Date:      Thu, 04 Dec 2003 03:15:38 -0500
From:      Scott W <wegster@mindcore.net>
To:        Bryan Cassidy <b_cassidy@bellsouth.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Router question
Message-ID:  <3FCEED2A.5060103@mindcore.net>
In-Reply-To: <20031203182121.0cf47a5c.b_cassidy@bellsouth.net>
References:  <20031203182121.0cf47a5c.b_cassidy@bellsouth.net>

Bryan Cassidy wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello everyone. How's everyone doing tonight/today? Well, I'm taking a
>week off of work and thought I would read up on Security/Networking and
>anything else to do with making my system/webserver secure. I am going
>to Best Buy (ya, I know, but it's the only computer-related store in this
>shitty town, so) to buy a router and was just wanting to see what people
>could recommend on which ones are good. I've never really gotten into
>this kind of thing before but want to learn. Will there be anything extra
>that I should get while I'm at the store? Cables etc.? I only have one PC;
>is there any point in having a router with one PC? Any links to how to
>set this up on FreeBSD? Thanks in advance.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (FreeBSD)
>
>iD8DBQE/zn4Bm8uTTHnDH3ERAsR1AKDTzQHhzHV0ei2OevUSo0jzdksikACghTjr
>QGg8Wa7hgX1Dr4vTXGjgCo8=
>=LXnN
>-----END PGP SIGNATURE-----
If you've got only a single PC to connect, then the only reason for 
wanting (not needing) a (presumably broadband) router is that anything fairly 
recent will do NAT (address translation, which basically lets > 1 PC share 1 
public IP address).  One of the 'side benefits' of NAT routers is that 
they close off connections initiated from the outside world (the Net).  
Not that big of a deal with FreeBSD, as the services running by 
default are pretty sensible (compared to past and some current versions 
of Solaris, RedHat, SuSE etc. etc.), but this is generally A Good Thing if 
you're running Windows at any point, or are playing around with 
different services, as many of them have had exploits in the past that 
script kiddies like to jump on.

Of course, you can also turn your bsd system into a router by adding 
another NIC, and then attaching a hub or switch to one NIC, and the 
other to your DSL or cable modem...

The disadvantage (serious annoyance IMHO) of 'hardware routers' (as opposed 
to software running on BSD or another *nix) is the general lack of 
logging abilities.  When I used to run several personal domains, it was 
_amazing_ the number of portscans and IMAP and other exploits that would 
be attempted on my systems.  I personally like to know what's being 
attempted against my systems, and most of the 'off the shelf' routers 
from Best Buy, CompUSA etc. are a far cry from Cisco and others, who do 
run a 'real' (meaning user-accessible) OS and can handle logging as well 
as complex rules for port forwarding or dropping routes....

As far as FreeBSD is concerned, if you do decide to get one for whatever 
reason, the router is effectively dual-homed, meaning, in this case, that 
it has an internal network IP (e.g. 192.168.1.254) as well as an external 
IP which is what 'the world' sees, which is the IP assigned to it via 
the cable/DSL modem/your ISP.  You'll need to set your 'internal' 
systems (your home PCs/systems) to have their default gateway point to 
the internal IP of the router.  That will be the case regardless of 
whatever OS you run...

Of course, even a 486-class system, with a minimal install of FreeBSD, 
with /usr mounted immutable, and a small hard drive, would make a great 
router, and you could also play around with a remote log host for 
logging, monitoring tools like logcheck, sentry, saint, and others, as 
well as designating your own port forwarding and firewall rulesets... if 
you decide to buy an 'off the shelf' router and still want some sort of 
idea of who's trying to do what to your system(s), you can port forward 
a 'popular' port (like IMAP/139, http/80, and/or mail/25) to different 
ports on your local system and set things up to only log the connection 
instead of running the actual services......


Scott
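The last suggestion in Scott's reply (forward a popular public port to a local port that only logs the connection and never runs the real service) is small enough to show end to end. The listener below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It assumes the router has already been configured to forward a public port (say 25/tcp) to a high port on the internal host, and the record format, the `smtp/25` label, the `2525` port and the log path are all constructed for the example. The listener accepts a connection, keeps a bounded peek at whatever the client sends first, closes the socket, and writes one line per attempt; there is no protocol implementation behind the port, so there is nothing for a scanner to exploit.

```python
"""Connection-only logger for ports a router forwards to this host.

Added example (not from the mailing-list thread): the listener accepts a
TCP connection, records who connected and the first bytes they sent, and
then closes.  No service is offered; the log line is the whole point.
Names, ports and the log format are assumptions made for this example.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Hit:
    """One logged connection attempt."""
    when: float          # Unix timestamp taken right after accept()
    src_ip: str          # peer address as seen by this host
    src_port: int
    dst_port: int        # local port the router forwarded to
    service: str         # label for the public port, e.g. "smtp/25" (assumed)
    first_bytes: bytes   # bounded peek at what the client sent; may be empty


def format_hit(hit: Hit) -> str:
    """Render a hit as a single syslog-style line (assumed format)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(hit.when))
    return (f"{stamp} {hit.service} -> local:{hit.dst_port} "
            f"from {hit.src_ip}:{hit.src_port} first={hit.first_bytes!r}")


class ConnectionLogger:
    """Bind a local port, accept connections one at a time, log and drop them."""

    def __init__(self, service: str, host: str = "127.0.0.1", port: int = 0,
                 peek: int = 64, timeout: float = 2.0):
        self.service = service
        self.peek = peek          # never read more than this many bytes
        self.timeout = timeout    # a silent client must not hold the socket
        self.hits: list[Hit] = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port=0 lets the OS pick a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def handle_one(self) -> Hit:
        """Accept a single connection, record it, close it, return the record."""
        conn, (ip, sport) = self.sock.accept()
        conn.settimeout(self.timeout)
        try:
            data = conn.recv(self.peek)
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()   # drop the client regardless; we offer no service
        hit = Hit(time.time(), ip, sport, self.port, self.service, data)
        self.hits.append(hit)
        return hit

    def close(self) -> None:
        self.sock.close()


def simulate_probe(logger: ConnectionLogger, payload: bytes) -> Hit:
    """Constructed local probe: connect to the logger, send payload, return the Hit."""
    worker = threading.Thread(target=logger.handle_one)
    worker.start()
    client = socket.create_connection(("127.0.0.1", logger.port))
    client.sendall(payload)
    worker.join(5)
    client.close()
    return logger.hits[-1]


def serve_forever(logger: ConnectionLogger, logfile: str) -> None:
    """Append one line per connection to logfile until interrupted."""
    with open(logfile, "a") as fh:
        while True:
            fh.write(format_hit(logger.handle_one()) + "\n")
            fh.flush()


if __name__ == "__main__":
    # Assumed deployment: the router forwards public 25/tcp to this host's
    # port 2525; the listener records the attempt and goes no further.
    serve_forever(ConnectionLogger("smtp/25", host="0.0.0.0", port=2525),
                  "/var/log/portlog.txt")
```

Two choices matter here. The peek is capped at 64 bytes and the socket has a read timeout, so a client that connects and says nothing, or that streams data forever, cannot tie the listener up; and the socket is closed in a `finally`, so every attempt ends the same way whether or not anything was received. Running it as an unprivileged user on a high port, with the router doing the translation from the well-known port, is the point of the "forward to a different port" advice in the reply.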




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FCEED2A.5060103>