[Suns-at-Home] Building new server
Ahmed Ewing
aewing@gmail.com
Mon, 5 Feb 2007 16:13:41 -0500
On 2/5/07, Brian Costello <costellob@asme.org> wrote:
> I just got my hands on a pair of Sunfire V100 servers and plan to use
> one to replace my trusty old SS20 that has been my mail/web/ftp server
> as well as my firewall/NAT router. The other V100 will be a spare which
> is what I have now with an extra SS20 in case of a major failure. Back
> when I set up the SS20 (circa 1998) that was the only way for me to have
> a NAT capable router for a reasonable cost. When the plethora of low
> cost DSL / cable switch/routers came on the market, I kept the SS20 in
> place instead of using one of those. Now that I finally plan to upgrade,
> I am looking for some advice on whether I should use the V100 as a
> firewall or use my Linksys 4 port wireless switch/router for that. My
> question to the group is whether the port forwarding on typical routers
> will allow a server on the internal network to work as it does now. I
> need the server for the services above except the firewall/router.
If it's a Linksys WRT54G or WRT54GS, I have great news. Check the
bottom label to see what specific version it is--if you are lucky
enough to have any version prior to v5 (or a WRT54GL, keep reading),
the router is running code in firmware which is open-source[1] and can
be updated with a variety of custom firmware images--DD-WRT
(http://www.dd-wrt.com/) is my personal favorite, but there are
others. What they all have in common is the ability to make your
little router appliance *much* more powerful than it was intended to
be. Everything from SSH server/client to NFS export mounting, WDS
repeater mesh functionality and even boosting the antenna signal
strength by orders of magnitude (don't tell the FCC) is possible. So
suffice it to say, most individuals' firewall rule needs can be
addressed by it as well.
If you have a v5 or later, they switched to VxWorks for the firmware
to cut costs, so the well-known hacks don't work.[2] They remained
good sports about it, though, creating the WRT54GL which is, for all
intents and purposes, the original Linux-powered WRT54G, albeit at a
slight price markup for those willing to pay for the hackability. I'd
sooner get a used v4-or-earlier one. My two were obtained for $10 and
$20, respectively.
The wikipedia page is a great starting point with lots of info,
including an extensive list of third-party firmware and Linux distro
projects: http://en.wikipedia.org/wiki/WRT54G
One final word of advice: it's generally not a very good idea to use a
firewall box for anything besides a firewall if you can avoid
it--every additional daemon/service running on it represents a
possible compromise to security. Best practice would be a firewall
that runs on a dedicated, hardened platform. All the more reason to
look into hot-rodding your Linksys. :-)
Hope that helps,
-A
[1] Apparently Linksys was using GPL'd Linux code without attribution;
after acquiring the company, Cisco noted this during a code review and
published the source shortly thereafter. Hackers wasted no time in
doing the rest. Thanks Linksys! ;-)
[2] Actually, there's even a way to hack these too--much less elegant,
but apparently it does work. See here:
http://linuxdevices.com/news/NS6352077661.html
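As an added illustration of the port-forwarding question and of the "nothing but a firewall on the firewall box" advice above (this is not code from the thread or from the DD-WRT project), here is the shape of the iptables rules a DD-WRT firewall script needs so that mail, web and ftp reach an internal server while the router's own daemons stay reachable only from the LAN. The interface names vlan1 (WAN) and br0 (LAN bridge) and the server address 192.168.1.10 are assumptions; without APPLY=1 the script only prints the rules so they can be reviewed before use.

```shell
#!/bin/sh
# Constructed DD-WRT-style firewall script (not from the thread or the DD-WRT project).
# Assumptions: vlan1 = WAN port, br0 = LAN bridge, 192.168.1.10 = internal mail/web/ftp server.
WAN_IF="${WAN_IF:-vlan1}"
LAN_IF="${LAN_IF:-br0}"
SERVER="${SERVER:-192.168.1.10}"

# With APPLY=1 the rules are applied; otherwise they are printed for review.
rule() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Forward one public port to the same port on the internal server:
# DNAT in nat/PREROUTING rewrites the destination, FORWARD must then allow it.
forward_service() {
  proto=$1; port=$2
  rule -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
       -j DNAT --to-destination "$SERVER:$port"
  rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER" -p "$proto" --dport "$port" \
       -m state --state NEW -j ACCEPT
}

firewall_rules() {
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
  # The router's own daemons (ssh, web admin) answer only on the LAN side;
  # nothing listening on the box itself is exposed to the WAN.
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -i "$LAN_IF" -j ACCEPT
  rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -i "$WAN_IF" -j DROP
  # LAN hosts may go out; replies and related connections may come back in.
  rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # Only the services the internal server actually offers are forwarded.
  forward_service tcp 25   # SMTP
  forward_service tcp 80   # HTTP
  forward_service tcp 21   # FTP control channel; active-mode data connections also
                           # need the ip_conntrack_ftp / ip_nat_ftp helpers loaded
}

firewall_rules
```

Traffic from the LAN to the server's public address is not redirected by these rules; LAN clients should use the server's internal address directly.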