> maccrawj wrote:
> Any *nix based appliance router is going to have the same features &
> capabilities assuming:
>
> 1. Software exists
> 2. sufficient RAM & ROM
> 3. powerful enough CPU
>
> What's made the linksys 54's and similar hardware from other vendors so
> popular is that they have enough of all 3 for home or soho bandwidth levels.

Well, you covered your a** pretty well here ;) so I'll only say that it's a 
matter of compilation: which features are present or not.

Besides that, I want a well-working firewall, HTTP proxy with filtering 
options, and Snort IDS on both Red and Green, which I don't believe a Linksys 
x54 router offers.

But true, the linky is a nice device. Though, I suspect that the 54's are vulnerable to kernel injection. In plain English this means injection of whatever you can imagine, and then some. It takes a reset (and a complete reconfiguration) to beat the consequences of a kernel injection.

However, what I'm looking for is a *noiseless* platform that can run firewall, proxy, and two instances of Snort (IDS) at the same time. I am running this as we speak, but the noise is too much. That's why I'm wondering if one of the new 'webtops' could run this or not. The current system is an AMD K6 400MHz w/256 MB RAM, and it's running smoothly. But what happens if I decide to go for one of the 'webtops' and insert a couple of USB NIC's???

At the moment I'm running IPcop (ipcop.org), which is somewhat nice, but it 
also seems vulnerable to kernel injection.

Brian Weeden wrote:
If you are looking for a complete firewall, spam, malware solution check out
Astaro's Security gateway.  They sell it as a hardware box for commercial
users but it's available for free as either a VMware appliance or a bootable
Linux Live type ISO that can be put on any old grey box:

http://www.astaro.com/our_products/astaro_security_gateway

Yeah, I know Astaro, and I both like the features and the UI very much.

But, unfortunately, Astaro wants to keep track of its users through registration data, so this is a no-go for me. I just don't like nor trust companies that want to brand their users on the forehead ;)

Despite being one of the most lawful persons on this very planet, these days it seems hard to find a firewall/proxy that doesn't phone home, or have 'nice' eavesdropping 'features' built in from scratch - even in the Open Source community, shame, shame, shame. We're not all te**o*ists. I nail them, as I find them, period.

Right now I'm thinking of running either m0n0wall or PfSense directly from 
CD-ROM due to *nix kernel injection issues.
Just in case anyone doesn't know what kernel injections are: In most cases it's your ISP injecting a tracking proggie into your_browser.exe or your O/S kernel. Nice. I once caught my ISP red-handed. That's no ISP no more ;)

On other occasions, it's either a hacker or an unknown intelligence service 
that wants to eavesdrop on your IT communication.

Quite a nice scenario, as one no longer knows if one is protecting one's 
system from te**o*ist abuse/relay, or from investigating authorities. Bummer.

The only PC firewall that was able to do that kind of detection was bought up 
by Symantec. And since then, they proudly removed this very feature.

Anyhow, not that I believe Astaro would be overkill for my home office, no way. 
Only I don't feel comfortable with the hardwiring of registration data to 
MAC/IP data.

I hope my straight talk about this subject is OK, as this list usually is about drilling right to the core of the problem. And please beware that the fancypants at lists_insecure_org are probably not yet aware of the described vulnerabilities. If any of them are, they're just pathetic :D

Anyway, with e.g. PfSense, I could fall back to using my Asus T2P4 w/64MB RAM again (which has been spinning since 1995! and only got 'archived' a few weeks ago due to Snort memory issues).

Anyone have experience running m0n0wall/PfSense?

Thanks.

Best,
Soren

----
Brian

On Tue, Sep 16, 2008 at 6:00 PM, Soren <[EMAIL PROTECTED]> wrote:

Not yet, but I've set up a few of the 54 models for friends.

My reason for a stand-alone system for firewalling is that with my current
solution, I've had absolutely zero spam, trojans, spyware, and what have you
- for years. And I'd very much like to keep it that way.

I'll check out the alternative firmwares, there might be something
interesting. Thanks.

Best,
Soren


j m g wrote:

Have you looked at any of the dedicated firewall/routers out there
with 3rd party flashes?

tomato, dd-wrt, etc - Specifically the Linksys models?

On Mon, Sep 15, 2008 at 1:45 AM, Soren <[EMAIL PROTECTED]> wrote:

Looking back at the mid to late 90's at the HWG list, the major items have
always been overclocking and getting the max out of whatever PC one might
have.

Much respect for, and MUCH fun about that! (at least I had a lot of fun ;)

Well, as my power bill keeps climbing, I am looking for different solutions.

Currently, I am using old fashioned PC's for both firewalling and web access:

1. Firewall: 400MHz AMD w/256 MB RAM
2. Workstation: 2 GHz Athlon XP w/1 GB RAM

Both are running *nix in different variants.

What I am seriously considering switching to, is:

1. A very small laptop solution for the firewall, e.g. one of the new Atom
based laptops, with USB adaptors as second and third NICs. AMIbios is
preferred.

2. A *very* small and completely noiseless PC as a working system and for
internet access. Again, AMIbios is preferred.

Any thoughts?

1. At the moment my own thoughts are that one of the cheap, low powered
laptops could be close to ideal when it comes to policing the LAN access.

2. A 1 GHz Via passive cooled CPU could run *nix just nice from an
(external?) CD/DVD-ROM (ITX).

Or what?

Regarding 1), I have close to no experience with USB LAN adaptors - can
anyone please fill me in?

About 2), does anyone on the list have any experience running ITX computers
as a regular workstation, and/or with the O/S from an external CD drive?

I might emphasize that since I went from Winblow$ to a *nix platform, I've
had absolutely zero spam, adware, trojans, etc. in my M$ orifice
environment. Or I'm just completely unaware ;)

So, what are your thoughts about the above?

Would you consider it yourself?

Why?

Why not?

Any input is valid.

Thanks.

Best,
Soren
