[H-GEN] Good practice and home networking

Greg Black gjb at gbch.net
Mon Sep 10 06:56:44 EDT 2007


On 2007-09-09, bjf at bjf.id.au wrote:

> Should I go for an all-in-one ADSL modem/router/hub/wireless box from
> Linksys or Netgear, or go for a lower end network-layer device, and
> hook it up to a cheap beige box running BSD or Linux?  Tradeoffs: I've
> heard enough horror stories about the bad guys carrying out automated
> hack attacks on crappy Chinese-made consumer home routers, but on the
> other hand, properly configuring a PC-based router is a lot of work.
> Having a PC do the job means I can keep a closer eye on the network
> and do upgrades.

The horror stories are true, so don't take advice from anybody who has
never heard of them.  As far as I'm concerned, the ADSL device should be
allowed to do the bare minimum required to make the ADSL connection and
any other "features" it has should be disabled.

Configuring a Linux or BSD host to do the rest is not difficult or even
faintly scary.

> When I went through uni, the advice there was that services should
> never be run on the internet-facing router.  Does this still hold?

That advice, for home networks, never made much sense and makes none
now.  Just make sure that only the services that you need and have
properly configured face the bad guys; everything else should be off.
If it's not listening to the world, it can't be cracked.  If it's a
home machine, you're in charge of what's running, so you don't have the
reasons that a commercial site might have to run a firewall (which is
there to stop the bad guys and idiots on the /inside/ from exposing your
system to the bad guys outside).

Careful setup of the outwards-facing box (i.e., as described in the
previous paragraph) is the simplest sane approach.  There's no need to
try to be too clever.  And, of course, keep that box up to date with all
security fixes.

> * Does anybody have any opinions whether I'd be better off using a
> Linux or OpenBSD OS on a PC-based router?  Specifically, is the
> network packet filtering support in OpenBSD powerful enough to warrant
> a second look?

OpenBSD's PF is now available on FreeBSD as well (and maybe others, but
I haven't checked).  It can do anything you might need, although there
are good arguments that you don't need anything of this kind at all.

(See above, again.)

Cheers, Greg
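The rule Greg gives for the outward-facing box, "if it's not listening to the world, it can't be cracked", can be turned into a routine check. The script below is an added example, not part of the post or the thread: it audits a gateway's listening sockets against an explicit allowlist of the services you intend to expose and reports anything else that is bound to a world-reachable address. It assumes the input is two columns, protocol and local address, as you would get from something like `ss -Hlntu | awk '{print $1, $5}'` on Linux or by trimming `sockstat -l` output on FreeBSD; the allowlist, the `port_of`/`is_world_facing`/`audit_listeners` helpers and the sample socket table are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a gateway's
# listening sockets against an allowlist of intended services.
# Input format assumed: "proto local_address" per line, e.g. from
#   ss -Hlntu | awk '{print $1, $5}'          (Linux)
# The allowlist and sample data below are constructed for the example.

# Services we deliberately expose on the gateway, as proto:port.
ALLOWED="tcp:22 udp:53 tcp:53"

# Extract the port from an address such as 0.0.0.0:22, [::]:22 or 10.0.0.1:80.
port_of() {
    printf '%s\n' "$1" | sed 's/.*:\([0-9][0-9]*\)$/\1/'
}

# Succeed (0) when the bind address is reachable from outside the box.
# Loopback-only binds (127.x, ::1) are not world-facing; wildcards and
# any other address are treated as exposed.
is_world_facing() {
    case "$1" in
        127.*|\[::1\]*|::1:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read "proto address" lines on stdin; print each world-facing listener
# that is not on the allowlist. Returns 1 if any were found, else 0.
audit_listeners() {
    found=0
    while read -r proto addr; do
        [ -z "$proto" ] && continue
        is_world_facing "$addr" || continue
        port=$(port_of "$addr")
        case " $ALLOWED " in
            *" $proto:$port "*) ;;                       # intended service
            *) printf 'UNEXPECTED %s %s\n' "$proto" "$addr"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample: a gateway that is doing more than the bare minimum.
# sshd and a resolver are intended; the print spooler is loopback-only;
# a web server and a VNC listener should not be there.
SAMPLE='tcp 0.0.0.0:22
tcp 127.0.0.1:631
udp 0.0.0.0:53
tcp 0.0.0.0:80
tcp [::]:5900'

# Number of unexpected world-facing listeners in SAMPLE (used by tests).
count_unexpected() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders and flag the result.
printf '%s\n' "$SAMPLE" | audit_listeners \
    || echo "gateway exposes services not on the allowlist"
```

Run against live data, the pipe feeding `audit_listeners` is simply the socket listing of the box itself; a non-zero return from the function is a convenient hook for a cron job that mails you when something new starts listening on the gateway.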