From: "Dave Nebinger"
Date: Fri, 09 Sep 2005 11:49:31 -0400
Subject: Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
To: gentoo-user@lists.gentoo.org
Message-id: <00ad01c5b556$1196af30$0a00a8c0@butthead>
List-Id: Gentoo Linux mail

>> 3. Performance, over time, would drop down to a trickle. The only way to
>> get it back up was to reboot the router. And since I didn't want to expose
>> the admin interface to the world, that meant that I would have to wait till
>> I was on-site to reboot it.
>
> Aahh, that's not on! I haven't noticed any such problem with mine. Are
> you sure it wasn't an ISP throttling, or contention ratio issue?

Well, it would be solved by a router reboot, so I don't think that it could
be throttling or contention from the ISP side.

I have noticed that there are times when, due to VCI/VPI errors on the ADSL
line, retraining results in a significantly lower download/upload rate. When
this happens I end up manually stopping/starting the ADSL card and that
typically brings the throughput rate back up to where it should be. If I'm
remote I just trigger a script that manages it for me (since the connection
goes down in the process) and reconnect after the box reconnects itself.

> Access to netgear's remote web interface can be restricted to a particular
> IP address/port number and you can also remotely reboot the router.

This works if you have a known address that you're going to be coming from.
But if you need to recycle the router and all you have access to is the
hotspot at Starbucks, you're kinda limited (for good reasons ;-)

> I understand that it can obtain an IP address, subnet mask, DNS server
> addresses, and a gateway address if the ISP provides this information by
> DHCP. To act as a DHCP server for the LAN it has to keep its own routing
> tables, but I am not sure what it does with regards to DNS. I believe that
> it keeps stuff in the local cache but don't know the size of the cache. On
> the other hand it might just be passing all DNS queries to the ISP's DNS
> servers?

Ah, but my gentoo server uses a caching dns scheme, as well as providing
naming services for boxen inside the network, both of which are not possible
with the netgear box.

>> 5. No DMZ support - everything plugged into the netgear box is 'exposed'.
>> In my current gentoo gateway, I can and do severely limit traffic on the
>> intranet side while being a little less controlling on the DMZ side. Should
>> a penetration of the DMZ occur, I know that the line of demarcation between
>> the DMZ and the intranet should protect my sensitive information.
>
> As I understand it, now you get the full DMZ facility for a complete
> box/IP address.

I think you're confusing the 'pass through' setup with a DMZ. The pass
through thing built into the netgear, which they refer to as a DMZ, just
routes all traffic inbound to a specific box. This is useful in gaming where
one wouldn't know or want to find all of the ports necessary to open to get
a game to work through a firewall.

For network terminology, however, the DMZ is a separate subnet from your
primary intranet; each subnet can have multiple boxen residing in it. Most
incoming traffic is routed to systems in the DMZ and does not go to the
intranet subnet. You can't do this with the netgear without more hardware
(i.e. a switch plugged into the dmz port of the netgear that routes to
different internal systems).

>> 6. No ssh access, no ability to programmatically get information from the
>> router, and other minor complaints.
>
> Yes, unfortunately there's no raw engine room access, just the http gui,
> but for a simple network setup it should be OK.

Agreed. For the average home network user I would say they should use a
netgear or linksys or something - my setup is not typical and not for
newbies ;-)

>> In any case I ended up dumping netgear and running with a Sangoma ADSL card.
>> All the benefits of using ADSL whilst including all the access and
>> administration my gentoo box allows.
>
> That's for sure a more flexible self-determining approach, especially if
> you have a complex network configuration.

Well, I don't know if I'd call it complex. One powerful gentoo box running
as gateway & server, a DMZ with smaller servers hosting internal and
external services, and an intranet hosting gentoo & windows boxen. 8 to 10
boxen at any given time.

> Q1. If I connect my Gentoo box on its own (stand alone) via a dialup
> modem to the internet what's my internal iface and what is the external?

That will be your ppp interface, a logical interface that should show up
when you do the ifconfig after connecting. The internal interfaces will
still be your ethernet cards and lo.

> Q2. Can I run public services http/ftp/mail on the Gentoo box and in
> parallel continue using it as a desktop (simultaneously)? How do I set
> this up? How do I define my ifaces?

Sure. Just emerge the services you want to run, configure them, then
"rc-update add [service] default". That will bring the services up when the
system boots.

Gentoo & linux in general do not make a distinction between a desktop
system and a server system, as in the Windows world. The same kernel is
used, the same core set of software, etc. The only difference, as far as
linux is concerned, is what processes are running.

The part that will catch you, though, is the power of the box. If you're
doing this on an old 386 you'll see the impact of running a web server on
it immediately in the performance and swapping areas. If you're doing this
on a newer P4 with plenty of extra memory, you won't notice the addition
much at all.

--
gentoo-user@gentoo.org mailing list
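The message above describes a gateway with a ppp external link, a separate DMZ subnet and an intranet subnet, with a line of demarcation that keeps a compromised DMZ host away from the intranet. The script below is an added example of that layout as an iptables ruleset; it is not part of Dave's message or of anyone's posted configuration. Every name and address in it is an assumption: ppp0 as the external interface, eth0 as the intranet on 192.168.0.0/24, eth1 as the DMZ on 192.168.1.0/24, a single DMZ web server at 192.168.1.10, and the gateway itself answering DNS for both inside subnets. The ruleset is built inside a function that takes the command to run, so "build_rules echo" prints the rules for review and "build_rules iptables" loads them.

```shell
#!/bin/sh
# Added example, not from the original message. A three-zone iptables
# ruleset for a Gentoo gateway. All interface names, subnets and the DMZ
# web host address are assumptions for illustration:
#   ppp0  - external link (dialup/ADSL PPP), dynamic address
#   eth0  - intranet, 192.168.0.0/24
#   eth1  - DMZ,      192.168.1.0/24, assumed web server at 192.168.1.10
# The gateway is assumed to run the caching DNS for both inside subnets.
EXT_IF=ppp0
LAN_IF=eth0
DMZ_IF=eth1
LAN_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24
DMZ_WEB=192.168.1.10

# build_rules CMD: every iptables invocation goes through CMD, so
# "build_rules echo" prints the ruleset and "build_rules iptables" loads it.
build_rules() {
    ipt=$1

    # Clean slate, default deny for traffic to and through the gateway;
    # the gateway's own outbound traffic is left open.
    $ipt -F
    $ipt -X
    $ipt -t nat -F
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the gateway or its clients started.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets claiming an inside source never arrive on ppp0.
    for net in $LAN_NET $DMZ_NET; do
        $ipt -A INPUT -i $EXT_IF -s $net -j DROP
        $ipt -A FORWARD -i $EXT_IF -s $net -j DROP
    done

    # Services the gateway offers inward: ssh and DNS from the intranet,
    # DNS only from the DMZ (a compromised DMZ host gets no ssh foothold).
    $ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $ipt -A INPUT -i $DMZ_IF -s $DMZ_NET -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -i $DMZ_IF -s $DMZ_NET -p tcp --dport 53 -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Forwarding between zones:
    #   intranet -> internet, intranet -> DMZ : allowed
    #   DMZ      -> internet                  : allowed
    #   DMZ      -> intranet                  : logged and dropped (the demarcation line)
    $ipt -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
    $ipt -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
    $ipt -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -j ACCEPT
    $ipt -A FORWARD -i $DMZ_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: "
    $ipt -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP

    # The only service reachable from the world: http, DNATed to the DMZ web
    # host. Nothing arriving on ppp0 is ever forwarded to the intranet subnet.
    $ipt -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
    $ipt -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Hide both inside subnets behind ppp0's dynamic address.
    $ipt -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
}

# Usage:  sh gateway.sh show   -> print the rules (dry run, no root needed)
#         sh gateway.sh apply  -> load them (needs root and net.ipv4.ip_forward=1)
case "${1:-show}" in
    apply) build_rules iptables ;;
    show)  build_rules echo ;;
esac
```

Read the printed rules before loading them: the FORWARD chain must show the ESTABLISHED,RELATED rule first, then the DMZ-to-intranet DROP, and no rule at all from ppp0 into eth0. With a dialup link the ppp0 name is whatever pppd reports in ifconfig, so check that before applying.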