> -----Original Message-----
> From: Dave Nebinger [mailto:[EMAIL PROTECTED] 
> Sent: 08 September 2005 21:27
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Re: iptables advice for stand 
> alone box under different usage scenarios
> 
> 
> >> For the gentoo box to act as the router/gateway/hub, you need more than
> >> one ethernet card in the box.
> >
> > OK, but under the ADSL connection scenario (diagram A) I already have a
> > hardware router/gateway, so do I still need a two card configuration?
> > What I am trying to do is protect the Gentoo box from other boxes in the
> > LAN (behind the Netgear router), or when connected to the Internet via
> > dialup then protect it from other internet machines.
> 
> Depends.  Personally I had little love for my netgear router when it was
> in place.  I had a couple of issues:
> 
> 1.  Although my gentoo box allowed for externally-generated syslog
> entries, the netgear router (even though the gui suggested it would) would
> not forward syslog messages to my gentoo box, so I missed out on things
> like knowing who was hitting the router.

I think that things have improved a lot since you last used netgear.
The DG384 is now on version 2.10.22 of their embedded image firmware,
which offers a lot more functionality than just a couple of years ago.
It now offers VPN with IPsec connectivity.  Also, it can broadcast the
logs on the LAN, or you can set a specific IP address to FWD them to.
You can of course still use the http gui to see the logs, save them
manually or have them emailed to you regularly, or when a warning/alarm
is triggered.
 
> 2. Could not find an easy way to extract the external IP address from
> the darn thing.  My domain name is managed via dyndns.org, and I only
> wanted to trigger an update when an actual ip address change occurred.
> It was either that or tickle the dyndns.org system every few minutes so
> it would update IP address from the incoming connection.

I've got a fixed IP address so I didn't need this feature, but
'tickling' dyndns.org is the default method (I don't think that you
can set the interval).  It works like a client which logs on to the
dyndns server and updates the IP address - not sure if it's more
intelligent than just doing that every few minutes.
 
> 3. Performance, over time, would drop down to a trickle.  The only way to
> get it back up was to reboot the router.  And since I didn't want to
> expose the admin interface to the world, that meant that I would have to
> wait till I was on-site to reboot it.

Aahh, that's not on!  I haven't noticed any such problem with mine.  Are
you sure it wasn't an ISP throttling, or contention ratio issue?  Access
to netgear's remote web interface can be restricted to a particular IP
address/port number and you can also remotely reboot the router.
 
> 4. DNS & DHCP - It still isn't clear to me how their DNS is set up;
> although it will act as the gateway for internal systems, I couldn't
> tell if it was using a caching DNS service or was just passing DNS
> queries up the stream for processing.  DHCP gets managed by the router,
> so you have little control beyond designating the range to use for
> dynamic address assignments.

I understand that it can obtain an IP address, subnet mask, DNS server
addresses, and a gateway address if the ISP provides this information by
DHCP.  To act as a DHCP server for the LAN it has to keep its own
routing tables, but I am not sure what it does with regards to DNS.  I
believe that it keeps stuff in the local cache but don't know the size
of the cache.  On the other hand it might just be passing all DNS
queries to the ISP's DNS servers?

> 5. No DMZ support - everything plugged into the netgear box is 'exposed'.
> In my current gentoo gateway, I can and do severely limit traffic on the
> intranet side while being a little less controlling on the DMZ side.
> Should a penetration of the DMZ occur, I know that the line of
> demarcation between the DMZ and the intranet should protect my sensitive
> information.

As I understand it, now you get the full DMZ facility for a complete
box/IP address.

> 6. No ssh access, no ability to programmatically get information from
> the router, and other minor complaints.

Yes, unfortunately there's no raw engine room access, just the http gui,
but for a simple network setup it should be OK.
 
> In any case I ended up dumping netgear and running with a Sangoma ADSL
> card.  All the benefits of using ADSL whilst including all the access and
> administration my gentoo box allows.

That's for sure a more flexible self-determining approach, especially if
you have a complex network configuration.

Q1. If I connect my Gentoo box on its own (stand alone) via a dialup
modem to the internet what's my internal iface and what is the external?
Q2. Can I run public services http/ftp/mail on the Gentoo box and in
parallel continue using it as a desktop (simultaneously)?  How do I set
this up?  How do I define my ifaces?

Thanks again for your advice,
-- 
Regards,
Mick


-- 
gentoo-user@gentoo.org mailing list
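The stand-alone scenario raised in Q1/Q2 above, as an added example that is not part of this thread and not code from either poster: a script that generates an iptables-restore ruleset for a single box that routes for nobody. It assumes the dialup PPP link comes up as ppp0 (eth0 when the box sits behind the Netgear), that there is no internal interface other than lo, and a sample service list of ssh, http, ftp control and smtp; it uses the 2005-era "-m state" match (on current kernels "-m conntrack --ctstate" is the equivalent) and the FTP data channel relies on the ip_conntrack_ftp / nf_conntrack_ftp module being loaded. Interface and port names are illustrative, not from the page.

```shell
#!/bin/sh
# Added example, not code from this thread.  Generates an iptables-restore
# ruleset for a stand-alone box with ONE external interface (assumed ppp0
# for dialup, eth0 behind the Netgear router) and no internal interface
# besides lo: the box routes for nobody, so FORWARD is dropped outright.
# Uses the 2005-era "-m state" match; on current kernels "-m conntrack
# --ctstate" is the equivalent.

# gen_ruleset EXT_IF "TCP_PORTS": print an iptables-restore file to stdout.
# An empty port list gives the pure desktop case (nothing reachable from
# outside; outgoing traffic and its replies still work).
gen_ruleset() {
    gr_ext_if=$1
    gr_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: the desktop needs it (X, local mail delivery, cups, ...)
-A INPUT -i lo -j ACCEPT
# replies to connections this box opened, and related flows such as
# FTP data channels (needs the ip_conntrack_ftp / nf_conntrack_ftp module)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# stay pingable, but not at scan speed
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
EOF
    # one NEW-connection rule per published service, bound to the external
    # interface only, so an alias on some other interface does not
    # silently expose the service as well
    for gr_p in $gr_ports; do
        echo "-A INPUT -i $gr_ext_if -p tcp --dport $gr_p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# log the rest, rate-limited so a port scan cannot flood syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# Public-services scenario (ssh, http, ftp control, smtp) on dialup.
# Apply with:  gen_ruleset ppp0 "22 80 21 25" | iptables-restore
gen_ruleset "${1:-ppp0}" "${2:-22 80 21 25}"
```

Running the script with no arguments prints the ruleset so it can be reviewed before piping it into iptables-restore; passing an empty second argument ("") produces the desktop-only variant. Because the INPUT policy is DROP and only ESTABLISHED,RELATED traffic is let back in, the desktop side keeps working unchanged while the published services are the only things a host on the LAN or the dialup side can open a connection to.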