From: "Dave Nebinger" <dnebinger@joat.com>
To: <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
Date: Fri, 09 Sep 2005 11:49:31 -0400
Message-ID: <00ad01c5b556$1196af30$0a00a8c0@butthead>
In-Reply-To: F49BE7328A1DA246AFC5C2CDDB86D917DFAFD1@BCV0X134EXC0005
>> 3. Performance, over time, would drop down to a trickle. The only way to
>> get it back up was to reboot the router. And since I didn't want to expose
>> the admin interface to the world, that meant that I would have to wait till
>> I was on-site to reboot it.
>
> Aahh, that's not on! I haven't noticed any such problem with mine. Are
> you sure it wasn't an ISP throttling, or contention ratio issue?
Well, it would be solved by a router reboot, so I don't think that it could
be throttling or contention from the ISP side.
I have noticed that there are times when, due to VCI/VPI errors on the ADSL
line that sometimes retraining results in a significantly lower
download/upload rate. When this happens I end up manually stopping/starting
the ADSL card and that typically brings the throughput rate back up to where
it should be. If I'm remote I just trigger a script that manages it for me
(since the connection goes down in the process) and reconnect after the box
reconnects itself.
> Access to netgear's remote web interface can be restricted to a particular
> IP address/port number and you can also remotely reboot the router.
This works if you have a known address that you're going to be coming from.
But if you need to recycle the router and all you have access to is the
hotspot at Starbucks, you're kinda limited (for good reasons ;-)
> I understand that it can obtain an IP address, subnet mask, DNS server
> addresses, and a gateway address if the ISP provides this information by
> DHCP. To act as a DHCP server for the LAN it has to keep its own
> routing tables, but I am not sure what it does with regards to DNS. I
> believe that it keeps stuff in the local cache but don't know the size
> of the cache. On the other hand it might just be passing all DNS
> queries to the ISP's DNS servers?
Ah, but my gentoo server uses a caching dns scheme, as well as providing
naming services for boxen inside the network, both of which are not possible
with the netgear box.
>> 5. No DMZ support - everything plugged into the netgear box is 'exposed'.
>> In my current gentoo gateway, I can and do severely limit traffic on the
>> intranet side while being a little less controlling on the DMZ side. Should
>> a penetration of the DMZ occur, I know that the line of demarcation between
>> the DMZ and the intranet should protect my sensitive information.
>
> As I understand it, now you get the full DMZ facility for a complete
> box/IP address.
I think you're confusing the 'pass through' setup with a dmz. The pass
through thing built into the netgear which they refer to as a DMZ just
routes all traffic inbound to a specific box. This is useful in gaming
where one wouldn't know or want to find all of the ports necessary to open
to get a game to work through a firewall.
For network terminology, however, the DMZ is a separate subnet from your
primary intranet; each subnet can have multiple boxen residing in it. Most
incoming traffic is routed to systems in the DMZ and does not go to the
intranet subnet. You can't do this with the netgear without more hardware
(i.e. a switch plugged into the dmz port of netgear that routes to different
internal systems).
>> 6. No ssh access, no ability to programmatically get information from the
>> router, and other minor complaints.
>
> Yes, unfortunately there's no raw engine room access, just the http gui,
> but for a simple network setup it should be OK.
Agreed. For the average home network user I would say they should use a
netgear or linksys or something - my setup is not typical and not for
newbies ;-)
>> In any case I ended up dumping netgear and running with a Sangoma ADSL card.
>> All the benefits of using ADSL whilst including all the access and
>> administration my gentoo box allows.
>
> That's for sure a more flexible self-determining approach, especially if
> you have a complex network configuration.
Well, I don't know if I'd call it complex. One powerful gentoo box running
as gateway & server, a DMZ with smaller servers hosting internal and
external services, and an intranet hosting gentoo & windows boxen. 8 to 10
boxen at any given time.
> Q1. If I connect my Gentoo box on its own (stand alone) via a dialup
> modem to the internet what's my internal iface and what is the external?
That will be your ppp interface, a logical interface that should show up
when you do the ifconfig after connecting. The internal interfaces will
still be your ethernet cards and lo.
> Q2. Can I run public services http/ftp/mail on the Gentoo box and in
> parallel continue using it as a desktop (simultaneously)? How do I set
> this up? How do I define my ifaces?
Sure. Just emerge the services you want to run, configure them, then
"rc-update add [service] default". That will bring the services up when the
system boots.
Gentoo & linux in general do not make a distinction between a desktop system
and a server system, as in the Windows world. The same kernel is used, the
same core set of software, etc. The only difference, as far as linux is
concerned, is what processes are running.
The part that will catch you, though, is the power of the box. If you're
doing this on an old 386 you'll see the impact of running a web server on it
immediately in the performance and swapping areas. If you're doing this on
a newer P4 with plenty of extra memory, you won't notice the addition much
at all.
--
gentoo-user@gentoo.org mailing list
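The Q1/Q2 answers above (ppp interface external, ethernet and lo internal, public services running beside desktop use) as a concrete iptables policy. This is an added example, not code from the thread or from Gentoo; the interface names ppp0 and eth0, the service ports 80/21/25 and the DRY_RUN switch are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): iptables policy for a
# stand-alone Gentoo box on a dialup/PPP link that also runs public services.
# Assumed interface names: ppp0 = external (the logical PPP interface),
# eth0 = internal LAN side, lo = loopback. Assumed public services: http (80),
# ftp (21) and smtp (25). DRY_RUN=1 prints the commands instead of running them.

EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 21 25}"

# Run iptables, or just print the command when DRY_RUN is set
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    # Start clean: nothing inbound unless explicitly allowed, nothing forwarded
    # (stand-alone box), everything outbound allowed for desktop use
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and the LAN side are trusted
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -j ACCEPT

    # Replies to connections this box opened (browsing, mail fetch, ...)
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # TCP packets that claim to be new but do not carry SYN are bogus
    ipt -A INPUT -i "$EXT_IF" -p tcp ! --syn -m state --state NEW -j DROP

    # The published services, reachable from the internet
    for port in $PUBLIC_TCP_PORTS; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Answer ping at a limited rate; other unsolicited ICMP falls to the policy
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log what is about to be dropped (rate limited) so probes show up in syslog
    ipt -A INPUT -i "$EXT_IF" -m limit --limit 3/min -j LOG --log-prefix "ipt-drop: "
}

case "${1:-}" in
    show)  DRY_RUN=1 build_firewall ;;
    apply) build_firewall ;;
esac
```

Run `sh firewall.sh show` to preview the rule set and `sh firewall.sh apply` as root to install it. Two caveats: passive-mode FTP data connections only match RELATED if the kernel's FTP connection-tracking helper (ip_conntrack_ftp on 2005-era kernels, nf_conntrack_ftp on current ones) is loaded, and the ppp interface only exists while the link is up, so the script belongs in an ip-up hook or an init script that runs after pppd connects.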
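The DMZ described earlier in the thread (a separate subnet, most inbound traffic routed to DMZ hosts, a line of demarcation protecting the intranet) as a three-interface gateway rule set. This is an added example, not the poster's configuration; the interface names ppp0/eth0/eth1, the DMZ web host address 192.168.2.10 and the DRY_RUN switch are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): three-interface gateway that
# keeps the intranet separate from the DMZ. Assumed interfaces:
#   ppp0 = ADSL/internet side, eth0 = intranet, eth1 = DMZ
# Assumed DMZ web server 192.168.2.10 (constructed address).
# DRY_RUN=1 prints the commands instead of running them.

EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"

# Run iptables, or just print the command when DRY_RUN is set
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_gateway() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # The gateway itself: trust loopback and the intranet, accept replies,
    # and let DMZ hosts use only the gateway's caching DNS
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -p udp --dport 53 -j ACCEPT

    # Forwarding: replies to already-established flows in every direction
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Intranet may reach the internet and the DMZ
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT

    # DMZ may reach the internet but never originates connections into the
    # intranet: this rule is the line of demarcation
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Internet may reach only the published DMZ service (address already
    # rewritten by the DNAT rule below, which runs in PREROUTING first)
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Nothing is ever forwarded from the internet to the intranet; log what
    # falls through to the DROP policy so DMZ-to-intranet attempts are visible
    ipt -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fwd-drop: "

    # NAT: publish the DMZ web server on the external address and masquerade
    # outbound traffic (the ppp address is dynamic)
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

case "${1:-}" in
    show)  DRY_RUN=1 build_gateway ;;
    apply) build_gateway ;;
esac
```

Forwarding also has to be switched on in the kernel (`echo 1 > /proc/sys/net/ipv4/ip_forward`, or net.ipv4.ip_forward=1 in /etc/sysctl.conf). The explicit DMZ-to-intranet DROP is redundant with the FORWARD policy, but keeping it as a named rule means a later "allow everything from eth1" mistake still hits it, and the LOG rule shows any DMZ host that starts probing inward.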