From: thegeezer
Date: Sat, 07 Mar 2015 09:37:49 +0000
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] new linux router
Message-ID: <54FAC6ED.9070004@thegeezer.net>

On 04/03/15 15:10, James wrote:
> Hello,
>
> It's time to build a new router. Surely, I would just like to
> purchase hardware and run a minimized or embedded gentoo on it
> along with iptables and a few other packages. But, I got to reading
> and well it seems much has changed. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems?
> And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).....
>
> Then I read about NFtables....... [1]
> And there is more. So, being a bit busy what would folks recommend
> for purchase (I really do not need another project at this time)?
> I've used routers with ebtables in the past too.
>
> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.
>
> It's just a small home/office so 3x100Mb E would be fine, but GigE
> ports would be better. I'm flexible on the CPU/arch of the hardware,
> so all discussion and suggestions are welcome. In an idealized world
> I'd pay extra for a gentoo_derivative based router; but all I find
> is the WRT, devil_linux and such, nothing really cool and interesting.
>
> Anyone used lilblue or pentoo as the basis for a firewalled_router?
>
> A purchase is what I really want, but some hacking, if absolutely
> necessary, would be ok too. Ideas?
>
> curiously,
> James
>
> [1] http://netfilter.org/projects/nftables/

Howdy,

To get you started I'd really look at something like dd-wrt. There are a lot of features in there that are quite amazing. For a lot of features like site blocking etc. you might even consider a SonicWall: at around €300 you can get something that will do what you want, including the site blocking.

However, I believe Gentoo is the way forward for internet-facing devices because you can fully control every aspect of it, and I am regularly deploying Gentoo routers. You can go for something ARM based, but I tend to favour Jetway mini-ATX motherboards: they have daughter cards that clip into the main board and are screwed down. The main board will give you 2x gigabit NIC, and the daughter card will give you an additional 3.
All in, with 4GB memory, extra NICs and a small disk, case and power, you can get it for ~€400. It's Intel Atom and reasonably quick: you can compile on it, for example, and not have to wait a week for even small packages.

nftables is going to be a beasty, but the netfilter crowd have already released an iptables to nftables munger. I can see their point of changing things; evolution just got too clunky.

Really consider going the gentoo-hardened route, especially if you are having ports open on the internet-facing side.

Regarding software to install:

0. fail2ban for any internet-facing ports.
1. squid + squidGuard + downloaded lists + username/password allows you to filter a great deal. Really, with kids though, you want to consider whitelist access only, i.e. you put in duolingo, wikipedia etc. It's a pain to begin with, but then after you have all the requirements you know they aren't accessing anything else. Also consider distributing wpad.dat for autoconfiguration of devices.
2. Consider putting in freeradiusd as you can then go WPA2 Enterprise. Sounds like overkill, but lets you do great things like limit kids' _wifi_ access to an hour a day.
3. munin + vnstat + sarg/awstats + other fun for graphing.
4. You can even then use the device as a NAS and put snaps on there; let the kids have read-only access to stuff and adults can make changes.
5. Can then start looking at VPN-like services.

For other things you might like to look at Synology apps for DSM. They have a NAS that is essentially a Linux server with drop-in apps (mariadb, drupal, all kinds of fun stuff) and all (relatively) easy to do in Gentoo.

Happy hacking!
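As an added example (not code from the original post, nor from the squid project), here is a POSIX shell sketch of the whitelist-only squid setup suggested in item 1 above. The ACL names kids and kids_sites, the usernames alice and bob, the path /etc/squid/kids_whitelist.txt and the listed domains are all illustrative assumptions. The kids_allowed function mirrors squid's dstdomain matching so a whitelist can be dry-run before the proxy is reloaded: a pattern with a leading dot covers that domain and every subdomain, while a bare hostname matches only itself, which is the usual surprise when a whitelist "does not work".

```shell
#!/bin/sh
# Added example, not from the original post. Whitelist-only squid access for a
# "kids" group. ACL names, usernames, file path and domains are assumptions.

# Constructed whitelist, one squid dstdomain pattern per line.
# ".wikipedia.org" covers wikipedia.org and all of its subdomains;
# "en.wiktionary.org" (no leading dot) covers that single host only.
KIDS_WHITELIST='.duolingo.com
.wikipedia.org
en.wiktionary.org'

# Print the squid.conf fragment. squid evaluates http_access lines in order
# and stops at the first match, so the allow line must come before the deny;
# swapping them silently blocks everything for the kids group.
squid_kids_fragment() {
    cat <<'EOF'
# users subject to the whitelist (names assumed; proxy_auth needs an auth_param helper configured)
acl kids proxy_auth alice bob
# whitelist file: one dstdomain pattern per line
acl kids_sites dstdomain "/etc/squid/kids_whitelist.txt"
# first match wins: allow whitelisted sites, then deny the rest for kids
http_access allow kids kids_sites
http_access deny kids
EOF
}

# Offline check of what the whitelist will match, following dstdomain rules.
# Returns 0 if HOST would be allowed, 1 otherwise.
kids_allowed() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for pat in $KIDS_WHITELIST; do
        case $pat in
            .*)
                # leading dot: the domain itself or any subdomain of it
                [ "$host" = "${pat#.}" ] && return 0
                case $host in
                    *"$pat") return 0 ;;
                esac
                ;;
            *)
                # no leading dot: exact host only
                [ "$host" = "$pat" ] && return 0
                ;;
        esac
    done
    return 1
}

# Stand-alone run: print the fragment, then dry-run a few hosts against the list.
# Expected: en.wikipedia.org allowed; notwikipedia.org denied (the suffix match
# requires the dot); fr.wiktionary.org denied (only en.wiktionary.org is listed).
squid_kids_fragment
for h in en.wikipedia.org notwikipedia.org fr.wiktionary.org; do
    if kids_allowed "$h"; then echo "$h: allowed"; else echo "$h: denied"; fi
done
```

To go live, write the KIDS_WHITELIST lines to the file named in the dstdomain ACL, append the fragment to squid.conf ahead of any broader http_access allow rule, and run squid -k parse before squid -k reconfigure; keep the dry-run around, since editing the list is exactly where a missing leading dot creeps in.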