OT: ADSL safe practices and setting up a home network

Wolfgang S. Rupprecht wolfgang+gnus200604 at dailyplanet.dontspam.wsrcc.com
Fri Apr 14 18:01:51 UTC 2006


Eugen Leitl <eugen at leitl.org> writes:
> 200 MHz MIPSel with 32 MBytes RAM is underpowered for a residential
> firewall? Only for most extreme P2P users. If it sucks you're running
> the wrong firmware. 

I guess I could have worded it a bit differently, because a 200MHz RISC
would indeed have been quite fast just a short while ago.  I was just
trying to say that given the choice of running what amounts to the
same code on a 200MHz clockrate ARM RISC chip or a 2GHz (or more) x86,
the x86 is going to win.

I regularly do rdists to unify the filesystems and to do periodic
disk-to-disk backups.  When a slow machine is in the middle of the
transfer the rdist takes 2 or 3 hours.  When it is on a switched
10/100/1000 ether it only takes 1 hour.

> If it's underpowered, use a 266 MHz soekris or wrap board with 128 MBytes --
> and add swap space, if you must. If it's *still* underpowered, take a 
> mini-ITX Eden, booting from compact flash.

The OpenBSD folks tried using a Soekris as a router and were very
frustrated at how slowly the resulting router worked.  Perhaps things
have changed.

>> fedora does.  Why not run the firewall on a more powerful box like
>> your main computer?
>
> Because a software firewall is complementary to an external
> firewall. You could risk running a rich environment behind
> an external firewall without exposing your soft white underbelly
> to the net badness -- but arguably you should run a tight
> ship nevertheless. Notice that a software firewall can
> in principle know which application is using which port -- which
> an external firewall wouldn't know.

Years ago (long before those router NAT boxes were on the market) I
started putting two Ethernet cards in my "main" machine.  The
internet-facing card was heavily firewalled, with only ssh, www, smtp
and dns allowed in.  The other was essentially open and went to the
local net.  This was the same topology as the consumer firewall, but
allowed for more featureful firewalling.  One thing you can't do in a
consumer box is load it with a 2,000 element block list.  You also
can't change the blocklist at runtime (at least not easily) via a cron
task that periodically checks your logfiles and sees who is up to no
good.  It is really handy to put any abusive IP or network into the
list for a 90 day "chill-out" timeout.  (I use this to block mostly
Chinese and Brazilian email spambots that otherwise would hammer my
smtp and www server, and for dealing with folks that hammer my ssh
trying to guess passwords.)

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
Direct SIP URL Dialing: http://www.wsrcc.com/wolfgang/phonedirectory.html
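The log-driven blocklist with a 90-day "chill-out" described in the post, as an added example that is not the poster's own script: it scans constructed sshd log lines for repeated password failures, adds offending addresses with an expiry, drops entries whose timeout has passed, and renders iptables DROP rules. Hostnames, addresses and the failure threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux sshd auth log
# (hypothetical host "gw" and documentation-range addresses).
SAMPLE_LOG = """\
Apr 14 10:01:02 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Apr 14 10:01:05 gw sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 4415 ssh2
Apr 14 10:01:09 gw sshd[2205]: Failed password for root from 203.0.113.7 port 4420 ssh2
Apr 14 10:02:00 gw sshd[2210]: Failed password for wolfgang from 198.51.100.9 port 5001 ssh2
Apr 14 10:02:30 gw sshd[2211]: Accepted publickey for wolfgang from 198.51.100.9 port 5002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")
THRESHOLD = 3                      # assumed number of failures before an address is blocked
CHILL_OUT = timedelta(days=90)     # the 90 day "chill-out" timeout from the post
NOW = datetime(2006, 4, 14, 18, 0)  # constructed "current time" for the example run


def offenders(log_text, threshold=THRESHOLD):
    """Return {ip: failure_count} for addresses at or above the threshold."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def update_blocklist(blocklist, log_text, now, threshold=THRESHOLD):
    """Drop expired entries, then add (or refresh) offenders with a new expiry.

    blocklist maps ip -> expiry datetime; a new mapping is returned.
    """
    kept = {ip: exp for ip, exp in blocklist.items() if exp > now}
    for ip in offenders(log_text, threshold):
        kept[ip] = now + CHILL_OUT
    return kept


def iptables_rules(blocklist):
    """Render one INPUT-chain DROP rule per blocked address."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(blocklist)]


if __name__ == "__main__":
    # One cron run: empty blocklist in, freshly blocked addresses out.
    for rule in iptables_rules(update_blocklist({}, SAMPLE_LOG, NOW)):
        print(rule)
```

A real deployment would persist the expiry mapping between cron runs and flush or rebuild the chain rather than appending duplicate rules.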
More information about the fedora-list mailing list