Kuro5hin.org: technology and culture, from the trenches
OS choice for home LAN servers/gateways...

By Justinfinity in Technology
Sat Nov 18, 2000 at 05:06:43 PM EST
Tags: Help! (Ask Kuro5hin)

I finally have a second box of my own at home. :-) Now I have to decide what to install on it. I know I will be using either Linux or a BSD, but which one? Everyone has an opinion for boxes that will be doing a specific job, like OpenBSD for a dedicated firewall, for example. However, it's harder to pick a system for a box that will be doing/serving anything and everything.


If this box was just going to be a firewall, I'd definitely run OpenBSD. Code auditing and proactive security should be done by everyone, but I digress. If I was only running game servers I'd run Slackware, because most game servers will run on Linux and I know Slackware fairly well. I really need something to fill the whole range.

Now, I'm willing to spend a little time learning a new system (I know some of FreeBSD, OpenBSD and Debian, and most of Slackware), but I don't want to spend an extra month getting to know my firewall if I don't have to. The real question is, what is a happy medium? First off, I suck at making decisions, and second, I don't really know quite enough about each system to make the decision anyway. So if you all don't mind, let's talk about the pros and cons of a few of the different OSes most "geeks" would normally use for this job.

As an example, I have the choice of Slackware 7.1 (eventually tracking -current), Debian 2.2 (eventually tracking -stable), FreeBSD 4.1 (eventually tracking -stable), or OpenBSD 2.7 (I'm not sure how their "stable/unstable" system works, yet). These just happen to be the CDs I have in my possession right now.

The hardware is all fully supported by all the above OSes. I know because in a previous incarnation this same box has run them all. It consists of:
o K6-2 500
o 64 MB PC100 SDRAM
o 4.3 GB + 800 MB HDD space
o nVidia TNT video
o SB16 PnP (does not need to be utilized)
o Two Generic NE2K-PCI NICs
o PS/2 mouse (USB capable, but not necessary)

One NIC will be going to the cable modem, the other will go to a hub for the rest of the LAN.

On the services side, the primary function will be a NAT gateway (using ipmasq?) as well as firewall (using ipfilter?). I'll also be running Apache (with at least mod_perl for scoop (I'm taking hurstdog's advice and using scoop as a learning tool for perl :-) )) and sshd and Samba (for mp3 sharing :-P ). It would also be great if I could run servers for my favorite games (Unreal Tournament, Tribes, Half-Life, and Descent 3).

This may seem like a request for help on my specific situation. I'd rather see some ideas on what to do for this and other situations. And maybe tell us what you may be using for your current setup.

Let's see some real examples of what (for most of us here) our favorite OS can do in the home.

BTW, the current setup is my Dad's box running Win98SE and ICS (Internet Connection Sharing) for NAT. :-( My main box runs Win98 and Slackware currently.

Poll
What do you run as your LAN gateway?
o Slackware 9%
o Debian 18%
o Other Linux 20%
o FreeBSD 10%
o OpenBSD 18%
o Other *NIX 1%
o Windows * 12%
o Other 10%

Votes: 188
OS choice for home LAN servers/gateways... | 61 comments (55 topical, 6 editorial, 0 hidden)
You tell me. (3.20 / 5) (#1)
by pb on Sat Nov 18, 2000 at 02:44:05 AM EST

It sounds like you have more experience using all of these OSes on your hardware than I do, and probably than most of us.

I can tell you that I primarily use Linux, and have tried many versions of Windows and DOS, as well as BeOS. For a dedicated box, I'd definitely use Linux (or some flavor of Unix); for real gaming, you'd probably want to use Windows, or maybe Linux. (Linux is just fine with me, 'cause I've got Heroes Of Might And Magic 3... :) BeOS looks promising, especially now that my hardware is more compatible, but it still needs more stuff ported to it, especially for a gaming platform.

But most importantly, if it ain't broke, don't fix it. What makes you dissatisfied with your current setup? Maybe we can suggest some changes, or some OSes that would get rid of these problems.

In my experience (compared to DOS/Windows, that is), Linux has a massively better disk cache subsystem, and many more options for the filesystem. It already has support for whatever services you'd want, including firewalls. It isn't locked down out of the box, so I use Red Hat+Bastille, and in the 2.2 kernels, the OpenWall security kernel patches as well. Windows tends to have more optimized video drivers, but it also tends to be less stable, and often less flexible, so go figure...
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
Enter the Belot (3.33 / 3) (#4)
by GandalfGreyhame on Sat Nov 18, 2000 at 02:58:10 AM EST

Ah, I just can't resist :)

First of all, until BONE, the network rewrite, comes out, BeOS sucks ass as a server OS. With BONE, things will be Very Good.

Nobody ever said BeOS was a gaming platform :) In any event, the hardware OpenGL acceleration is being completely re-written; it's currently in beta. Should be here RSN. Without the hardware acceleration, games have been a problem of late, but semi-biggies such as CivCTP and CorumIII have been ported. More are coming :)

-G

Disclaimers : It's 3:02AM. And, I am also BeNews staff. Search for BONE, OpenGL, whatever on BeNews and you'll find the relevant information.

Cool. (3.00 / 3) (#6)
by pb on Sat Nov 18, 2000 at 03:14:30 AM EST

Therefore, I may have to give BeOS another try once all that comes out. I've got a Matrox G400 Max, which is supported so much better than my old generic Trident card, but more hardware acceleration would be much appreciated anyhow. :)

Belot? Be-Zealot? I like that...
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
Vid Card & Belotism (3.00 / 3) (#7)
by GandalfGreyhame on Sat Nov 18, 2000 at 03:29:00 AM EST

Yeah, definitely keep an eye on BeNews, we'll be rather, um, excited :) When all of that comes out, it's really gonna power Be up a bit.

AFAIK, Matrox cards will be among the ones initially supported. I know for a fact the Voodoo4/5 and the ATI Radeon will be extremely well used by the OpenGL rewrite.

I believe credit for the creation of the word 'Belot' belongs to our beloved Inoshiro :)

-A really, really super tired Gandalf

go with what you know (3.00 / 6) (#5)
by enterfornone on Sat Nov 18, 2000 at 03:13:49 AM EST

Personally I run Mandrake (6 something?) on my server (mainly as a firewall/gateway + a fetchmail/sendmail setup). On my desktop Linux box I'm running Redhat 6.2. I like RPM Linux distros, tho I chose those mainly cos I had the CD handy when I went to install it.

But there's not much point learning something new unless you really have the desire to or are going to get something out of it. So if you are comfortable with Slackware and it will run all the apps you want to put on it, I would say go with that.

--
efn 26/m/syd
Will sponsor new accounts for porn.
exactly (2.00 / 3) (#29)
by noahm on Sat Nov 18, 2000 at 07:10:25 PM EST

I'm surprised more people haven't said this. You know slackware, you know it can do what you need. You know you can keep it secure and stable. What more do you need?

noah

Where I work.. (1.83 / 6) (#8)
by Trracer on Sat Nov 18, 2000 at 04:41:48 AM EST

Where I work we use debian 2.2 for routing, DNS, mail and DHCP for the Windows boxes.
It's working perfectly as far as I know.

-- Inoshiro is a shrimp smuggler!
i forgot mail! (3.00 / 2) (#9)
by Justinfinity on Sat Nov 18, 2000 at 04:49:28 AM EST

I'll prolly be running a mail server too, just so I can have a local access point to store everything between OSes on my main box.

BTW, do you run apache or sshd or anything on that debian box?

-justin
Yeah... (3.00 / 1) (#13)
by Trracer on Sat Nov 18, 2000 at 09:34:18 AM EST

We have one machine, the router, that does..routing(!) and some filtering (we filtered out port 138 and 139 and outside access to some of our machines) and then we have one machine that does mail, DNS, some web (not much web there now) and sshd.
We have no machine responding to telnet whatsoever.
All machines running debian.

-- Inoshiro is a shrimp smuggler!
I like FreeBSD (3.28 / 7) (#10)
by schmoli on Sat Nov 18, 2000 at 04:51:30 AM EST

I use FreeBSD myself, but it's just the OS that I use the most often, so I feel more comfortable with it. I use natd (for NAT), ipfilter (firewall), samba TNG (mp3/file sharing and win98/NT/2k logins), qmail, courier-imap, vpopmail (for people who want mail on my domains but don't need the overhead/insecurity of shell access), apache (php and sqwebmail for the vpopmail users), and mysql. I'm sure most if not ALL of these and other applications will run on your Linux/BSD of choice, so I would suggest using what you feel most at home with. The only thing I don't know about is running game servers; however, running those on a machine with only 64MB RAM may not work out too nicely. FreeBSD-4-STABLE is now in the 4.2-BETA stage, BTW.

Go with what you know (3.00 / 9) (#11)
by kaboom on Sat Nov 18, 2000 at 05:01:14 AM EST

I voted -1 just because this was far too specific to be of widespread interest.

That said, you're planning on using the box as a firewall. In that case, you should definitely go with whatever OS / distribution you know best. All the hype from the OpenBSDers to the contrary, no OS is inherently secure; it's only as secure as you configure it to be, and if you, say, know Red Hat and don't know OpenBSD, you're going to build a more secure Red Hat firewall than OpenBSD firewall....

not true (2.00 / 3) (#19)
by pope nihil on Sat Nov 18, 2000 at 02:33:40 PM EST

If you don't know OpenBSD and don't take the time to learn it, you will have the default install which is very secure. Now, being a bit paranoid, I still tighten security beyond the default install on OpenBSD.

Now, if someone is smart enough to actually secure a RH box (highly insecure to start with: hey! let's run telnet, sendmail, and ftp by default!), then I assure you, they will have no trouble with security on OpenBSD if they go through the nice online tutorial.


I voted.

It'd help if you knew what you were talking about (2.20 / 5) (#30)
by kaboom on Sat Nov 18, 2000 at 07:21:27 PM EST

First of all, Red Hat doesn't run telnet, sendmail, and ftp by default. As the great Chuck D says, "get your shit correct." And even if it did, that's not necessarily a sign of insecurity. If I'm setting up a telnet server, it doesn't make a single bit of difference in terms of security whether the telnet daemon is installed with the OS or whether I have to install it separately....

Now that that's out of the way, OpenBSD isn't very secure by default. It doesn't do anything by default, which is conceptually a bit different. Once you put it into operation, you're still going to be running the same IMAP / POP / FTP / telnet / SSH / apache / foo that everyone runs on Solaris, or Linux, or FreeBSD, or HP-UX, or.... That's not intended as a slam on OpenBSD (hell, I probably run more OpenBSD boxes than you ;-), but just to point out that claims of "Three years without a remote hole in the default install!," as the OpenBSD home page proudly proclaims, are a bit disingenuous; my backpack has also gone three years without a remote hole by default, and for the same reason--that it's not, by default, functional as a server ;-).

Furthermore, the questioner wants to run a firewall. Given the complexity of setting up a firewall, it's inherently better to use a product you know how to configure and will set up correctly (whether that's ipchains, netfilter, ipfilter, ipfw, or ipfwadm; they're all full-featured enough to do basic firewalling, assuming you know how) than one you don't know how to configure. The first basic rule of firewalling is that a misconfigured firewall is more dangerous than no firewall at all....

Not 100% the truth. (2.66 / 3) (#37)
by Inoshiro on Sun Nov 19, 2000 at 12:37:54 AM EST

"First of all, Red Hat doesn't run telnet, sendmail, and ftp by default." -- not true. As of the 6.x releases, the server setup will enable every daemon that's installed. That's not much of a good thing if the system hasn't been properly setup..

"Now that that's out of the way, OpenBSD isn't very secure by default." -- some of the worst lies are those told with a straight face. " Once you put it into operation, you're still going to be running the same IMAP / POP / FTP / telnet / SSH / apache / foo that everyone runs on Solaris, or Linux, or FreeBSD, or HP-UX, or" .. which is not true. All the applications that ship with OpenBSD, or which are in the OpenBSD ports tree, have been audited for maximum reliability and stability. Any bug can potentially be a security bug, and OpenBSD is the pinnacle of audited code and security. OpenBSD is indeed secure by not having stuff running by default. It's a lot easier for a newbie to enable what they need, rather than to disable all that they don't need.

Your last paragraph, at least, is sound :)



--
[ イノシロ ]
110% True, baby! ;-) (2.75 / 4) (#42)
by kaboom on Sun Nov 19, 2000 at 09:18:37 AM EST

First of all, Red Hat doesn't run telnet, sendmail, and ftp by default. As of the 6.x releases [of Red Hat], the server setup will enable every daemon that's installed. That's not much of a good thing if the system hasn't been properly set up.

Sorry, Inoshiro, but the original statement IS true. "server" setup is not the default; if you ask for server, the non-default install, you were explicitly asking for daemons to be enabled. It's not Red Hat's fault if you can't read their supplied documentation and figure that out. Furthermore, with current Red Hats, even the non-default server install doesn't enable the daemons. Get with the times, man! ;-)

some of the worst lies are those told with a straight face.

You could, you know, try actually contradicting my argument (most of which you snipped) instead of just spouting clichés.

All the applications that ship with OpenBSD, or which are in the OpenBSD ports tree, have been audited for maximum reliability and stability.

That's explicitly NOT true. NOTHING in the ports tree is guaranteed to have been audited. Read your system documentation; http://www.openbsd.org/ports.html explicitly states that "The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security." This situation is only exacerbated by the daemons which ship in the base OS being secure only by lacking functionality. Consider ftpd; OpenBSD ships an audited ftpd in the base OS that is useless for most real-world applications (lacking virtual host support, etc.), and a bazillion unaudited ftpds in the ports tree which are what you're going to wind up actually running. Furthermore, even the base, audited, castrated, ftpd was recently subject to the exact same format string vulnerabilities as all the other unaudited functional ones. Ditto for the base lpr, and the base talkd, and the base....

Any bug can potentially be a security bug, and OpenBSD is the pinnacle of audited code and security.

Nonsense, again. Yes, it's probably the most-audited in terms of percentage of shipped base code having been audited (though I'd bet that in terms of lines audited, Debian and Red Hat have audited more, or FreeBSD for that matter, now that they've begun auditing their ports tree), but audited != security. It does no good to audit your base ftpd and ignore proftpd (or whatever) when 95% of your users are going to rm your base ftpd and install something more functional. You haven't gained security by your audit, you've just lost usability. Security is not something that just magically happens because someone happens to have audited some code some place (witness the exploits for the audited OpenSSH code which have been showing up on Bugtraq). That's even more true when you're probably not even going to use that audited code in favor of unaudited but more functional code available elsewhere.

ftpd among other things (none / 0) (#50)
by pope nihil on Mon Nov 20, 2000 at 02:42:02 AM EST

I don't see why you say the default ftpd is non-functional. I've never needed anything beyond what is supplied, and I've installed it on somewhere between 5 and 10 small servers. Ports may not be completely audited, but many of them are patched before compilation. I find for certain tasks (ESPECIALLY a firewall or small webserver) a default OpenBSD install is extremely functional, and more secure than any other default install I can think of.

As for RH, you PICK what kind of install (workstation, server, or custom), so there really is no default. Although IMHO, only an RH-newbie would use anything other than custom, which still runs the services you install by default.

It's really a matter of necessity. If you need to be running big sites with proftpd or wu-ftpd, OpenBSD probably wouldn't be your first choice as it doesn't currently scale beyond single-processor. I would wager that far less than 95% of users remove the OpenBSD ftpd and install something else. I really don't want to get into an argument about which *nixes are better, but I think you are grossly generalizing and generally looking foolish when you say that OpenBSD is not functional or secure by default.

I voted.

debian woody (3.33 / 9) (#12)
by semis on Sat Nov 18, 2000 at 08:20:45 AM EST

You mentioned you wanted your box to serve "anything and everything".

I recommend installing debian potato (2.2) and then updating it to woody - the development version of debian. I run a production woody machine - and while I _do_ have to be careful when I update it - as long as I do that I don't have any problems.

So, anyway why do I recommend woody?

1. It's debian - so you get apt, i.e. to install apache and all its dependencies:
    apt-get install apache
or, to build it all from source:
    apt-get -b source apache

I'm pedantic about package management, and although ports from FreeBSD is nice - I don't find it to be as good as apt for day to day installations/removals/dependencies/upgrading.

2. Over 4000 packages, constantly updated. I recommend woody because most of the new stuff gets rolled out pretty quick - which saves having to roll your own.

Then, for security, I would recommend building up an ipchains firewall. You can also use chains to do nifty stuff like transparent proxying and NAT.

Another good thing I find is that the support for debian is _fantastic_. There are always really helpful and smart people on #debian/open-projects - where newbies/gurus alike hang out and try to help everyone out.

Windows (3.20 / 5) (#15)
by whatnotever on Sat Nov 18, 2000 at 11:00:21 AM EST

It's nice to see Windows doing so well in the poll. :)

No, I'm not saying you should use Windows, but rather that it isn't a horrible choice.

At home, we have some happy NAT gateway running on my parents' general-use win95 box. Sure, the entire setup is unstable as hell, and trying to run the administration tool crashes the box, with no exceptions, but it works fine. And sure, file-sharing was turned on on the cable-modem side one time, and there were some unwanted guests, but hey, we were just being friendly! ... or something... I really should go check that machine for Bad Things, again...

So I in no way recommend Windows, but it *does* work decently.

There should be multiple choices.... (3.50 / 2) (#17)
by Nick Ives on Sat Nov 18, 2000 at 12:35:27 PM EST

Because in our house it's Win2k roughly 2/3 of the time and Linux the other 1/3 of the time (I voted windows though).

It's come down to this because it used to be that the only modem in the entire house was in my computer, and because I couldn't for the life of me get connection sharing to work in 98, I always had to be in Linux so everyone could be on the net. This caused major problems whenever I wanted to play games in 98, as within 5 mins of rebooting the entire household would be screaming at me because they couldn't get on the net.

This all changed when my sister got her new computer, a dual P3 533 w/256MB RAM. She needed to run Windows and I was most surprised when the connection sharing in 2k actually worked first time. Because she's almost always in 2k it means we can all be happily on the net most of the time. Whenever she reboots into 98 to play the odd game that doesn't work in 2k I'm usually in Linux and so I just steal the phone line (the phone cable from her modem passes through my room. Don't ask. If I were to say the wiring in this house is "ad hoc" it'd be a massive understatement. We drilled a hole in our stairs to pass network cable down through to the kitchen).

As you can tell, our house lives for the day we have a bit of spare cash and can be bothered to buy another CPU+mainboard so that we have all the components necessary to build a gateway. As it is, it's not pressing enough to cause us to rush out and actually get it properly finished & done, I mean, it seems to work. Most of the time =P.

What kind of internet connection do you have? (2.66 / 3) (#16)
by darthaya on Sat Nov 18, 2000 at 11:13:28 AM EST

If you have a broadband internet connection at home, well, you could get a LinkSys router for the NAT gateway for the home LAN. It is only 170 dollars, and you can get it from CompUSA.

I bought one two weeks ago, haven't tried it out though if the DSL installation people were smarter. :(

I've got one (none / 0) (#28)
by djkimmel on Sat Nov 18, 2000 at 05:19:17 PM EST

I've had a LinkSys BEFSR11 (the one without a built in switch, since I already have a nice 10/100 hub) for about three months now and just love it!

It works just as well as a Linux NAT box and is a lot easier to configure.

I've recommended this to friends and everyone that has got one has liked it.

The best thing to do is make sure that you can return it for any reason. That way if it doesn't suit your needs or isn't as flexible as you like you haven't lost anything. I made sure I could return mine, but I didn't need to.
-- Dave
I've got one, too (none / 0) (#47)
by gbroiles on Sun Nov 19, 2000 at 07:55:17 PM EST

have been using it as a firewall/NAT device between my DSL connection and Windows machines at home; there's no way I'd expose a Microsoft OS to the net. It's been great - configuration was easy, works fine, haven't monkeyed with the firmware upgrades because it's not broken.

I installed one at my dad's house, too - he had some trouble installing it himself, but once I got it configured (it needed to do PPPOE, and have PPPOE turned off on his Windows machines) it's been running fine for him, too.

It's not as much fun as setting up a *nix box, but it's sure a lot faster and cheaper, and eats up less desk space/power.

if i had the money (none / 0) (#49)
by Justinfinity on Mon Nov 20, 2000 at 02:02:33 AM EST

and my dad wouldn't bitch about me spending it (I wouldn't be surprised if my mom tried to make me take it back), I would get a hardware NAT/firewall. But since I'm getting this system for free (well, in trade :-) ), it's better

-justin
Linux 2.4.0/netfilter (3.25 / 4) (#20)
by spinfire on Sat Nov 18, 2000 at 02:42:12 PM EST

I am actually using Linux 2.4 on a highly modified Debian system for our home router. It currently masquerades most addresses and statically NATs through one, so I 'appear' to have two machines outside the firewall when one is really in the private address space.

This is all done on a Pentium 120 with Netfilter/iptables, which works excellently, IMHO. I have not had any problems with it so far. The control netfilter gives you over both firewalling and gateway/NAT functions is far superior to anything else I've seen.

I have had no experience with BSD, unfortunately, though I plan to try it out on an old box I have lying around shortly.

Freelance Hacker. spinfire on FooNET.
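The setup spinfire describes above (most of the LAN masqueraded, one host statically NATed to a second public address) together with the port 138/139 filtering Trracer mentions in #13, written out as an iptables script. This is an added example, not spinfire's or Trracer's actual configuration: the interface names eth0/eth1, the LAN range 192.168.1.0/24, the internal host 192.168.1.10 and the public address 203.0.113.5 (from the documentation range) are all assumed.

```shell
#!/bin/sh
# Home LAN gateway rule set for Linux 2.4 netfilter/iptables.
# Assumed layout (constructed for this example): eth0 faces the cable modem,
# eth1 faces the LAN hub, the LAN is 192.168.1.0/24, and a second public
# address 203.0.113.5 is mapped one-to-one onto the internal host
# 192.168.1.10. The gateway must also own 203.0.113.5 (for instance as an
# alias on eth0) so that packets addressed to it arrive here at all.
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
STATIC_PUB=${STATIC_PUB:-203.0.113.5}
STATIC_INT=${STATIC_INT:-192.168.1.10}
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them

gateway_rules() {
    # wipe existing rules and user chains, then default-deny traffic to and through the box
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # the LAN may talk to the gateway freely; from the cable side only replies and ssh get in
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # NetBIOS/SMB never crosses the external interface in either direction, so a
    # share left open on a LAN box (or on the 1:1-NATed host) is not reachable from outside
    for p in tcp udp; do
        $IPT -A FORWARD -o "$EXT_IF" -p $p --dport 137:139 -j DROP
        $IPT -A FORWARD -o "$EXT_IF" -p $p --dport 445 -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -p $p --dport 137:139 -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -p $p --dport 445 -j DROP
    done
    # LAN-originated traffic goes out; only replies come back to masqueraded hosts
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the 1:1-NATed host is meant to look like a machine outside the firewall,
    # so new inbound connections to it are allowed (after the NetBIOS drops above)
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$STATIC_INT" -j ACCEPT
    # NAT table: everything on the LAN masquerades behind the gateway's own address...
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    # ...except the one host, whose rule is inserted first so it wins over the masquerade
    $IPT -t nat -I POSTROUTING -o "$EXT_IF" -s "$STATIC_INT" -j SNAT --to-source "$STATIC_PUB"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$STATIC_PUB" -j DNAT --to-destination "$STATIC_INT"
}

# enable routing between the interfaces (only meaningful when really applying the rules)
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)   gateway_rules && enable_forwarding ;;
    dry-run) IPT=echo; gateway_rules ;;
esac
```

Run it as `sh gateway.sh dry-run` to read the generated rules before loading them with `sh gateway.sh apply` as root. The order of the two POSTROUTING rules is the part worth checking in the dry run: the SNAT rule for the static host must come before the MASQUERADE rule, because the masquerade's source match covers the whole LAN including that host.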

Windows 2000! (3.22 / 9) (#21)
by bradenmcg on Sat Nov 18, 2000 at 02:55:30 PM EST

Sure, laugh all you want...

... but this isn't a troll.

I love Windows 2000. I admit, it is far from perfect. There are certain things it does quite well though. For simple NAT'ing, a Win2k Pro machine is excellent. Security holes? There's nothing OPEN to begin with! It's NT-based, the kernel is pretty stable. The NAT is real low-level, real easy to setup, and very fast.

If you need more, w4r3z a copy of w2k server and use that. It can route. It has built-in SMTP; find Exchange and you've got a mail server that is painfully powerful. Or find something opensource that has been ported.

Apache for Win2k works fine. Need NFS? Find a copy of the MS "Services for Unix" CD, which has an NFS client and Server for Win2k. (Not to mention the win32 copy of ksh and gnu tools that it comes with, and ActivePerl.)

If you have a beefy enough machine, it will work fine.

Plus, if you ever decide you want to let someone ELSE actually play games on that machine (LAN party where someone couldn't bring a computer comes to mind), Win2k will let you do that, in all probability.

I'm not saying it is the answer, but it works fine for me. YMMV.

If you decide to use a *NIX, use OpenBSD. End of story there. Security is your friend.

<leonphelps>Yeah, now, uh, "sig," what is that?</leonphelps>

Security of Win2k by default (3.00 / 4) (#24)
by Miniluv on Sat Nov 18, 2000 at 03:50:06 PM EST

Uhm, actually there's plenty open by default. Just like any other Windows installation, security is possible, but requires work: be prepared to hack the registry, close default shares, disable built in accounts, etc.
I only comment because just last night I was auditing my home network, and my Win2k box failed miserably since I'd yet to touch it in the securing process. DOH!
Download Retina, run against yourself, see how ya do.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
One other point of interest... (2.00 / 2) (#39)
by Miniluv on Sun Nov 19, 2000 at 02:17:22 AM EST

With Windows boxes, NT and 2k that is, your administrator account is of course the holy grail. Aside from renaming, also don't forget to change the password through User Manager and then don't log into it until absolutely necessary, and once you do change the password again.
Not logging in means the password never actually gets hashed into the SAM file, thus L0pht cannot get it. The process may not be accurately described above, but the results are, at least in my experience playing with L0pht and sam files I've created.


"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
Like what? (2.66 / 3) (#40)
by bradenmcg on Sun Nov 19, 2000 at 04:32:20 AM EST

Default shares, ok... I'll buy that, but any ISP worth its salt blocks 139 and the like.

Win2k Pro does NOT install IIS by default, so that's off.

I can't think of anything else on a Win2k Pro default install.

I didn't notice much at all when I was poking myself (with shields up and the like). Granted, ports are OPEN and responding that there is no process attached to them, but there are no daemons actually running that are insecure... sendmail, BIND, etc, etc, blah, blah.

And if you're really worried about people poking ports they shouldn't, get your hands on ZoneAlarm. I have ZA Pro, it works beautifully. I looked long and hard at some of the other win2k firewalls... I was going to use Network Associates' BIGASS corporate firewall until I found it was only for NT4. Ew-scray em-they.

ZoneAlarm (standard) is FREE. Pro is only like $30 and adds several nice features if you are NAT'ing. (There's also always the w4r3z discount... =)

<leonphelps>Yeah, now, uh, "sig," what is that?</leonphelps>
Actually.. (3.50 / 2) (#45)
by mindstrm on Sun Nov 19, 2000 at 05:05:29 PM EST

Any ISP worth its salt does *NOT* block port 139. ISPs that cater to large groups of sheep (@home, AOL, etc) probably filter them. REAL ISPs provide internet service, not filtered service.


Since when does WAN == LAN? (none / 0) (#52)
by bradenmcg on Mon Nov 20, 2000 at 03:18:10 AM EST

Ok, some might gripe about how windows-centric this is. However, that's kinda what the subject is here, so just deal with it.

If you need to be doing netbios sharing over TCP/IP over any kind of distance (i.e. over the Internet), you should have a VPN. There are FAR more efficient ways of doing simple file xfer; FTP anyone?

Granted, people might want to put something else on 139... But the vast majority of services being run on port 139 are NetBIOS over IP. NetBIOS is a big fan of broadcast traffic. EVIL. Your ISP shouldn't have to be dealing with the traffic, it should be filtered on the modem racks themselves, or at least on an internal router, keeping the modem riff-raff from getting to even the ISP's LAN. (Of course, all depending on how the ISP has stuff set up.)

Then again, IANAISP, and this is all just IMHO. =P

<leonphelps>Yeah, now, uh, "sig," what is that?</leonphelps>
filtering at the LAN gateway (none / 0) (#56)
by Justinfinity on Mon Nov 20, 2000 at 06:19:45 AM EST

Things like NetBIOS should be filtered at the gateway of the LAN. I'm not positive, but I'm pretty sure NetBIOS can't jump subnets without custom routing, so there's no reason any gateway should let any NetBIOS packets out. As for single machines, they shouldn't have 139 open anyway.
my gateway will definitely NOT be sending or forwarding any NetBIOS packets (not that AT&T will let it anyway, although they will open the ports if you ask)

-justin
That's not the point though. (5.00 / 1) (#59)
by mindstrm on Mon Nov 20, 2000 at 06:34:59 PM EST

Yes, using netbios over tcp over the internet might be kind of silly if the situation you are in should be using a vpn.

And yes, we all know netbios kind of sucks over high latency links anyway.

All your stuff about 'broadcast' and what not.. that's not an issue. We are talking about blocking of tcp traffic over port 139, period. Netbios over TCP does local subnet broadcasts to find a local browser, period. This is a non-issue.

What if SMB mounts worked well over slow links? What if I simply want to access a read-only share on a computer somewhere? Who is my ISP to tell me I'm not allowed?

What I'm saying is, ISPs should stick to providing IP. Period. That's their job. Let the home user decide what to do with it, or at least let those of us who know what we are doing turn off filters we don't need.



My Gateway (3.00 / 1) (#22)
by Devil Ducky on Sat Nov 18, 2000 at 03:05:09 PM EST

The gateway server I use to connect the network to the cable modem is an old Pentium 90 with 16 megs of RAM and a puny 1 gig HDD (it used to be smaller!) running RedHat 6.0 (just never been updated) with all of the ports shut down to ETH1 (cable modem) except ssh. The reason RedHat was chosen is that at the time we (those of us who did the work) knew it better, and linuxconf. It is really easy to configure two network cards to basically the same setting using linuxconf, since all you have to do is tab over.

The downside of doing this is that to keep any semblance of security everything had to be stripped out, no sendmail (I'm not security-minded enough to keep upgrading it), no httpd (@home doesn't allow this anyway), no ftp (who needs it with ssh/scp?), no gaming ports (poor computer couldn't handle that anyway), etc. So as it turns out I'm not really losing anything here... I'm not sure what OS will go on this machine once I get a new one and this one moves to gateway/file server. I'm also not sure what to do with the P90, I'm thinking of making it a NIC, rip everything off of it, put a nice GNOME interface on it and Netscape...

Devil Ducky

Immune to the Forces of Duct Tape
Day trading at it's Funnest
Red Hat 7 (2.16 / 6) (#23)
by skeezix on Sat Nov 18, 2000 at 03:44:39 PM EST

My gateway/firewall/router is a Red Hat 7 box on a Pentium 100 Mhz machine with 16 Mb RAM and a 2 Gb hard disk. I have it set up to act as a router for my network, a caching nameserver, a DHCP server, and a firewall. I found Red Hat 7 particularly easy to configure for pppoe with DSL. It was also very easy to set it up so that all services are shut down except for the bare minimum and all network services shut down except for sshd. I also forward port 80 requests to a web server that's internal to the network.

Why fly FreeBSD? (2.57 / 7) (#25)
by Miniluv on Sat Nov 18, 2000 at 03:59:31 PM EST

I use a FreeBSD box for a couple reasons:

1) The ports tree. The sheer beauty of the ports tree. It's nicely arranged, takes dependencies into account, and provides all kinds of variables on packages like apache (mod_ssl, mod_perl, php3/4, etc).
2) The IP stack. It's fast...really fast. While it doesn't just leave everyone else in the dust, it DOES outrun them, sometimes by a significant margin.
3) The scheduler. With ONE exception, I've yet to find a way to beat that box into submission by overloading it with work. The one exception was a horribly coded application that was incorrectly niced and I couldn't get top up to renice it before it stole every last cycle. But, I've recompiled the kernel, while building apache+php4, plus doing fairly high volume webserving, serving up some anon ftp and doing NAT/NIDS. That same general level of workload has brought down every Redhat box I've used, even the nicely tweaked ones.

I like linux, I have an RH7 workstation sitting next to my Win2k workstation and my FreeBSD server, but for a do-everything with a good shot at security, FreeBSD is my number one choice. I've yet to get really comfortable with OpenBSD, so it'd be interesting to see just how flexible it is.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'

My recommendation (1.66 / 3) (#27)
by Elendale on Sat Nov 18, 2000 at 04:30:48 PM EST

I would say go with some BSD variant and just let the thing run :) I ended up voting Slackware in the poll though, as i'm not about to go out and buy BSD... Slack is very flexible and secure, as long as you don't mind wrestling with it for a bit. It's missing Debian's happy little apt, but i would be willing to bet apt could be put into slack :)

-Elendale
---

When free speech is outlawed, only criminals will complain.


OpenBSD maybe.... (2.25 / 4) (#32)
by UrLord on Sat Nov 18, 2000 at 09:04:55 PM EST

Ok, I'm an admitted OpenBSD fan. I use it at home for almost everything. Gaming is definitely a Windows thing, but I rarely play games so it's not too bad. I use an OpenBSD box for a firewall/NAT and sometimes for IRC. Nothing special. I will be setting up an OpenBSD server at a co-lo sometime in the near future because I can set it up and let it sit.

But in this situation I would have to recommend using Slackware. I think it's one of the best linux distros out there. Unless you are really interested in learning a BSD, just use linux, it'll be more secure by the fact you understand it better.

BTW http://www.wiretapped.net uses OpenBSD on basic i386 hardware and is one of the busiest sites in .au

We can't change society in a day, we have to change ourselves first from the inside out.

Dedicated hardware? (3.33 / 3) (#33)
by tfoh on Sat Nov 18, 2000 at 10:54:32 PM EST

Why not consider a dedicated piece of hardware, like those Linksys units? I don't have any old boxen lying around, and it seems to me that a PC with a server operating system is overkill for something like a NAT. Also, they ought to be reasonably secure since they probably aren't vulnerable to most attacks against unix-like OSes, and if some party managed to crack into the unit, it is probably easier to clean than a cracked PC. Any reason why a PC is preferable over a commercial router for this task?

it's free :-) (2.00 / 1) (#34)
by Justinfinity on Sat Nov 18, 2000 at 11:45:54 PM EST

i have this box sitting here, i know it will make a better gateway than my dad's win98 box. i checked out the hardware routers and stuff when getting a hub and NICs for this machine, but they were expensive when compared to the _free_ machine just sitting there

-justin
[ Parent ]
Update (3.50 / 2) (#35)
by Justinfinity on Sun Nov 19, 2000 at 12:02:16 AM EST

right after i posted this, i was talking in #kuro5hin and found someone who was willing to trade a bunch of 486 hardware for my old K6-2 300 CPU. so, hopefully, very soon i should have a 486 system to use as a pure gateway/firewall, probably running OpenBSD. the current gateway/server that i wrote about will be just a server, without all the NAT and filtering to worry about.

a few people mentioned using a hardware router, but again, this box will be basically free and it'll be fun to setup this way.

i got SyGate for windows for free with the hub/NIC combo i bought, so i'm going to put that on my dad's machine for now. then i'll connect my main box through my soon-to-be gateway to do any testing. this way if i break anything, a couple cable changes on the hub can bypass my gateway and go straight to my dad's machine, the way it is now.

for now, i'm going to dual-boot my gateway with slackware and freebsd. since freebsd has a bigger ports collection than openbsd, and i'm a bit more experienced with freebsd, it's the better choice. i'll play around with settings, making sure i know what i'm doing, then i'll install whichever one i like better (although i have this feeling it's going to be freebsd on the gateway/server and remain with slackware/win98 on my workstation, but we'll see)

thanks for all the suggestions and ideas so far. and keep them coming for everyone to see. i'll probably post my own ideas here, as well as in my diary or on my own site (soon to be moved to my new server box :-)

-justin

update 2 (none / 0) (#55)
by Justinfinity on Mon Nov 20, 2000 at 05:37:54 AM EST

everyone has given good examples. but i'm going with OpenBSD.
first off, they're auditing code, that's just something _everyone_ should be doing. the pro-active security is a good idea too. i'd rather have to turn on a possible vulnerability than have it open by default and not know about it (as most newbies won't in a lot of distros). even my fav distro, slackware, has a default setup of turning on a bunch of daemons that most people don't need/want. (maybe i'll e-mail Patrick V about it)

my main box (duron 600, 128 megs) will be running win98 and slackware, with ports for my fav games forwarded so i can host a server if needed.
my secondary box (k6-2 500, 64 megs) will be running either slackware or freebsd and running apache, sshd, samba, and maybe an ftp daemon, with appropriate ports forwarded to it
my dad's win98 machine (k6-2 350, 48 megs (soon to be 96)) will be running nothing server-wise, so nothing will be forwarded to it.
the 486 box (AMD DX 80 with ~12 megs IIRC) will be nothing but a firewall/gateway using OpenBSD, ipf and ipnat (or something else if i find anything i like better) with only the ssh port open and anything not forwarded will be closed.

i'm not positive (i'm new to this stateful stuff), but i think things like AIM's file sharing will work if the request is made _from_ one of my machines. this doesn't work with the win98 ICS without opening ports, which i don't want to do if i don't have to. if not, well i'll figure something out, maybe a script to open it and make a batch file to run putty for my sister to run, then reset it after 30 minutes or so, i don't know yet.
that brings up another good thing about the OpenBSD based box, as opposed to the windows box: i can ssh in and change anything on the fly. :-) i can use VNC on the windows machine and open ports, but it still has to reboot to take effect (stupid MS and their rebooting). i don't know about the hardware routers, how easily are they configured?

i'll give another update when the 486 stuff gets here from Dasunt, should be in a couple days.

-justin
[ Parent ]

My sincere advice. (4.00 / 5) (#36)
by mindstrm on Sun Nov 19, 2000 at 12:27:36 AM EST

If you want a box to do 'anything and everything' and you want an OS.. it's pretty simple.

Use unix. Use whatever flavour YOU are most comfortable with.

Me, I use debian/potato. Nothing to get in a holy war about. I hear the BSD variants are just as good.

What I'd question is the wisdom of having a box to do 'everything and anything'. Make the firewall simple. Get an old box. It need not be fast. You can have a nice, big fast box behind it, to do 'everything'. Put your big drives in it, whatever. But keep the box that's exposed to the net simple and small, something you don't mind rebuilding now and then.
I use one of those linksys boxes at one place. If I spent more time there, I'd use linux, but given I just tend to surf and do mail, linksys is fine. (it only allows simple port forwarding)


If you get into 'what OS to use' you're into a religious war.. and nothing more. Security is mostly, regardless of what the zealots say, a matter of knowledge, so use what you know.



Linux Router Project (3.25 / 4) (#38)
by inan on Sun Nov 19, 2000 at 01:41:00 AM EST

I use the one floppy Linux Router Project and find that it works exceedingly well. It has never (to my knowledge) gone down in 8 months of use. I don't notice any delays and it doesn't even require a hard disk in the gateway computer. Give it a shot.

just out of curiosity.. (none / 0) (#51)
by Justinfinity on Mon Nov 20, 2000 at 02:43:44 AM EST

what version of the Linux-Router do you use?

i had forgotten about that. it may be just what i need, and i can save the 180 meg hard drive for testing stuff on my other boxes. :-)

-justin
[ Parent ]

Gateway OS choice (1.75 / 4) (#41)
by adric on Sun Nov 19, 2000 at 06:07:51 AM EST

OpenBSD for anything with a live IP, nuff said.*

Debian for most everything else (mmm ... apt).
LRP is nifty, but doesn't have much for modem users (argh).
FreeBSD for a dedicated web or ftp server.. (-stable, as release doesn't mean anything to FreeBSD folks, sigh)

*I can't get Open to handle ADSL, so I've been using debian/rp-pppoe for this. Anyone who cares to remedy this gap will be rewarded, praised, etc.

2.8 (none / 0) (#61)
by Spendocrat on Tue Nov 21, 2000 at 04:18:09 PM EST

OpenBSD -current (i.e. leading up to 2.8) has PPPoE as part of userland PPP (man ppp, or go here). Also, you might want to take a look through the misc@openbsd.org archives for the past 3-4 months for discussion of using PPPoE.

HTH

[ Parent ]

I know I'll get flamed but... (2.00 / 5) (#43)
by joshv on Sun Nov 19, 2000 at 10:35:49 AM EST

Windows 2000. I used various flavors of linux for my home server for quite some time but eventually my old Red Hat 5.2 install got quite out of date, and updating it seemed a daunting task without a re-install. Considering the troubles I had had with library conflicts and dependency among linux applications when upgrading, I didn't want to deal with this on the OS level.

So I decided to see what windows 2000 had to offer. For a simple setup it offers a lot. It is perfectly capable of doing NAT and limited firewalling out of the box. I put in two nics, one for the internal network, one for the cable modem. By default windows 2000 allows IP filtering at the interface level - so I blocked all incoming IP packets and clicked one button to enable ICS (what Bill calls NAT).

Overall I would say that this has been more expensive, but definitely simpler in terms of time invested. Windows 2000 is just as stable as linux was (both had uptimes in the multiple months). Windows 2000 is by far easier to setup and configure as a firewall/NAT box.

People say windows 2000 is bloated. Yes it uses more resources than your average Linux setup, but it runs fine on my pentium 166 with 90 Meg of RAM.

I will install cygwin to get back my bash prompt and some of the tools I have grown to be dependent on.

-josh

well... (none / 0) (#53)
by drinkybear on Mon Nov 20, 2000 at 04:05:33 AM EST

you could have just saved all the config files on floppies and installed a newer linux distro. just a thought.

[ Parent ]
ipf wants to love you! (4.40 / 5) (#44)
by fansipans on Sun Nov 19, 2000 at 01:13:39 PM EST

Hello. I'm currently using OpenBSD 2.8 (snapshots) to manage NAT and firewalling for my 4 college dorm room computers (as is my roommate), and one of the things that i absolutely love about OpenBSD is that it makes use of "ipf" for its firewalling. ipf is the program of choice for the *BSD variants, so if you wanted to run a gateway on some crazy-ass embedded processor, you could just as well set this all up on NetBSD; if you wanted to have the bleeding edge of application support for serving for some reason (on a gateway?) then you could use FreeBSD.

with ipf on a gateway, i think it's an obvious choice to use OpenBSD (security silly!). but anyway, one of the things i absolutely love about ipf is that aside from being a state-ful firewalling solution (read about stateful-ness here and here's a practical implementation) ipf has the best and from what i've seen so far the most flexible configuration file format. let's take a look at some examples. note that my internal network is 192.168.1.*, my external interface is dc0 and also that things like routing and port forwarding are managed by ipnat (also a very nice program)
----begin /etc/ipf.rules snippet----
# do we want to ban incoming traffic from spoofed addresses? okay.
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any

#we want to be able to ssh to our box so...let's let that through:
#the nice thing about the rule below is that only the hand shake part
#of the packet is specifically allowed, everything else (keep state) happens
#only because it was part of the handshake (so you can't just send it a random ack for example)
pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state

# hmm, well, a lot of nmap-kiddies think it's cool to be stealthy
# by using FIN, URG, or PSH scanning, well since those aren't part of any connection, we can just block those
# and they won't know what ports are open
block in quick on dc0 proto tcp from any to any flags FUP

# suppose we have a bunch of fancy rules to protect us from the wily
#hacker, but we don't want our activities impeded at all, so how can we
#say "if i start something let it through"? what happens if i NEED an URG
#packet for whatever reason, but since i started the connection, i know
#where i am and "what the risks are"
#well, if we use the rule below then anything we initiate will go through all
#of the other rules
pass out quick on dc0 proto tcp/udp from any to any keep state

#so we're content? no other traffic than what we've specified should go
#over this firewall? well let's log everything else just for sure
block in log quick on dc0 all

#so sit back, relax, pop up an Eterm and tail -f /var/log/ipflog on your router ;D

there is a lot more to ipf than this, but i was coming from eerie places like ipfwadm with each rule being initiated through strange mystical flags to ipfwadm (i think ipchains is similar), whereas i can go in and fine tune ipf to my heart's content. heh, is there someone you don't like? do you not even want him to be able to ssh to your box? don't just deny him! send him an rst packet any time he connects to your port 22 :D
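
As an added illustration (not part of fansipans' post, and not ipf's own code), here is a small Python model of how a ruleset like the one above is evaluated: first-match with "quick", "flags S/SA" compared under a mask (ipf's default mask FSRPAU is assumed), and a state table that is consulted before the rules. It shows why a bare ACK to port 22 is dropped while the reply to a connection you started comes back in. The parser only handles the subset of syntax used in the snippet; NAT, ICMP and port ranges are ignored, and every packet and address below is constructed (RFC 5737 documentation ranges).

```python
import ipaddress
from collections import namedtuple

ALL_FLAGS = frozenset("FSRPAU")   # ipf's default TCP flag mask (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")

# fansipans' rules from the post, comments stripped; dc0 is the outside interface.
RULES = """
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any
pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
block in quick on dc0 proto tcp from any to any flags FUP
pass out quick on dc0 proto tcp/udp from any to any keep state
block in log quick on dc0 all
"""

# A packet as the filter sees it; flags are TCP flag letters, e.g. frozenset("SA").
Packet = namedtuple("Packet", "direction iface proto src sport dst dport flags",
                    defaults=(frozenset(),))

def parse_rule(line):
    """Toy parser for the ipf subset used in RULES; returns a dict of match criteria."""
    tok = line.split()
    r = {"action": tok[0], "direction": tok[1], "iface": "", "quick": False, "log": False,
         "protos": None, "src": ANY, "dst": ANY, "dport": None,
         "flags": None, "mask": ALL_FLAGS, "keep_state": False}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("quick", "log"):
            r[t] = True
        elif t == "on":
            i += 1; r["iface"] = tok[i]
        elif t == "proto":
            i += 1; r["protos"] = set(tok[i].split("/"))        # "tcp/udp"
        elif t in ("from", "to"):
            i += 1; a = tok[i]
            r["src" if t == "from" else "dst"] = ANY if a == "any" else ipaddress.ip_network(a, strict=False)
        elif t == "port":
            i += 2; r["dport"] = int(tok[i])                     # "port = 22"
        elif t == "flags":
            i += 1; want, _, mask = tok[i].partition("/")        # "S/SA": S set, A clear
            r["flags"] = frozenset(want)
            r["mask"] = frozenset(mask) if mask else ALL_FLAGS
        elif t == "keep":
            i += 1; r["keep_state"] = True                       # "keep state"
        i += 1                                                   # "all" and anything else: skip
    return r

def matches(r, p):
    if (r["direction"], r["iface"]) != (p.direction, p.iface):
        return False
    if r["protos"] is not None and p.proto not in r["protos"]:
        return False
    if ipaddress.ip_address(p.src) not in r["src"] or ipaddress.ip_address(p.dst) not in r["dst"]:
        return False
    if r["dport"] is not None and p.dport != r["dport"]:
        return False
    if r["flags"] is not None and (p.proto != "tcp" or (p.flags & r["mask"]) != r["flags"]):
        return False                                             # flags compared under the mask
    return True

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.state = set()   # 5-tuples of connections admitted by a "keep state" rule
        self.log = []        # packets that hit a "log" rule

    def filter(self, p):
        """Verdict for one packet: the state table is checked before any rule."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            return "pass (state)"               # belongs to a connection we already allowed
        verdict, decided = "pass", None         # ipf passes by default if nothing matches
        for r in self.rules:
            if matches(r, p):
                verdict, decided = r["action"], r
                if r["quick"]:
                    break                       # "quick": later rules are not consulted
        if decided is not None and decided["log"]:
            self.log.append(p)
        if verdict == "pass" and decided is not None and decided["keep_state"]:
            self.state.add(fwd)                 # with "flags S/SA" only the SYN gets here
        return verdict

def demo():
    """Constructed packets (RFC 5737 addresses) run through the ruleset."""
    fw, me, them, v = Firewall(RULES), "203.0.113.5", "198.51.100.7", {}
    v["spoof"] = fw.filter(Packet("in", "dc0", "tcp", "10.1.2.3", 40000, me, 22, frozenset("S")))
    v["ssh_syn"] = fw.filter(Packet("in", "dc0", "tcp", them, 40001, me, 22, frozenset("S")))
    v["ssh_ack"] = fw.filter(Packet("in", "dc0", "tcp", them, 40001, me, 22, frozenset("A")))
    v["stray_ack"] = fw.filter(Packet("in", "dc0", "tcp", "198.51.100.9", 40002, me, 22, frozenset("A")))
    v["xmas"] = fw.filter(Packet("in", "dc0", "tcp", "198.51.100.9", 40003, me, 80, frozenset("FUP")))
    v["out_http"] = fw.filter(Packet("out", "dc0", "tcp", me, 50000, them, 80, frozenset("S")))
    v["http_reply"] = fw.filter(Packet("in", "dc0", "tcp", them, 80, me, 50000, frozenset("SA")))
    v["udp_in"] = fw.filter(Packet("in", "dc0", "udp", them, 5353, me, 53))
    v["logged"] = len(fw.log)
    return v
```

Running `demo()` gives: the spoofed 10/8 source is blocked by the anti-spoof rule (silently, since that rule has no `log`); the SSH SYN passes and is remembered, so the following ACK from the same peer is admitted from the state table; the stray ACK from a host that never did a handshake fails the `S/SA` test, has no state, and falls to the final `block in log` rule; the FIN+URG+PSH probe is dropped by the `flags FUP` rule without a log entry; the outbound HTTP SYN creates state so the SYN/ACK reply gets back in; and the unsolicited UDP is blocked and logged. Two packets end up in the log.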



thanks for the info on ipf (5.00 / 1) (#54)
by Justinfinity on Mon Nov 20, 2000 at 05:10:01 AM EST

as you may have read, i'm getting a 486 box soon for a pure firewall, for now i'm going to setup OpenBSD and get ipf and ipnat setup.

-justin
[ Parent ]
Linux Mandrake, anyone? (2.00 / 1) (#46)
by MoxFulder on Sun Nov 19, 2000 at 07:13:42 PM EST

I use Linux Mandrake 7.1 to run my IP masquerading router. It's a Pentium 133 with 16 megs ram, a 1 gig hard drive, an awesome ADSL modem, and two network cards. Linux Mandrake is my desktop OS of choice because of its pentium optimization, and hardware detection support that kills every other distro I have seen.

I used Mandrake on the router cause I'm very familiar with it ... it's a bit bloated to use as a server (I had to manually remove X, Netscape, Gnome, KDE, etc...), but it gets the job done and has now been up for a couple of months with no downtime :-)

I use rp-pppoe for the ADSL modem, and it works like a charm. So overall I'm very happy with my router/server. But can anybody tell me how to optimize Apache for running on a Pentium 133 with 16 megs ram??? Or refer me to a good website on the subject?

"If good things lasted forever, would we realize how special they are?"
--Calvin and Hobbes


Firewalls should JUST be firewalls. (3.00 / 2) (#48)
by tzanger on Sun Nov 19, 2000 at 08:57:30 PM EST

The subject says it all.

I don't have any special penchant for using OpenBSD for a firewall -- I mean the security audit is nice but it's not enough of a reason for me to learn another Unix. I've set up and administer over a dozen Linux firewalls, from dialup to DSL and Cable modem firewalls, and none have been compromised for the simple reason that they were just firewalls. No listening ports other than SSH and ident to take advantage of. Hell, my web/mail/ftp server (not behind a firewall) hasn't been compromised either but I don't advocate such things professionally. :-)

Linux (especially 2.4 with its stateful firewall capability) seems to be secure enough for my firewalling needs, and flexible and featureful enough to satisfy my computing (and at times funky firewalling) needs.



Anything, with effort (3.00 / 1) (#57)
by micco on Mon Nov 20, 2000 at 09:45:53 AM EST

I basically agree with the responses that say "go with what you know". Anything, even WinNT, can be made secure if you take the time to do it right and keep up with exploits.

Personally, I use Slackware 7.1 because my firewall runs on an old PS/2 486, and Slackware supports the MCA architecture. All things equal, I might prefer to run OpenBSD or even LRP, but the MCA support made Slackware the easiest install and I just have to take the time to nail things down.

This box runs *nothing* else, no web server, mail server, games or any other apps aside from absolutely required system utilities for ipchains and ipmasq, so it's fairly easy to make it secure. That seems like the proper strategy for a firewall regardless of your hardware. Given that you can pick up adequate 486 boxes for <$50, you might be better served by putting up a minimalist firewall-only box and mounting your server behind it. This would require a more complex firewall setup to allow restricted access to the server, but you might find it more straightforward to secure and upgrade.

If you choose a linux flavor, you could check out both Bastille Linux and TrinityOS, both of which have checklists and scripts for securing certain distros.

Hardware Solutions (none / 0) (#58)
by Mantrid on Mon Nov 20, 2000 at 04:08:57 PM EST

I use a Linksys router at home, and it seems to work great (at least after a quick firmware upgrade). It only cost me about $200 CDN; it's only got one port, so you need your own hub (I think Linksys and probably other companies sell units with a hub or switch built in as well). I was thinking of setting up a separate box, but with two network cards and even a basic computer set up it probably would've cost at least that much. It's weird, but I swear that browsing web pages is faster going through the mini-router than when my PC was hooked straight into the cable modem, but I can't figure out why (maybe the server the pages live on is faster or something, but in general it seems faster). Anyways it works well with me and my roommate's PCs hooked up, and hopefully i'll have my Dreamcast hooked up soon as well hehe. There are several manufacturers that make these little boxes, I just happened to find the Linksys one.

Don't tie your main box up w/ a Firewall (3.50 / 2) (#60)
by PacketMaster on Mon Nov 20, 2000 at 07:45:52 PM EST

If it's possible for you to pick up an old clunker like a 486-50 or even a higher-end P60 or P75, I'd recommend looking into a product called FreeSCO (www.freesco.com). It's basically a Linux-on-a-floppy firewall, NAT box and port-forwarder. I've used it for about 5 months and I think it's terrific. It also has very good built-in support for a lot of the dynamic DNS services like DHS and DynDNS. I was going to set up my main Linux machine as the forwarder but I got to thinking. I decided that there's going to be times where I'm going to be needing to work on one machine and I'd need to access the Internet with the other, so it made sense to pick up a third clunker and fix it up. My firewall is running on a P75 with 16 Mb of RAM and has two $5 ISA network cards. The whole setup cost me about $40 and maybe 1 hour of setup time. Then that'll leave your main Linux box up to some real apps.

OS choice for home LAN servers/gateways... | 61 comments (55 topical, 6 editorial, 0 hidden)