From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-amd64@lists.gentoo.org
Subject: [gentoo-amd64] Re: Machine recommendations?
Date: Mon, 16 Mar 2015 06:29:27 +0000 (UTC)
References: <550348DC.8090708@asyr.hopto.org> <55042B23.6000207@asyr.hopto.org> <550572A9.7080908@asyr.hopto.org>

Leonid Eremin posted on Sun, 15 Mar 2015 22:08:16 +0300 as excerpted:

> Why don't you look for something [like the 2-port mobo I have, LAN/WAN
> with a gigabit switch on the LAN side]? Of course, if you don't have
> some sophisticated routing rules which require >=4 NICs.

I explained this in the original post, but it was long and admittedly people might have skimmed, so here it is again. A big part of the whole /point/ of going amd64-based router, despite the expense and hassle over an old generic off-the-shelf, is that:

(a) I want to put gentoo on it, in part so I can easily play with per-port firewalling/routing/traffic-shaping rules. My current old Linksys WRT54GL running OpenWRT actually has the ability to configure each of the five ethernet ports (plus the wifi) separately, but I've not played with it much, in part because it's sufficiently different from my gentoo comfort zone that working with its config is like reading and writing a different language I don't really know, such that I'm constantly having to look stuff up. Which I'd be willing to do were I doing a bunch of openwrt, but for just the one router, it seems like a waste, and I have to look stuff up again every time I want to make a change because I never actually bothered learning it properly.
(b) From experience with the netbook, I know that even if it's gentoo, I won't keep up with it if I'm building everything separately for it. Thus, amd64 gentoo, so for many packages I can build once and binpkg install three times: to the new router, the main machine, and my new netbook, if/when I get one (that side of the thread hasn't gotten any hits yet).

So, while I don't have specific rules for all the ports /yet/, for me at least a good part of the whole point of bothering with an amd64 router instead of just doing off-the-shelf is that I /can/ do specific rules for each port, and I want at least five ports (six would be better, two builtin and the quad-port, but five should do for now), plus a USB-connected wifi expansion option should I choose to exercise it.

Things I already have in mind:

* I'd very much like to specifically route only VoIP stuff to the VoIP phone adapter, and keep it from accessing the rest of the LAN. It's actually a proprietary adapter, tho I suspect it's running standard SIP-based VoIP, set up such that it keeps an open connection to the VoIP server and thus can be contacted across the NAPT-based router/firewall, and I'd also very much like to log what it's actually connecting to, and eventually block pretty much everything but the main VoIP server it's connecting to. (Sometimes it rings once but doesn't complete an inbound call. I strongly suspect that's unfriendly VoIP probes from telemarketers, etc, that can't complete the call since they can't bridge the NAPT. Getting more information and potentially blocking those would be nice.) Of course as I said, my current router can do it, but working with its configuration is like trying to read/write a foreign language, so I've not bothered.

* The current firewalling is pretty simple NAPT based, with a bit of stateful for stuff like FTP. That means pretty much all outgoing is allowed; only incoming is really controlled in any way. I want to be much stricter with outgoing.
* I'd like to be able to run simple outside-accessible servers, probably on the router itself since it's about the only thing on all the time, listening on some high port. Nothing fancy, just enough to host individual files I can link to, etc. Limiting access to particular IP ranges, on high-range ports I specify, etc, is planned. That's why I said outside accessible, NOT publicly accessible.

* I have/had my current netbook set up such that I could run an ssh server on it when I wanted, allowing connections only from the main machine (via local-routed-only IP address), on the LAN. Since I deliberately didn't have anything particularly private on the netbook, I figured running the server on it was least-risk. Of course it was private key authorization only, no password, as well, and not listening on the usual ssh port. But I didn't have any specific rules on the router. With the new router and new chromebook reimaged to gentoo, I plan on allowing only specific port-to-port ssh connections and blocking any others. Accepting/routing only ssh connections to the main machine port from the netbook port, as well as by netbook LAN IP only, should give me enough additional security to feel comfortable running an ssh server on the main machine as well, so I can connect to it from the netbook. Obviously I'd still only start it manually, when I expected to be using it, in order to avoid having it running all the time, for efficiency and security reasons both.

* That's four ports (wan, main, netbook, VoIP). The fifth is guest, which I'll probably leave more open to the net, while strictly controlling what it can access on the LAN. After all, I can add new permissions for port-to-port access to my main machine or netbook dynamically, if needed.

* The router itself should be reasonably capable of serving as a LAN print or storage server, should I decide to set it up as such, as long as I don't expect it to do everything at once.
And being constantly on will make it convenient for that. Thus the chances of needing more ports for that go down dramatically.

* Of course that's not including the possible USB-connected wifi, which could of course have its own separate rules enforced, potentially even with multiple virtual wifi networks. But I'm old enough to appreciate the security and constancy of physically wired connections, so while I want to keep the wifi option open (which is easy to do with usb-connected wifi, even if I don't have an open PCIE slot), it's not one I plan to exercise immediately. But if/when I do, I imagine I'll be pretty strict with the wired-lan connection rules for it, since I don't particularly trust wireless as I don't have the physical control of it that I do of wired connections. I might set up a publicly accessible no-login, bandwidth-limited and possibly censorware-limited internet connection, however, just because...

* Should I expand beyond that, or should I find real life changing such that I have a family's connections to secure and route as well, this experience will guide me as I expand. Chances are they'll be way less concerned about security, and will be happy with general wifi internet access. If I need more ethernet ports, I'll have to evaluate at that point whether I need a bigger router, or can simply hang a switch off one of the existing ports and shift roles and rules around to accommodate. What I'll be learning with this more limited setup will help.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
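As an added example (not part of Duncan's post or the thread), here is the per-port policy the message describes written as one nftables ruleset for a five-port box: the VoIP adapter's port logged and then restricted to its server, an egress allowlist for the main machine and netbook instead of "all outgoing allowed", ssh forwarded only from the netbook port to the main machine port and only for that address pair, an "outside accessible, NOT publicly accessible" high port limited to one source range, and a guest port that reaches the internet but no other LAN port. Interface names, the private addresses, the alternate ssh port and the admin range are assumptions; the VoIP server address is a placeholder to be filled in from the `voip-out:` log lines once the adapter has been observed. The post predates nftables on most routers, and the same policy is expressible in iptables with one chain per interface pair.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Interface names, addresses and
# port numbers are assumptions; VOIP_SERVER is a placeholder to be filled in
# from what the "voip-out:" log lines actually show.

flush ruleset

define WAN   = "wan0"
define MAIN  = "lan_main"
define NB    = "lan_netbook"
define VOIP  = "lan_voip"
define GUEST = "lan_guest"

define MAIN_IP     = 192.168.10.10    # constructed sample address: main machine
define NB_IP       = 192.168.20.10    # constructed sample address: netbook
define VOIP_SERVER = 203.0.113.5      # placeholder: the adapter's real upstream server
define SSH_PORT    = 2222             # non-default ssh port, as in the post
define ADMIN_RANGE = 198.51.100.0/24  # placeholder: the only outside range allowed in

table inet router {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        icmp type echo-request limit rate 5/second accept
        # the router serves DHCP and DNS to the LAN ports only, never to the WAN
        iifname { $MAIN, $NB, $VOIP, $GUEST } udp dport { 53, 67 } accept
        # "outside accessible, NOT publicly accessible": one high port, one source range
        iifname $WAN ip saddr $ADMIN_RANGE tcp dport 8443 accept
        # management ssh to the router itself only from the main machine's port and address
        iifname $MAIN ip saddr $MAIN_IP tcp dport $SSH_PORT accept
        # everything else falls through to the drop policy; keep a rate-limited record
        limit rate 10/minute log prefix "in-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # VoIP port: log every new flow the adapter opens, then allow only its server.
        # Anything else it tries, and anything from another LAN port toward it, hits
        # the drop policy, so the adapter cannot reach the rest of the LAN.
        iifname $VOIP ct state new log prefix "voip-out: "
        iifname $VOIP oifname $WAN ip daddr $VOIP_SERVER udp dport { 5060, 10000-20000 } accept

        # main machine and netbook: egress allowlist instead of "all outgoing allowed"
        iifname { $MAIN, $NB } oifname $WAN tcp dport { 80, 443 } accept
        iifname { $MAIN, $NB } oifname $WAN udp dport 123 accept

        # ssh only from the netbook port to the main machine port, matched on both the
        # interface pair and the address pair, on the non-default port
        iifname $NB oifname $MAIN ip saddr $NB_IP ip daddr $MAIN_IP tcp dport $SSH_PORT accept

        # guest port: internet only; no rule lets it reach another LAN port
        iifname $GUEST oifname $WAN accept

        limit rate 10/minute log prefix "fwd-drop: "
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and review the result with `nft list ruleset`. The `voip-out:` rule logs only `ct state new`, so the kernel log records each connection the adapter attempts without a line per packet; that is the information the post wants before `VOIP_SERVER` is narrowed to the one real server. Because both the `input` and `forward` chains end in `policy drop`, any port-to-port path not named here, including VoIP or guest toward the main machine, is denied by default, and new port-pair permissions are added as explicit rules rather than by loosening a default.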