LinITX Router box, routing/network in a box.

[aidanjt]

Having my netgear router die on me lately, and my ISP provided router being able to handle a number of connections less than my fingers and toes, I've finally decided to get around to sticking together a LinITX box to provide routing and core network services. I've put in an order for the following bits:

1 x Kingston Low Profile 512MB PC133 SDRAM (KVR133/512) = £50.93
1 x 40 to 44 pin IDE Cable - 30cm (PA-HD44C30) = £2.98
1 x Seagate 80GB Momentus 5400 8MB Cache- ST98823A (ST98823A) = £52.88
1 x Light CV860A (533 MHz Fanless) - 3 NIC (LG805) = £175.00
1 x Light System ADSL Module (LEXADSL) = £55.00

Distro of choice of course being Gentoo, I still haven't decided on which libc to use yet, though being that it's going to be an internet facing box, I'll definitely be using a hardened toolchain and kernel with PaX, although not sure about using RBAC/MAC, I don't want to be stuffing up the CPU with excessive junk, if I get a good balance, I'll easily be able to run sshd, dhcpd, lighty, squid, and rsyncd for proxy/mirroring.

When I'm finished with it I should have an efficient router based on Linux 2.6 that's able to make intelligent routing decisions, set traffic priorities, bandwidth throttling, UPnP, the works...

BTW, if someone starts ranting about using Gentoo on a 533Mhz Edan CPU I'll slap 'em, I'll be maintaining the system on my P4 and copy the binary packages over

I'll keep you posted when I receive the hardware, I'll see about sticking up some pics while monkeying about with the hardware.

[dave87]

I have no idea what you just said, but sounds good.

I was intending to set up a Smoothwall box when I get to my new uni house next year, but this takes it a bit further. I may consider it, as I would also like to add some NAS at the same time.

[Funkstar]

Are there not ready rolled Distros for this kind of thing?

Do they not provide you with everything you want? or do you just want to roll your own?

[aidanjt]

There most likely is, but I want to roll my own, plus have Gentoo specific stuff for mirroring the gentoo-portage tree and source tarballs.

And I'm not big on fancy web frontends, I'm happy enough with a bash prompt

[Moby-Dick]

not even m0n0wall , which i'd class as one of the harder core rollups

although I hear thats designed for more specific functions ?

[aidanjt]

Yeah, I checked out m0n0wall sometime last year, it's pretty neat, and I may even try it out on the brick when I get it.
But I'm not sure if I'll get UPnP, and netfilter is pretty advanced, especially with patch-o-matic stuff.

[aidanjt]

Awesome, the linuxigd project has finally released 1.0 this month, hopefully that means the kinks have been ironed out and I should have trouble free UPnP integration.

[aidanjt]

I have no idea what you just said, but sounds good.

I was intending to set up a Smoothwall box when I get to my new uni house next year, but this takes it a bit further. I may consider it, as I would also like to add some NAS at the same time.

I've been looking around the prebuilt firewall solutions, and I came across pfSense again, it's a bit like m0n0wall but it's more adaptable and is built against the more modern FreeBSD 6.1, it should work on the type of hardware I'm getting. I recall playing around with it in VMware awhile ago, it's pretty nifty for a pre-built solution.

You can stick it on a flash card, or install it on a hard drive (the latter being more flexible of course), and would give you much much much less hassle than the route I'm taking.

[Moby-Dick]

that looks like a pretty powerfull implementation. I'm not sure you'd want to stick extra services like NAS on it though - its really designed to sit at the edge of a network rather than at the core like a NAS box would be.

[aidanjt]

Agreed, but at least he could have NAS services only listening on LAN ports, or whatever he wants

[Moby-Dick]

thats true - but in the unlikely event of the box getting rooted , would it then minimise exposure ?

[aidanjt]

Unfortunately not, but as long as ssh/web access isn't allowed from WAN it's impossible for a remote attacker to compromise the box. And thanks to privilege separation any compromised services would have isolated impact on pfSense as an OS localised to that particular service, if you have any listening on WAN

[aidanjt]

Great, LinITX already has the package packed, hopefully it should be dispatched soon.

Good experience with the transaction so far.

[Metier9]

Thats a good website You make me want to switch my linksys piddly wireless router with one of the Cisco 2600 routers at my feet...

aidanjt you should go overkill and make a honeypot

[aidanjt]

That would be overkill wouldn't it. Although when I'm done not much could be done on it without it being logged, so I think I'll be satisfied with that plus nosey people running into a brick wall.

Oh yeah, definitely hook up the Cisco for giggles

[Metier9]

But then ive got to set up RIP so the people downstairs can access wireless from the linksys or make a adhoc wireless network.. but my comp wont be up all the time

Keep updating this ^^ should be a good read