Author: onefang
Date:
To: dng
Subject: Re: [DNG] What are you using for a firewall/router
On 2024-05-02 19:48:06, Simon wrote:
> onefang <onefang_devuan@???> wrote:
>
> >> In the past, I’ve run a Debian box (pre-systemd) and Shorewall.
> >> However, Shorewall is fundamentally linked to iptables which has been replaced by nftables. AIUI there are no plans to rewrite it for nftables, so for now it carries on using the iptables compatibility layer to take iptables commands.
> >>
> >> At some point I’ll be needing to consider alternatives ...
> >
> > I'm in the same position, using Shorewall and soon to be considering
> > nftables based alternatives. "Just use plain nftables" is on the table.
>
> Indeed, with a bit of thought and learning it’s possible to do it at that level. But, for the benefit of those who haven’t worked with Shorewall, that abstracts things in such a way that you can do complicated things in a much nicer way - without abstracting to the point where features start becoming impossible to use.
Well, I am your typical graybeard, and I'm really good at learning complex
computer technology. I'll learn a programming language in an hour, so
I'll have no problem learning raw nftables. But yes, a nicer, easier-to-use
system that is still able to deal with complex things would be
great. Non-graphical, so I can switch my servers to it as well.
As for what I use outside of the computer...
Here in Australia we have what's called the nbn (yes, they re-branded to
all lower case), the "national broadband network": a government-created
company that is responsible for wiring up the nation with broadband.
It tends to be FTTP, FTTC, FTTN, or HFC. Out in the bush you can get nbn
satellite. The various ISPs then sell services on those.
The nbn equipment usually comes with the buildings, and is owned by nbn,
so has to be left in the building when you move out. That equipment has
one to four Ethernet ports for hooking up to routers. You can get a
different ISP on each Ethernet port.
I've had Fibre To The Bedroom in the past.
I've had to move four times since the beginning of last year: FTTC, HFC,
4G mobile, and now HFC again. Though the mobile one was shared over WiFi from an
ISP-supplied WiFi router. But that was a crap ISP; things didn't work
well. I knew I wasn't gonna be there for long, so I bought a tp-link
TL-MR6400 4G router, which could also handle Ethernet from whatever
random nbn modem I would find in the next place, and as a bonus I
wouldn't have to worry about getting Internet connected straight away: 4G
is mobile, it goes with me.
I believe it uses a modified version of DD-WRT, and their web site says
I can convert it to proper DD-WRT, which I intend to do once the dust
has settled from this last move.
Three things worry me about what I suspect are additions by tp-link.
There's some sort of ISP management system built in, but I think that's
coz they sell this same model to ISPs. There's a place to add some sort
of tp-link account, no idea what that does, I never set one up.
Worst of all, some pages in the built-in configuration system will do
a DNS lookup of what looks like a Microsoft domain. Those pages will do
that automatically to test if the connection is up. Yesterday the
Internet was failing outside of the ISP's CNAT. My router could get an
IP, but nothing beyond that would respond. Yet that test DNS lookup
would work, and the router declared that the Internet was working.
Traceroutes begged to differ. Unless the DNS resolver their CNAT told me
to use was inside the CNAT system; but still, it failed at "Internet is
up": it wasn't. Not to mention I'd love to NOT have it checking with
Microsoft, but there's no way to tell it to use some other domain.
So switching to raw DD-WRT sounds even better now that I know these
things, but I had checked I could before buying it, since that was the
plan all along. The original plan wasn't specific to DD-WRT, any other
well known open source router firmware would suffice. Even if that
Microsoft check is still part of raw DD-WRT, I can change the source
code.
Hell I recently found out Firefox-ESR checks every URL with Google, but
at least I could disable that, by changing every single Google URL in the
advanced configuration to something else. Do I have to block Google at
the firewall next?
--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
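Since the thread is weighing "just use plain nftables" against Shorewall's zone abstraction, here is an added example of what a minimal stateful router ruleset looks like in raw nft syntax. It is not from the post above or from the Shorewall or DD-WRT projects; the interface names (eth0 as WAN, eth1 as LAN), the LAN subnet, and the services the router offers on the LAN side (SSH, DNS, DHCP) are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal stateful home-router ruleset in plain nftables.
# Assumptions (not from the list post): WAN is eth0, LAN is eth1, the LAN
# is 192.168.1.0/24, and this box serves SSH, DNS and DHCP to the LAN only.

flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and replies to connections the router itself started.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path-MTU discovery; ICMPv6 for neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services offered to the LAN side only; nothing is opened on the WAN.
        iifname $LAN tcp dport { 22, 53 } accept
        iifname $LAN udp dport { 53, 67 } accept

        # Unsolicited WAN traffic falls through to the drop policy; log a
        # rate-limited sample so a scan cannot fill the journal.
        iifname $WAN limit rate 5/minute log prefix "nft-wan-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may reach the WAN; nothing unsolicited is forwarded back in.
        iifname $LAN oifname $WAN accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade LAN sources leaving on the WAN interface.
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -f router.nft` (after `sysctl -w net.ipv4.ip_forward=1`, or forwarding is silently refused) and inspect the result with `nft list ruleset`; `nft -c -f router.nft` syntax-checks without touching the kernel. The trade-off Simon describes is visible here: every rule names interfaces and addresses directly, and there are no zones, so a second LAN or a DMZ means more rules rather than another line in a zone file.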