentoo, you can build your own iptables script or use something like shorewall to automate the script.
I'd say, try them. try the one your friend suggested, try smoothwall (it's worth a look at least) and if you aren't satisfied, try gentoo.
Another advantage with using gentoo is you could easily add it to a distcc farm. You said all your boxes are gentoo, so maybe also putting the portage tree on it and using it as your local rsync server would be a good idea. would save bandwidth to the main servers. if they all have the same CPU architecture, you could also use it as a central openmosix server and put all your other machines as nodes.
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
www.madchaz.com A small candle of a website. Has my lab specs on it.
chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Fri Apr 09, 2004 3:06 pm
Yeah, I connect through DSL.
But it shouldn't be a problem to write a script that checks every minute if you are connected; if not, it just reconnects...
I just downloaded smoothwall, and will give it at least a short try.
Although I really like the idea of having a complete gentoo environment.
Does anyone have gentoo-hardened on the router here?
irf2003 (Veteran)
Joined: 10 Sep 2003  Posts: 1078
Posted: Fri Apr 09, 2004 5:27 pm
have a look at this wiki:
http://wiki.gentoo-portage.com/HOWTO_setup_a_home-server
the gentoo solution is preferable, of course.
as for smoothwall and the other rip-offs like it, if I had
deep pockets I would sue their a**ses off for infringing the
GPL license.
the gentoo-based solution provided in the wiki above should
be fine.
you may also want to consider http://www.ipcop.org
the 1.4 (it's still in beta) is based on LFS (Linux From Scratch).
this is one of the only mature, truly GPL solutions out there,
and it's free as in free speech, and free beer.
you will have to build it (1.4 from cvs) yourself,
but it is really good compared to the others.
having said the above, the ultimate solution is strictly
a gentoo one, as it will give you more flexibility to set up
your gateway the way you want.
hth
chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Fri Apr 09, 2004 6:23 pm
Thanks for that wiki link, pretty interesting!
Yes, I have heard of IPCop before, but using gentoo (hardened) really
is my fav right now :)
btw: Do you think that setting up a proxy (squid) is worth it?
irf2003 (Veteran)
Joined: 10 Sep 2003  Posts: 1078
Posted: Sat Apr 10, 2004 8:34 am
chino_ wrote:
> Thanks for that wiki link, pretty interesting!
> Yes, I have heard of IPCop before, but using gentoo (hardened) really
> is my fav right now :)
> btw: Do you think that setting up a proxy (squid) is worth it?
yes, it is well worth it. if you have many gentoo boxes on
your network, squid will cache the distfiles, so subsequent
fetches will be from cache.
another thing, should you also have some windows boxes,
these and their windows updates consume a lot of bandwidth.
you can tweak squid into caching those windows update files.
and yet another thing, you can use it to filter ads and other
objectionable content (I'm using the following squid redirector
to filter content: http://adzapper.sourceforge.net)
my gateway runs ipcop 1.4b3, but I'm planning to move
to a purely gentoo-based gateway.
hth
chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Sat Apr 10, 2004 9:32 am
Thanks for your input here.
I will also have 1-2 windows machines behind the router, so the caching would be
really great. (btw: does squid cache distfiles automatically for gentoo?)
Adzapper sounds nice too, I will see that I get this up and running at least for testing.
I like to hear that you want to switch away from IPCop to gentoo-only; it makes me
feel like I also took a good way in using just gentoo :)
If you don't mind: what is it exactly that draws you away from ipcop to gentoo?
irf2003 (Veteran)
Joined: 10 Sep 2003  Posts: 1078
Posted: Sat Apr 10, 2004 1:09 pm
chino_ wrote:
> Thanks for your input here.
> I will also have 1-2 windows machines behind the router, so the caching would be
> really great. (btw: does squid cache distfiles automatically for gentoo?)
> Adzapper sounds nice too, I will see that I get this up and running at least for testing.
> I like to hear that you want to switch away from IPCop to gentoo-only; it makes me
> feel like I also took a good way in using just gentoo :)
> If you don't mind: what is it exactly that draws you away from ipcop to gentoo?
yes, distfiles are cached nicely; make sure all the machines
on the network are using the same mirrors.
I do emerge-webrsync, and the subsequent ones are really
from cache. the distfiles cache nicely too.
put these in your squid.conf file
Code:
# refresh_pattern [-i] regex min(minutes) percent max(minutes) [options]
# -i makes the regex case-insensitive; reload-into-ims turns a client
# "reload" into an If-Modified-Since check so the cached copy is kept.
# Note: in a regex a bare "*" after "/" only repeats the slash, so ".*"
# is needed to match arbitrary text (fixed below where the post had "/*").
refresh_pattern -i ^http://download\.windowsupdate\.com 2880 50% 999999 reload-into-ims
refresh_pattern -i ^http://www\.download\.windowsupdate\.com 2880 50% 999999 reload-into-ims
refresh_pattern -i ^http://download\.microsoft\.com/download/5/A/E/5AE9B581-0187-4A33-9759-39E4168B6958/.*\.cab 2880 50% 999999 reload-into-ims
refresh_pattern -i ^http://.*\.download\.windowsupdate\.com 2880 50% 999999 reload-into-ims
refresh_pattern -i ^http://wxpsp2\.windowsupdate\.microsoft\.com/isapi/pstream3\.dll/wxp/.*\.psf 2880 50% 999999 reload-into-ims
refresh_pattern -i ^http://download\.microsoft\.com/download/ 2880 50% 999999 reload-into-ims
# Generic installer/archive types: keep fresh for at least a day (1440 min).
refresh_pattern -i exe$ 1440 50% 999999
refresh_pattern -i zip$ 1440 50% 999999
refresh_pattern -i tar\.gz$ 1440 50% 999999
refresh_pattern -i tgz$ 1440 50% 999999
# .cab gets min 0 (no forced freshness); see the warning below about .cab files.
refresh_pattern -i \.cab$ 0 50% 999999
refresh_pattern -i \.bz2$ 1440 50% 999999
refresh_pattern -i \.rar$ 1440 50% 999999
please note the windows update links may differ for you.
what I suggest that you do is a clean install of whatever
windows is being used on your network.
after which, do a windows update, and look at the logs
to see what needs to be cached. never cache .cab files
unless you know exactly what it is, as this will bork
windowsupdate. also, some of the updates are "express",
so single them out, download the network install version
of these and deploy them by hand.
it is well worth caching windows update, since windows boxes
tend to go bananas after a month(s)?? of heavy use, and a clean install is de rigueur in winblows land.
ipcop is great for building a quick and dirty gateway,
but it does not fully meet my needs; I would like to have
postfix and spamassassin to handle all the mail.
also I would like to play with traffic shaping and bandwidth
limiting.
so it is easier to do such things with gentoo, since one
would have built the system oneself, and know how
everything is configured. also a gentoo system is much
easier to maintain in the long run.
hth
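The refresh_pattern lines in the post above are only as good as their regexes: Squid applies the first rule whose regex matches, so a mistyped pattern silently falls through to a later, more generic rule with different caching parameters. As an added example (not code from the thread), this Python checker parses refresh_pattern lines and reports which rule a URL would hit; the config and URL are constructed, and Python's re is assumed to behave like Squid's regex engine for patterns this simple.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RefreshRule:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    options: tuple
    ignore_case: bool

    def matches(self, url):
        # Assumption: Python re agrees with Squid's regex engine for these patterns.
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.regex, url, flags) is not None

def parse_refresh_pattern(line):
    """Parse 'refresh_pattern [-i] regex min percent max [options...]'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    parts = parts[1:]
    ignore_case = parts[0] == "-i"
    parts = parts[1:] if ignore_case else parts
    regex, min_m, pct, max_m, *options = parts
    return RefreshRule(regex, int(min_m), int(pct.rstrip("%")),
                       int(max_m), tuple(options), ignore_case)

def load_rules(config_text):
    # Rules keep file order; blank lines and # comments are skipped.
    return [parse_refresh_pattern(ln) for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def first_match(rules, url):
    # Squid applies the first refresh_pattern whose regex matches the URL.
    return next((r for r in rules if r.matches(url)), None)

# Constructed config: the "http://*" host rule as posted, then a generic exe$ rule.
BUGGY_CONFIG = r"""
refresh_pattern -i ^http://*\.download\.windowsupdate\.com 2880 50% 999999 reload-into-ims
refresh_pattern -i exe$ 1440 50% 999999
"""
# Same rules with the intended ".*" wildcard: "/*" only repeats the slash.
FIXED_CONFIG = BUGGY_CONFIG.replace("http://*", "http://.*")
SAMPLE_URL = "http://v4.download.windowsupdate.com/msdownload/sample.exe"  # constructed

if __name__ == "__main__":
    for name, cfg in (("buggy", BUGGY_CONFIG), ("fixed", FIXED_CONFIG)):
        hit = first_match(load_rules(cfg), SAMPLE_URL)
        print(name, "->", hit.regex if hit else "no rule", hit.options if hit else ())
```

With the posted form the update URL falls through to the generic exe$ rule (1440 min, no reload-into-ims); with the corrected wildcard it hits the intended 2880-minute rule.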
chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Sun Apr 11, 2004 12:28 pm
Thanks for the details here. I will edit as needed and merge into my config.
It really feels good to have windows stuff cached, so the bandwidth is not used
up by stupid win-updates (I need it for emerge, hehe)
irf2003 wrote:
> so it is easier to do such things with gentoo, since one
> would have built the system oneself, and know how
> everything is configured. also a gentoo system is much
> easier to maintain in the long run.
> hth
Are you going to install a "normal" gentoo or a hardened version?
irf2003 (Veteran)
Joined: 10 Sep 2003  Posts: 1078
Posted: Sun Apr 11, 2004 12:59 pm
chino_ wrote:
> Thanks for the details here. I will edit as needed and merge into my config.
> It really feels good to have windows stuff cached, so the bandwidth is not used
> up by stupid win-updates (I need it for emerge, hehe)
> irf2003 wrote:
> > so it is easier to do such things with gentoo, since one
> > would have built the system oneself, and know how
> > everything is configured. also a gentoo system is much
> > easier to maintain in the long run.
> > hth
> Are you going to install a "normal" gentoo or a hardened version?
I will not be installing hardened gentoo, the reason being that I would like
the gateway to join the local distcc farm.
I also envisage running other services besides the gateway ones for the LAN, and of course
"mprime (http://www.mersenne.org)", so as not to waste any
cpu cycles :-)
my setup will be as follows:
isp->router/FW->eth0->Gentoo gateway->eth1->switch->lan
hth
chino_ (Apprentice)
Joined: 05 Apr 2004  Posts: 186  Location: /dev/random
Posted: Mon Apr 12, 2004 11:27 am
Well, thanks for your time here, it really helped me!