netbsd-users: RE: Are multiple services on a router acceptable for home use?

Subject: RE: Are multiple services on a router acceptable for home use?
To: Mikael =?iso-8859-1?Q?Nystr=F6m?= <micke@samladtrupp.se>
From: De Zeurkous <zeurkous@nichten.info>
List: netbsd-users
Date: 12/01/2007 19:17:57

Haai,

On Sat, December 1, 2007 17:56, Mikael Nyström wrote:
> I'm looking for some advice on wheter it's a good idea to move the
> router functionallity from a standalone box to my server. This is for
> home use and the reason is to reduce the number of machines that
> needs to be feed with power 24/7. The server is only running a small
> set of services such as DHCP, NFS and NTP on the behalf of my home
> network which isn't too crowded. Would enabling packet forwarding and
> using ipf/pf be a good idea in a "secure-enough-for-home-use" context?
>

As you suspected, security isn't much of a problem here. I do recommend
moving the gateway to a system not running other services. It has nothing
to do with security, but rather with performance. Given the gratuitous
interrupt junkies that typical 'home systems' are, you will find it
increasingly difficult to maintain minimal connection latency as usage of
the other services (especially NFS) increases.

> One thing that I will do is to try to make sure that all services
> only accepts requests from inbound interface and use a sane set of
> rules for the packet filter, but are there other steps I could take
> to lessen the chans for a disaster?

Except for decent password management, keeping an eye on security updates,
and a detection system for basic intrustions, AFAIK not much can be done
in a home contect.

>
> I suppose that one could go as far as using a combination of read-
> only disks, securelevel, veriexec and systrace but that seems just a
> bit paranoid for a simple home user like myself. It would be cool
> though.

Paranoia ain't cool. I don't mess with any of those anymore for that exact
reason -- it /makes/ you paranoid. I used to make everything under /usr
ro, but it' just a pain in the end while offering very little to no extra
protection.

>
> By the way, have been running 4.0_RC4 with zero downtime since it was
> tagged so it's looking good from what I can tell! :-)

Argh, never run unstable releases on a server so versatile. Please. It's
just /begging/ for trouble.

Baai,

De Zeurkous
-----------

Friggin' Machines!

>
> Regards, Micke
>

-- 
# Proud -net.kook- IRC bot overengineer
% NetBSD, zsh, twm, nvi and roff junkie
From the fool file:
I don't see why the way people have historically partitioned disks should
dictate which kernels we build and distribute by default in the future.
        --Darren Reed (darrenr@NetBSD.org), NetBSD tech-kern