OT: ADSL safe practices and setting up a home network
Guy Fraser
guy at incentre.net
Mon Apr 17 19:55:15 UTC 2006
On Fri, 2006-14-04 at 11:01 -0700, Wolfgang S. Rupprecht wrote:
> Eugen Leitl <eugen at leitl.org> writes:
> > 200 MHz MIPSel with 32 MBytes RAM is underpowered for a residential
> > firewall? Only for most extreme P2P users. If it sucks you're running
> > the wrong firmware.
>
> I guess I could have worded it a bit differently because a 200Mhz risc
> would indeed have been quite fast just a short while ago. I was just
> trying to say that given the choice of running what amounts to the
> same code on a 200Mhz clockrate ARM risc chip or a 2Ghz (or more) x86,
> the x86 is going to win.
>
> I regularly do rdists to unify the filesystems and to do periodic
> disk-to-disk backups. When a slow machine is in the middle of the
> transfer the rdist takes 2 or 3 hours. When it is on a switched
> 10/100/1000 ether it only takes 1 hour.
>
> > If it's underpowered, use a 266 MHz soekris or wrap board with 128 MBytes --
> > and add swap space, if you must. If it's *still* underpowered, take a
> > mini-ITX Eden, booting from compact flash.
>
> The openbsd folks tried using a soekris as a router and were very
> frustrated at how slowly the resulting router worked. Perhaps things
> have changed.
>
> >> fedora does. Why not run the firewall on a more powerful box like
> >> your main computer?
> >
> > Because a software firewall is complementary to an external
> > firewall. You could risk running a rich environment behind
> > an external firewall without exposing your soft white underbelly
> > to the net badness -- but arguably you should run a tight
> > ship nevertheless. Notice that a software firewall can
> > in principle know which application is using which port -- which
> > an external firewall wouldn't know.
>
> For years (long before those router NAT boxes were on the market) I
> started putting two ethernet cards in my "main" machine. The
> internet-facing card was heavily firewalled with only ssh, www, smtp
> and dns allowed in. The other was essentially open and went to the
> local net. This was the same topology as the consumer firewall, but
> allowed for more featureful firewalling. One thing you can't do in a
> consumer box is load it with a 2,000 element block list. You also
> can't change the blocklist at runtime (at least not easily) via a cron
> task that periodically checks your logfiles and sees who is up to no
> good. It is really handy to put any abusive IP or network into the
> list for a 90 day "chill-out" timeout. (I use this to block mostly
> Chinese and Brazilian email spambots that otherwise would hammer my
> smtp and www server and for dealing with folks that hammer my ssh
> trying to guess passwords.)
Most of these issues can be argued in different directions.
If you need a router for a small home or office a broadband
router should suffice.
If you need a hard core router, I would suggest Cisco or other
similar products. I have used Linux machines as routers in the
past, and it worked quite well, but they are far less efficient
than dedicated hardware routers. The main advantage of using
a Linux/BSD machine as a router is that you can customize the
features at will, and buy off the shelf components to build
and repair it. Some other disadvantages of using a Linux/BSD
machine as a router are the hard drive and relative storage
and power consumption requirements.
Even a good hardware firewall for home or SOHO use costs
less than most new PCs. If you have an old machine kicking
around it might be worth a try, but properly hardening and
configuring a Linux/BSD machine as a firewall is not for
anyone without plenty of experience.
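The log-scanning cron task Wolfgang describes in the quoted text (count who is hammering sshd, drop them into a blocklist for a 90-day "chill-out", expire them afterwards) as an added example; it is not code from anyone in this thread. It assumes Python, OpenSSH-style "Failed password" log lines (the excerpt below is constructed, using RFC 5737 documentation addresses), a threshold of five failures, a fixed reference time NOW, and an iptables chain named CHILLOUT; the firewall commands are rendered as strings, not executed.

```python
"""Threshold-based blocklist refresher in the spirit of the cron task
described in the thread: scan an auth log for repeated failed logins,
put offending addresses into a blocklist with a 90-day expiry, drop
entries whose timeout has passed, and emit the firewall commands that
would apply the result. Added example; log lines are constructed and
the chain name and threshold are assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Apr 17 19:40:01 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 17 19:40:03 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Apr 17 19:40:05 gw sshd[2233]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 17 19:40:06 gw sshd[2235]: Failed password for root from 203.0.113.5 port 51241 ssh2
Apr 17 19:40:09 gw sshd[2238]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Apr 17 19:41:12 gw sshd[2240]: Accepted publickey for guy from 192.0.2.10 port 40022 ssh2
Apr 17 19:42:30 gw sshd[2244]: Failed password for guy from 192.0.2.10 port 40030 ssh2
"""

CHILL_OUT = timedelta(days=90)               # the "chill-out" timeout from the thread
NOW = datetime(2006, 4, 17, 19, 55)          # constructed reference time for the run
THRESHOLD = 5                                # assumed: failures before an IP is blocked


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def update_blocklist(blocklist, counts, now, threshold=THRESHOLD):
    """Return a new {ip: expiry} blocklist: expired entries are dropped,
    new offenders are added, repeat offenders get their timer reset."""
    updated = {ip: exp for ip, exp in blocklist.items() if exp > now}
    for ip, n in counts.items():
        if n >= threshold:
            updated[ip] = now + CHILL_OUT
    return updated


def firewall_commands(blocklist, chain="CHILLOUT"):
    """Render iptables commands that rebuild the chain from the blocklist.
    The chain name is an assumption; commands are returned, not executed."""
    cmds = [f"iptables -F {chain}"]
    for ip in sorted(blocklist):
        cmds.append(f"iptables -A {chain} -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    blocked = update_blocklist({}, count_failures(SAMPLE_LOG), NOW)
    for cmd in firewall_commands(blocked):
        print(cmd)
```

In a real cron job the blocklist dict would be persisted between runs (a small JSON file is enough) so that expiries survive, and the rendered commands would be applied against a dedicated chain that the main INPUT rules jump to, which keeps the generated rules separate from the hand-written policy.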