Re: [gentoo-user] new linux router

2015-03-07 Thread Marc Stuermer
On 04.03.2015 at 16:10, James wrote:

> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.

Take a look at MikroTik: http://www.mikrotik.com/



Re: [gentoo-user] new linux router

2015-03-07 Thread thegeezer
On 04/03/15 15:10, James wrote:
> Hello,
>
> It's time to build a new router. Surely, I would just like to
> purchase hardware and run a minimized or embedded gentoo on it
> along with iptables and a few other packages. But, I got to reading
> and well it seems much has changed. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems? And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).
>
> Then I read about NFtables... [1]
> And there is more. So, being a bit busy what would folks recommend
> for purchase (I really do not need another project at this time)?
> I've used routers with ebtables in the past too.
>
>
> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.
>
> It's just a small home/office so 3x100Mb E would be fine, but GigE
> ports would be better. I'm flexible on the CPU/arch of the hardware,
> so all discussion and suggestions are welcome. In an idealized world
> I'd pay extra for a gentoo_derivative based router; but all I find
> is the WRT, devil_linux and such, nothing really cool and interesting.
>
> Anyone used lilblue or pentoo as the basis for a firewalled_router?
>
> A purchase is what I really want, but some hacking, if absolutely
> necessary, would be ok too. Ideas?
>
> curiously,
> James
>
> [1] http://netfilter.org/projects/nftables/



howdy
to get you started i'd really look at something dd-wrt.  there's a lot
of features in there that are quite amazing.
for a lot of features like site blocking etc you might even consider a
sonicwall - at around €300 you can get something that will do what you
want including the site blocking.
however, i believe gentoo is the way forward for internet facing devices
because you can fully control every aspect of it and i am regularly
deploying gentoo routers.
you can go for something arm based, but i tend to favour jetway mini-atx
motherboards - they have daughter cards that clip into the main board
and are screwed down.
the main board will give you 2x gigabit nic, and the daughtercard will
give you an additional 3.
all in, 4GB memory, extra nics and a small disk, case and power you can
get for ~€400
it's intel atom and reasonably quick - you can compile on it for example
and not have to wait a week for even small packages

nftables is going to be a beasty, but the netfilter crowd have already
released an iptables to nftables munger.  i can see their point of
changing things - evolution just got too clunky

really consider going the gentoo-hardened route especially if you are
having ports open on the internet facing side

regarding software to install:

0. fail2ban for any internet facing ports
1. squid + squidGuard + downloaded lists + username/password allows you
to filter a great deal.  really with kids though you want to consider
having whitelist access only. i.e. you put in duolingo, wikipedia etc, it's
a pain to begin but then after you have all the requirements you know
they aren't accessing anything else.  also consider distributing
wpad.dat for autoconfiguration of devices.
2. consider putting in freeradiusd as you can then go WPA2 enterprise -
sounds like overkill but lets you do great things like limit kids _wifi_
access to an hour a day
3. munin + vnstat +sarg/awstats + other fun for graphing
4. you can even then use the device as a NAS and put snaps on there, let
the kids have readonly access to stuff and adults can make changes
5. can then start looking at vpn like services

for other things you might like to look at synology apps for DSM - they
have a NAS that is essentially a linux server with drop in apps --
mariadb, drupal all kinds of fun stuff and all (relatively) easy to do
in gentoo
happy hacking!
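
The wpad.dat mentioned in point 1, sketched as an added example that is not part of the original post: a proxy auto-config file that sends all non-local traffic to squid with no DIRECT fallback, so clients fail closed if the proxy is down. The proxy address 192.168.1.1:3128 and the .lan local domain are assumptions.

```javascript
// wpad.dat (proxy auto-config). Added example; values below are assumptions.
var PROXY = "PROXY 192.168.1.1:3128"; // assumed router LAN address, squid's default port
var LOCAL_SUFFIX = ".lan";            // assumed local DNS domain

// True when host is a dotted-quad literal in RFC 1918 or loopback space.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Normalise a fully qualified name with a trailing dot.
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);

  // IPv6 literals are never treated as local here: send them to the proxy.
  if (host.indexOf(":") !== -1) return PROXY;

  // Unqualified names, the local domain and private IPv4 literals stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";

  // Everything else goes through the filtering proxy. There is deliberately
  // no "; DIRECT" fallback, so a dead proxy means no access, not unfiltered access.
  return PROXY;
}
```

A PAC file only steers cooperating clients; the whitelist itself is still enforced by squid/squidGuard, and the router's packet filter has to drop direct outbound web traffic from the LAN for the policy to hold.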



Re: [gentoo-user] new linux router

2015-03-04 Thread whytlze
[OT] openwrt? 


Re: [gentoo-user] new linux router

2015-03-04 Thread Bruce Schultz


On 5 March 2015 1:10:40 AM AEST, James wirel...@tampabay.rr.com wrote:
> Hello,
>
> It's time to build a new router. Surely, I would just like to
> purchase hardware and run a minimized or embedded gentoo on it
> along with iptables and a few other packages. But, I got to reading
> and well it seems much has changed. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems? And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).
>
> Then I read about NFtables... [1]
> And there is more. So, being a bit busy what would folks recommend
> for purchase (I really do not need another project at this time)?
> I've used routers with ebtables in the past too.
>
>
> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.
>
> It's just a small home/office so 3x100Mb E would be fine, but GigE
> ports would be better. I'm flexible on the CPU/arch of the hardware,
> so all discussion and suggestions are welcome. In an idealized world
> I'd pay extra for a gentoo_derivative based router; but all I find
> is the WRT, devil_linux and such, nothing really cool and interesting.

Maybe this would meet your needs?
https://www.ubnt.com/edgemax/edgerouter-lite/

There's also this link if you want to run gentoo, although you lose the
networking performance of the original firmware
http://wiki.gentoo.org/wiki/MIPS/ERLite-3

> Anyone used lilblue or pentoo as the basis for a firewalled_router?
>
> A purchase is what I really want, but some hacking, if absolutely
> necessary, would be ok too. Ideas?
>
> curiously,
> James
>
> [1] http://netfilter.org/projects/nftables/

-- 
:b