Willie Wong wrote:
> =) Willie is fine. "Mr. Wong" doesn't become me.
Willie it is then...
> There is a problem with it I'll explain in a minute but first let me
> ask if you are actually using your router to do something similar to
> what I described?
[snip] reasoning about blocking only services by name
> True. That's one question I've been wondering. Since I do *not*
> actually have a FSV318 (like I said, I have a way lower end Netgear
> router), I was wondering about what I saw in the manual. The page I
> referred you to had a sample screen that says something akin to
> "Clicking here enables ALL services for ALL local LAN addresses". (I
> hope you know which screencap I am talking about.) So
> 1) Does such a screen exist?
Yes. The manual you cited is for v1.4 by your message, and my router is
running v2.4, so there may be some differences, but there is such a page,
yes. Your manual shows an `any' choice in the services box, whereas I
only see a list of 11, no `any' choice. That isn't what we're
discussing, but just added for reference.... For my actual screen see:
http://www.jtan.com/~reader/exp/web_ready/dispimg.cgi
> 2) If it does, if you only enable OUTBOUND service for the two
> computers you want, does it do the job?
I suspect it would, and yes, there is the possibility to ALLOW on that
screen too. So one could turn it around and allow whatever machines I
want internet capable rather than denying the ones I don't.
But if you mean to disable services for the other 3, that does work, and
I've tried it now, but it is the exact thing I called shaky.
Your further comments on that have caused me to clean up my thinking
about it a bit. And as you say, the router/fw is already blocking all
incoming to those computers, since they are NATted and there is no port
forwarding to them. I do have a port forwarded to the gentoo box for
ssh access.
[snip] cleaner thinking about what is really happening at the router.
[snip] discussion of doing it with gentoo box
=================
[An aside but sort of an answer to your diagram too]:
I got the Netgear a couple of years ago to avoid doing what you laid out
with the gentoo box. Only then it was a lean, mean install of OpenBSD on
an old x86 computer.
But I think the same drawback would apply eventually, that is, that it
is too labor intensive to keep up with updates, patches, noise, heat, etc.,
since I'd not want to use my main desktop (my gentoo box) in that
capacity, since it's not really wise to run a hardened firewall on a
production machine.
I'd end up setting up a second Gentoo box as a very configurable FW, or
really I'd probably install the latest OpenBSD and set it up as a hardened and
highly configurable router/fw, using the NETGEAR as you describe.... as
a switch.
It's hard to argue with something the size of a medium book that
generates no heat or noise yet keeps all but the most dedicated of
script kiddies out of my network with ease. And it needs almost no attention.
==============
Getting back to other things that might be tried:
I'm thinking now, after your comments on the subject, that blocking the
services would be all I need to do. I'm currently doing the isolating
by running a sw firewall called Kerio on each of the 3 machines.
That isn't much fun either, and if Kerio wasn't started or was turned off,
the instant machine would be in harm's way right away, as you mentioned
somewhere in your replies.
No telling how much internet access happens when running a bunch of
graphic manip programs. Probably not particularly dangerous, but still,
all those update mechanisms would only need someone with bad intent to
do harm with them.
I'm wondering now if there is a way to do something like set up a squid
proxy on the gentoo box and somehow force any attempts to go online from the
3 isolated machines toward it?
Someone already mentioned squid and said it could not be forced, but I'm not
sure I understood what that meant.
But also, if I were to set the gateway, which is now the NETGEAR router,
to the gentoo box, wouldn't all outgoing traffic automatically head for
the gateway? Would they really need to be wired to a second NIC?
Can the gentoo box be made to handle that local LAN-based traffic and
head it toward the internet without a second NIC and all?
My feeble understanding of setting a default gateway is that it then
becomes the only route used without setting static routes in the routing
table of the winboxes.
I intend to experiment with this a bit later, tracerouting different
setups and such.
--
gentoo-user@gentoo.org mailing list
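The single-NIC gateway idea asked about above, as an added example that is not code from the thread or from Gentoo itself: the Gentoo box becomes the winboxes' default gateway on the same LAN, forwards only their name lookups to the Netgear, hands their port-80 traffic to a local squid transparently, and logs and drops everything else from them. Interface name, addresses, and the squid port are assumed placeholders; the winboxes' default gateway must point at the Gentoo box, whose own gateway stays the Netgear.

```shell
#!/bin/sh
# Added example (not from the thread): Gentoo box as a one-NIC gateway for
# the isolated machines.  Every address below is an assumed placeholder.
LAN_IF="${LAN_IF:-eth0}"            # the only NIC, on the same LAN as the Netgear
NETGEAR="${NETGEAR:-192.168.0.1}"   # upstream router; stays this box's own gateway
ISOLATED_HOSTS="${ISOLATED_HOSTS:-192.168.0.11 192.168.0.12 192.168.0.13}"
SQUID_PORT="${SQUID_PORT:-3128}"    # squid started with 'http_port 3128 transparent'
IPT="${IPT:-iptables}"              # set IPT=echo to print the rules instead of loading them
SYSCTL="${SYSCTL:-sysctl}"

gateway_sysctl() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # Forwarding a packet back out the interface it came in on makes the
    # kernel send an ICMP redirect; Windows would honor it and route straight
    # to the Netgear again, bypassing this box.  So redirects are disabled.
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0
    $SYSCTL -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

gateway_rules() {
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -P FORWARD DROP                # nothing is forwarded unless listed below
    for h in $ISOLATED_HOSTS; do
        # Port 80 from an isolated host is handed to the local squid (INPUT,
        # not FORWARD), so the winbox needs no proxy setting and cannot get
        # around the proxy by clearing one.  Squid then goes out via the Netgear.
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$h" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$SQUID_PORT"
        # The browser still resolves names itself, so DNS to the Netgear is
        # passed on.  Replies come back to the winbox directly (asymmetric
        # path on one LAN), so no stateful return rule is needed here.
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -d "$NETGEAR" -p udp --dport 53 -j ACCEPT
        # Everything else from these hosts (update mechanisms, HTTPS, anything
        # not going through squid) is logged, then dropped.
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -j LOG --log-prefix "isolated-drop: "
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -j DROP
    done
    # Any other LAN host that points at this box is simply passed on to the Netgear.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j ACCEPT
}

case "${1:-}" in
    apply)   gateway_sysctl && gateway_rules ;;
    dry-run) IPT=echo; SYSCTL=echo; gateway_sysctl; gateway_rules ;;
esac
```

Run it as `sh gateway.sh dry-run` to see the exact rules before `apply`; the drop rule's log lines show which programs on the isolated machines are trying to reach the internet.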