I pondered this ages ago and I'll ponder it again: Network gateway. Everyone's probably familiar with those little Linksys routers (or the Belkin or D-Link ones, or whatever) that you put between you and the evil Internet thing. Small, useless, but give you NAT to protect yourself at least. I've always had the belief that I could do better myself-- I'm not the only one, either, considering the prevalence of things like OpenWRT for the Linksys WRT-54G.
Let's for the moment assume you have a multi-NIC (both wired and wireless) Ubuntu box instead, and consider what we can do with it. Note that this also applies to small embedded systems like the WRT-54G, if they have more hard disk space/memory; that sort of hardware could be packed into the same form factor, at a higher premium of course (roughly $100 more).

First off, let's outline a few things we know are explicitly possible.

- Router
- Switch (bridging NICs)
- Wireless Access Point (hostap)
- Firewall
- NAT
- DHCP
- Proxy server
- Transparent proxy server (Firewall can force routed packets on port 80 to local ports, and Squid can pick them up and forward them to any specific proxy server address)
- Any host of server software
- Network security software (snort etc)

Of these, we know we definitely want to run as a Router, with switching function, NAT, and DHCP. We'd also want a wireless access point, with WPA and all. Users would definitely want a firewall. A default full stateful firewall would be useful (iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ; iptables -A FORWARD -m state --state NEW -i !eth0 -j ACCEPT), as well as stateful on input (replace FORWARD with INPUT). More flexible controls -- port forwarding, UPnP, a DMZ, blocking specific outgoing port ranges -- would help power users.

A caching transparent proxy server option would personally interest me. This would be Squid with transparent HTTP proxy, and a proxy setup that intercepts port 80 FORWARD requests and redirects them to localhost (iptables -t nat -A PREROUTING -i !eth0 -d !192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128). Squid could handle a several-gigabyte-wide cache for the network. Another interesting thought about transparent proxy servers is you can give the user the option to add Dan's Guardian or any generic parent proxy (i.e. Websense) as a mandatory parent, meaning Squid has to traverse a content filter.
In primary schools, this would satisfy regional regulations about properly controlling students' access to questionable materials: The school supplies the service (Websense), and the students duck around the proxy configuration in IE (registry hack or Portable Firefox); the outgoing HTTP connection gets forced to the proxy anyway, unless it's on a weird port (unlikely). I used to play with this stuff when I was 16, because I'd broken through the high school's proxy server and a week later was showing the teachers how this worked and also explaining some other stuff out there that let me counter this sort of attack (yeah I know, I did this all the time, they always let me get away with breaking their security systems over and over...).

The last thing is, of course, apt-cacher, and configuring Apt (by automatic scanning of the local network, or adding mDNS, of course) to use it.

These sorts of things seem interesting to me. It would be rather unlikely that an end user would manually set up a 6 NIC + wifi desktop machine, designate eth0 as the WAN port, plug in their cable/DSL modem, and install "Ubuntu Network Gateway Edition" or whatnot; however it's also exceedingly unlikely an end user would download Ubuntu Netbook Edition for their laptop. What is likely is that, as with the Netbook version, hardware vendors would ship a mid-end $200 gateway with an advanced "Transparent Internet Accelerator" (caching proxy server) and "Transparent Parental Controls" using a 16GB SSD (SD card is like $25), 2 gigs of RAM ($20), and the typical i686-based hardware that i.e. a WRT-54G ships with ($60), totaling what, $105 at a glance, bulk manufacture orders being much less?

Does anyone else want to join in on this thought experiment and consider what the administrative console would look like; what the end user would want; how to market it to manufacturers; how manufacturers would market it to end-users; etc?
--
Ubuntu-devel-discuss mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
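The stateful firewall, NAT and port-80 interception the post sketches, assembled into one ruleset. This is an added example, not code from the post or from Ubuntu; the interface and address choices are assumptions of mine (WAN uplink on eth0, the LAN and wifi side numbered 192.168.1.0/24, Squid listening on 3128). IPT defaults to "echo iptables" so the script prints the rules instead of applying them; run it as root with IPT=iptables SYSCTL=sysctl to apply them for real.

```shell
#!/bin/sh
# Added example (not from the original post): gateway firewall, NAT and
# transparent-proxy rules for a multi-NIC Ubuntu box acting as a router.
#
# Assumptions, all mine rather than the post's: WAN uplink on eth0, LAN ports
# and wifi bridged on the 192.168.1.0/24 side, Squid listening on 3128.
# IPT defaults to "echo iptables" so the script only prints the rules; run
# as root with IPT=iptables SYSCTL=sysctl to actually apply them.
WAN=${WAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-echo iptables}
SYSCTL=${SYSCTL:-echo sysctl}

gateway_rules() {
    # Routing between NICs is off by default on Linux; the box is not a
    # router until this is switched on.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start from empty chains so re-running the script does not stack rules.
    $IPT -F
    $IPT -t nat -F

    # Default-deny for traffic to the box and through the box; the accept
    # rules below open only what the post describes.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Local daemons (Squid, DHCP, DNS) talk to each other over loopback.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful core: replies to connections already in the conntrack table
    # pass both through the box (FORWARD) and to the box (INPUT).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are accepted only if they did NOT arrive on the WAN
    # port, i.e. they come from the LAN/wifi side. Current iptables writes
    # the negation as "! -i eth0" rather than the older "-i !eth0".
    $IPT -A FORWARD ! -i "$WAN" -m state --state NEW -j ACCEPT
    $IPT -A INPUT ! -i "$WAN" -m state --state NEW -j ACCEPT

    # NAT: rewrite LAN source addresses to whatever address the WAN port
    # holds (MASQUERADE copes with a DHCP-assigned WAN address).
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Transparent proxy: port-80 traffic from the LAN that is not headed for
    # another LAN host is diverted to the local Squid before routing.
    # Squid's own outbound fetches leave via the OUTPUT chain, so they are
    # not caught by this PREROUTING rule and cannot loop back into Squid.
    $IPT -t nat -A PREROUTING ! -i "$WAN" ! -d "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

gateway_rules
```

On the Squid side the matching listener is `http_port 3128 transparent` (Squid 2.x) or `http_port 3128 intercept` (3.1 and later), and the mandatory content filter the post mentions is a `cache_peer ... parent` entry combined with `never_direct allow all`, so Squid cannot bypass the parent. Note what this ruleset does and does not cover: only TCP port 80 is intercepted, so HTTPS and HTTP on non-standard ports pass straight through under the FORWARD rules and would need separate egress filtering if the filter is meant to be unavoidable.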
