bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Sun Mar 04, 2007 10:16 pm Post subject: [hiatus] routoo - gentoo router distro
Hello,
I've always wanted to make a Gentoo router distro similar to Smoothwall, but I'm not really a coder. I guess what I'm really asking for is help.
Idea plotline:
1) take a copy of the portage tree, and strip out all GUI stuff, all non-networking apps, basically... a lot.
2) build a web interface.
3) keep our tree working, and build special USE flags for add-on options like QoS, squid, snort, and whatnot.
Any takers? I can run the website and the rsync server, if anyone is interested in taking on such a feat.
Cheers
Edit: please see page 3 regarding hiatus information.
_________________
goodbye fgo. it was nice knowing you.
Last edited by bunder on Thu May 24, 2007 11:18 am; edited 1 time in total

TheCoop Veteran
Joined: 15 Jun 2002 Posts: 1814 Location: Where you least expect it
Posted: Sun Mar 04, 2007 11:33 pm
Having gcc (and hence Gentoo) on an internet-accessible router is a baaaad move. At least have a hardware firewall (i.e. a Linksys-esque router) between it and the Big Bad Internet.
You can already have a Gentoo router system - use the 'server' profile (which doesn't have X & other unneeded USE flags set), set which flags you do need, do an emerge --depclean to remove everything you don't need, then install shorewall or whatever & configure it correctly.
_________________
95% of all computer errors occur between chair and keyboard (TM)
"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler
Change the world - move a rock
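The "install shorewall or whatever & configure it correctly" step in the post above is where a router build usually goes wrong. As an added example (not code from the thread or from any of the posters), the script below writes a minimal Shorewall 3.x configuration for a two-NIC router, eth0 facing the net and eth1 facing the LAN, where ssh, the web interface and DNS on the router are reachable from the LAN zone only and everything arriving from the net is dropped. It also carries a small lint that rejects a policy table which ACCEPTs from the net zone, shown against a constructed weak policy. Interface names, zone names, the rule-file directory and the ports opened towards the router are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of the posters: a
# minimal Shorewall 3.x configuration for a two-NIC router (eth0 to the
# net, eth1 to the LAN), plus a lint for the policy file. Interface names,
# zone names and the ports the LAN may reach on the router are assumptions.

# Write the Shorewall tables into directory $1 (normally /etc/shorewall).
# shorewall.conf is not written here; a router also needs IP_FORWARDING=On
# and STARTUP_ENABLED=Yes in it.
routoo_write_shorewall() {
    d=$1
    mkdir -p "$d"
    cat > "$d/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    # Anti-spoofing options go on the untrusted side.
    cat > "$d/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
EOF
    # Default policies. Shorewall takes the first match, so the net->all DROP
    # must sit above the catch-all and nothing may ACCEPT from net above it.
    cat > "$d/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Exceptions to the policies: ssh, the web UI and DNS on the router are
    # reachable from the LAN zone only; nothing is opened towards net.
    cat > "$d/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      tcp     443
ACCEPT  loc     fw      tcp     53
ACCEPT  loc     fw      udp     53
ACCEPT  loc     fw      icmp    8
EOF
    # Masquerade the LAN behind the net interface's address.
    cat > "$d/masq" <<'EOF'
#INTERFACE  SUBNET
eth0        eth1
EOF
}

# The weak setting the lint is meant to catch, as a constructed example:
# a "temporary" ACCEPT from net that sits above the catch-all.
routoo_weak_policy() {
    cat > "$1" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
net     all     ACCEPT          # "just until the web UI works"
all     all     REJECT  info
EOF
}

# Exit 0 if no policy ACCEPTs traffic whose source is net (or all) and an
# explicit DROP/REJECT catch-all for net exists; exit 1 otherwise. Comments
# and blank lines are ignored. This checks the policy table only;
# "shorewall check" still validates the whole configuration.
routoo_policy_lint() {
    sed 's/#.*//' "$1" | awk '
        NF < 3 { next }
        { src = $1; dst = $2; pol = toupper($3) }
        (src == "net" || src == "all") && pol == "ACCEPT" { bad = 1 }
        (src == "net" || src == "all") && dst == "all" &&
            (pol == "DROP" || pol == "REJECT") { catchall = 1 }
        END { exit (bad || !catchall) ? 1 : 0 }'
}
```

The lint is deliberately stricter than Shorewall itself: Shorewall would happily compile `net all ACCEPT`, which is exactly why a router build script should refuse it before `shorewall start` ever runs.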

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Mon Mar 05, 2007 12:07 am
| TheCoop wrote: | Having gcc (and hence Gentoo) on an internet-accessible router is a baaaad move. At least have a hardware firewall (i.e. a Linksys-esque router) between it and the Big Bad Internet.
You can already have a Gentoo router system - use the 'server' profile (which doesn't have X & other unneeded USE flags set), set which flags you do need, do an emerge --depclean to remove everything you don't need, then install shorewall or whatever & configure it correctly. |
I hate to start an argument with you, but I don't feel having gcc on a router is any more insecure than having gcc on a server. Please take the FUD somewhere else. (I also never said whether or not bindist was a viable option, which I suppose it should be for minimal hardware setups.)
As for using the server profile, it's not good enough. Neither is preventing x11-*, kde-* and gnome-* from being synced. The reason for having a separate tree is to also ensure the add-ons work with each other.

TheCoop Veteran
Joined: 15 Jun 2002 Posts: 1814 Location: Where you least expect it
Posted: Mon Mar 05, 2007 12:13 am
What's wrong with having x11 ebuilds in the local portage tree you've got, if they're not installed?

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Mon Mar 05, 2007 12:15 am
| TheCoop wrote: | What's wrong with having x11 ebuilds in the local portage tree you've got, if they're not installed? |
They slow down portage, and even if I tell rsync to ignore them, some packages will still have mentions of them... which I don't want. I'd rather take my own tree and strip it down to nothing.

Monkeh Veteran
Joined: 06 Aug 2005 Posts: 1656 Location: England
Posted: Mon Mar 05, 2007 5:37 am
| TheCoop wrote: | Having gcc (and hence Gentoo) on an internet-accessible router is a baaaad move. |
How, exactly? gcc is a program. It's no danger unless people can, y'know, gain access to the machine and run it. At which point your security is compromised anyway.

vipernicus Veteran
Joined: 17 Jan 2005 Posts: 1462 Location: Your College IT Dept.
Posted: Mon Mar 05, 2007 6:18 am
A properly set up zimbra console is a necessity.
For security, go with the selinux profile.
Compile for size.
Use the ck-server kernel patch.
Grsecurity and PaX combo.
TUX web server.
_________________
Viper-Sources Maintainer || nesl247 Projects || vipernicus.org blog

Samoth Tux's lil' helper
Joined: 07 Jan 2006 Posts: 117 Location: NJ
Posted: Mon Mar 05, 2007 12:52 pm Post subject: Olrp?
I would wait till the Open Linux Router Project releases code and port that to Gentoo. It is supposed to do many of the things that you mentioned (configuration tool) and you will probably only have to do a little bit of work.
As a side-note, yes, Portage is slowed down by x11/kde/gnome stuff, but I don't see how you are going to remove everything from the tree (10800 ebuilds?).
Having GCC on a server is not a bad idea. You would have to have access to the server in order to do anything with it. OTOH, a problem I thought of is that (assuming you use antiquated hardware) it might take 6 hours for a, say, ssh vulnerability to be fixed due to compiling. You could of course fix this by distributing binpkgs, but it would still be a pain.
_________________
The Early Bird may get the worm, but the second mouse gets the cheese.

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Mon Mar 05, 2007 3:02 pm Post subject: Re: Olrp?
| Samoth wrote: | As a side-note, yes, Portage is slowed down by x11/kde/gnome stuff, but I don't see how you are going to remove everything from the tree (10800 ebuilds?).
Having GCC on a server is not a bad idea. You would have to have access to the server in order to do anything with it. OTOH, a problem I thought of is that (assuming you use antiquated hardware) it might take 6 hours for a, say, ssh vulnerability to be fixed due to compiling. You could of course fix this by distributing binpkgs, but it would still be a pain. |
I think it's worth the work. I'm gonna start tinkering with a copy of the tree and see how things end up.

Potato Bob n00b
Joined: 24 Jun 2004 Posts: 37
Posted: Sat Mar 17, 2007 12:32 am
Hmm... I'm actually doing something similar to this in my free time.

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Sat Mar 17, 2007 3:52 am
| Potato Bob wrote: | Hmm... I'm actually doing something similar to this in my free time. |
How's it coming along? I started stripping a copy of the tree down, but never really finished. I should be able to get back at it sometime this week.

AllenJB Veteran
Joined: 02 Sep 2005 Posts: 1282 Location: Ashford, Kent
Posted: Sat Mar 17, 2007 10:01 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| bunder wrote: | Hello,
I've always wanted to make a Gentoo router distro similar to Smoothwall, but I'm not really a coder. I guess what I'm really asking for is help.
Idea plotline:
1) take a copy of the portage tree, and strip out all GUI stuff, all non-networking apps, basically... a lot. |
This can be achieved really easily using rsync features. See http://gentoo-wiki.com/TIP_Exclude_categories_from_emerge_sync
| Quote: | 2) build a web interface. |
I'd be inclined to search for an existing project and use that - either outright or as a base to work from. Don't reinvent the wheel unnecessarily.
| Quote: | 3) keep our tree working, and build special USE flags for add-on options like QoS, squid, snort, and whatnot. |
What exactly do you want to add that Gentoo doesn't already do? Do you really need a whole distro to do this? In my view it might be far easier to simply create an overlay for Gentoo.
_________________
http://gentoo-wiki.com :: http://lug.org.uk :: http://www.linux.org/groups/ :: User Blogs

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5213
Posted: Sat Mar 17, 2007 10:19 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| AllenJB wrote: | | bunder wrote: | Hello,
I've always wanted to make a Gentoo router distro similar to Smoothwall, but I'm not really a coder. I guess what I'm really asking for is help.
Idea plotline:
1) take a copy of the portage tree, and strip out all GUI stuff, all non-networking apps, basically... a lot. |
This can be achieved really easily using rsync features. See http://gentoo-wiki.com/TIP_Exclude_categories_from_emerge_sync
| Quote: | 2) build a web interface. |
I'd be inclined to search for an existing project and use that - either outright or as a base to work from. Don't reinvent the wheel unnecessarily.
| Quote: | 3) keep our tree working, and build special USE flags for add-on options like QoS, squid, snort, and whatnot. |
What exactly do you want to add that Gentoo doesn't already do? Do you really need a whole distro to do this? In my view it might be far easier to simply create an overlay for Gentoo. |
1- I'd rather not remove entire categories of the tree if I can help it... unless it's like kde-*/gnome-*/x11-*.
2- No thanks... I'm not messing with some hacked version of webmin.
3- It's not that Gentoo doesn't do what I want it to... I want to make building a router easier, without having to wait for upstream to post patches or update versions of software used in the distribution. Also, having my own set of USE flags would allow for streamlining mods/addons/customizations, such as QoS or IPv6.
Cheers

aidanjt Veteran
Joined: 20 Feb 2005 Posts: 1096 Location: Rep. of Ireland
Posted: Sat Mar 17, 2007 11:10 am
| vipernicus wrote: | ...
TUX web server. |
TUX is a potential danger on a router of all things: any weakness in it exposes the entire kernel to remote attackers. Better to use lighttpd or some such instead.

aidanjt Veteran
Joined: 20 Feb 2005 Posts: 1096 Location: Rep. of Ireland
Posted: Sat Mar 17, 2007 11:11 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| bunder wrote: | 1- I'd rather not remove entire categories of the tree if I can help it... unless it's like kde-*/gnome-*/x11-*.
2- No thanks... I'm not messing with some hacked version of webmin.
3- It's not that Gentoo doesn't do what I want it to... I want to make building a router easier, without having to wait for upstream to post patches or update versions of software used in the distribution. Also, having my own set of USE flags would allow for streamlining mods/addons/customizations, such as QoS or IPv6.
Cheers |
If you had a router overlay up and running that would be great. A working hardened uClibc toolchain would be welcome.

AllenJB Veteran
Joined: 02 Sep 2005 Posts: 1282 Location: Ashford, Kent
Posted: Sat Mar 17, 2007 11:35 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| bunder wrote: | 1- I'd rather not remove entire categories of the tree if I can help it... unless it's like kde-*/gnome-*/x11-*. |
If you take a closer look, you can exclude individual packages too. You can also do neat tricks like exclude all packages in a given category, then tell it to only include certain ones.
| bunder wrote: | | AllenJB wrote: | | bunder wrote: | 2) build a web interface. |
I'd be inclined to search for an existing project and use that - either outright or as a base to work from. Don't reinvent the wheel unnecessarily. |
2- No thanks... I'm not messing with some hacked version of webmin. |
...because working on something you hacked up alone is so much better? This is open source. Use it! Stand on the shoulders of giants, or you'll just be stuck reinventing the wheel again.
| bunder wrote: | | AllenJB wrote: | | bunder wrote: | 3) keep our tree working, and build special USE flags for add-on options like QoS, squid, snort, and whatnot. |
What exactly do you want to add that Gentoo doesn't already do? Do you really need a whole distro to do this? In my view it might be far easier to simply create an overlay for Gentoo. |
3- It's not that Gentoo doesn't do what I want it to... I want to make building a router easier, without having to wait for upstream to post patches or update versions of software used in the distribution. Also, having my own set of USE flags would allow for streamlining mods/addons/customizations, such as QoS or IPv6. |
I don't see how that excludes you from using an overlay. You can do all of that using an overlay. I think you underestimate how flexible overlays allow you to be.
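AllenJB's two posts cover the mechanics (exclude whole categories from the sync, then re-include individual packages), and bunder's objection earlier in the thread is that the packages left behind still mention what was dropped. As an added example that is not from the thread, from the wiki tip linked above, or from Gentoo itself, the script below writes such an rsync rule file and then walks a tree of ebuilds to list every dependency atom that points at a dropped package. The rule-file path /etc/portage/rsync_excludes, the categories dropped and the package kept are assumptions, and the sample tree it builds is constructed, not real ebuilds. It relies on rsync honouring explicit `+ `/`- ` prefixes on the lines of an --exclude-from file; check the FILTER RULES section of man rsync for the version on your box.

```shell
#!/bin/sh
# Added example, not code from the thread, the wiki tip or Gentoo itself:
# write the rsync rule file for a stripped Portage tree, then check the
# ebuilds that remain for dependencies on packages that were dropped.
# The categories, the kept package and the rule-file path are assumptions.

# Categories dropped whole (the kde-*/gnome-*/x11-* set argued about in the
# thread) and packages kept although their category is dropped.
ROUTOO_DROP_CATS="kde-base gnome-base x11-base x11-libs"
ROUTOO_KEEP_PKGS="x11-libs/libX11"

# Write the rules to $1 and point make.conf at it:
#   PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
# rsync takes the first matching rule, so the "+" lines go first, and the
# exclude is "/cat/*" (the category's children) rather than "/cat/": an
# excluded directory is never entered, so a per-package include under it
# would never be consulted.
routoo_write_excludes() {
    out=$1
    : > "$out"
    for pkg in $ROUTOO_KEEP_PKGS; do
        printf '+ /%s/\n' "$pkg" >> "$out"
    done
    for c in $ROUTOO_DROP_CATS; do
        printf '%s /%s/*\n' - "$c" >> "$out"
    done
}

# Exit 0 if cat/pkg $1 survives the rules above, 1 if it is dropped.
routoo_kept() {
    for pkg in $ROUTOO_KEEP_PKGS; do
        [ "$pkg" = "$1" ] && return 0
    done
    for c in $ROUTOO_DROP_CATS; do
        [ "$c" = "${1%%/*}" ] && return 1
    done
    return 0
}

# Print "ebuild -> cat/pkg" for every dependency atom under tree $1 that
# points at a dropped package. Deliberately crude: it pulls cat/pkg tokens
# out of single-line DEPEND/RDEPEND/PDEPEND assignments and strips a
# trailing version, so multi-line dependency strings are missed. It is a
# smoke test for the complaint raised in the thread, not a dependency
# resolver; a dangling atom behind a USE conditional is reported as well.
routoo_dangling_deps() {
    tree=$1
    find "$tree" -name '*.ebuild' | LC_ALL=C sort | while read -r eb; do
        rel=${eb#"$tree"/}
        LC_ALL=C grep -E '^[RP]?DEPEND=' "$eb" |
            LC_ALL=C grep -E -o '[a-z0-9]+(-[a-z0-9]+)*/[A-Za-z0-9_+][A-Za-z0-9_.+-]*' |
            sed -E 's/-[0-9][0-9A-Za-z._]*(-r[0-9]+)?$//' |
            while read -r atom; do
                routoo_kept "$atom" || printf '%s -> %s\n' "$rel" "$atom"
            done
    done
}

# Constructed sample tree (not real Gentoo ebuilds): two kept packages whose
# dependencies partly point outside the stripped tree. Prints its path.
routoo_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/net-firewall/shorewall" "$t/net-misc/foo"
    printf 'DEPEND="net-firewall/iptables"\n' \
        > "$t/net-firewall/shorewall/shorewall-3.2.ebuild"
    printf 'RDEPEND=">=x11-libs/libX11-1.0 kde-base/kdelibs"\nDEPEND=">=gnome-base/gconf-2.0"\n' \
        > "$t/net-misc/foo/foo-1.ebuild"
    printf '%s\n' "$t"
}
```

Two caveats. Adding the rules does not remove what an earlier sync already put in /usr/portage: rsync with --delete leaves excluded paths on the receiving side alone unless --delete-excluded is also passed, so the dropped categories need deleting once by hand. And an atom reported by routoo_dangling_deps is only a real problem when the USE flags the router is built with actually pull it in; `X? ( x11-libs/libXt )` is listed just the same as an unconditional dependency.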

Potato Bob n00b
Joined: 24 Jun 2004 Posts: 37
Posted: Sun Mar 18, 2007 9:31 pm
| bunder wrote: | | Potato Bob wrote: | Hmm... I'm actually doing something similar to this in my free time. |
How's it coming along? I started stripping a copy of the tree down, but never really finished. I should be able to get back at it sometime this week. |
It's coming along slowly atm; unfortunately I don't get as much free time as I would like to. At the moment I am focusing on the web interface, which is written from scratch in PHP (I should have used Perl, but the reason I started this project was to spend some time with PHP). I've decided to target high-end hardware, so the general setup is a configuration backend which handles the jailed services. Being that all configuration is done from a backend daemon, multiple clients can be implemented (web, cmd, desktop).
Basically it is a mixture of the Astaro firewall distro and the ClarkConnect server/gateway distro. I am still not sure whether to keep portage intact (bye bye gentoo), but probably limit it to only approved packages to keep the system stable and manageable by the config backend.
This pretty much goes beyond Gentoo, becoming a distro of its own.

steveL Veteran
Joined: 13 Sep 2006 Posts: 1441 Location: The Peanut Gallery
Posted: Mon Mar 19, 2007 10:36 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| bunder wrote: | I've always wanted to make a Gentoo router distro similar to Smoothwall, but I'm not really a coder. I guess what I'm really asking for is help.
1) take a copy of the portage tree, and strip out all GUI stuff, all non-networking apps, basically... a lot.
2) build a web interface.
3) keep our tree working, and build special USE flags for add-on options like QoS, squid, snort, and whatnot.
Any takers? I can run the website and the rsync server, if anyone is interested in taking on such a feat. |
I'm up for it! ;) I can code most langs; no experience of Perl though, apart from glancing at code. Just spent 6 weeks learning bash (with a little help ;)), which is handy for a Gentoo-based distro.
I would use RSYNC_EXCLUDES as suggested by others to make our local tree, which can be used as the rsync source.
Anyone else wanna join in? I'm dying to show ciaranm that actually some of the `peanut-gallery' are quite capable. I'd also love to do a Gentoo-based distro.

aidanjt Veteran
Joined: 20 Feb 2005 Posts: 1096 Location: Rep. of Ireland
Posted: Mon Mar 19, 2007 10:47 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| steveL wrote: | I would use RSYNC_EXCLUDES as suggested by others to make our local tree, which can be used as the rsync source. |
I'd be inclined not to do that; some of the router stuff is broken (hardened uClibc stuff especially). There's a lot of other base network tools that are also broken with any hardened toolchain (iproute2 for e.g. is broken, period). It would be better to branch and improve, submit fixes to b.g.o for application to the main tree, but as it stands, the gentoo-portage tree isn't in a good shape for this application.

steveL Veteran
Joined: 13 Sep 2006 Posts: 1441 Location: The Peanut Gallery
Posted: Mon Mar 19, 2007 10:58 am Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| AidanJT wrote: | | steveL wrote: | I would use RSYNC_EXCLUDES as suggested by others to make our local tree, which can be used as the rsync source. |
I'd be inclined not to do that; some of the router stuff is broken (hardened uClibc stuff especially). There's a lot of other base network tools that are also broken with any hardened toolchain (iproute2 for e.g. is broken, period). It would be better to branch and improve, submit fixes to b.g.o for application to the main tree, but as it stands, the gentoo-portage tree isn't in a good shape for this application. |
I hear what you're saying about some of the ebuilds; I don't see how that means we shouldn't use the portage tree. After all, if we had issues with an ebuild not working, we'd submit our patches to Gentoo. What's the issue?

aidanjt Veteran
Joined: 20 Feb 2005 Posts: 1096 Location: Rep. of Ireland
Posted: Mon Mar 19, 2007 2:02 pm Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| steveL wrote: | I hear what you're saying about some of the ebuilds; I don't see how that means we shouldn't use the portage tree. After all, if we had issues with an ebuild not working, we'd submit our patches to Gentoo. What's the issue? |
If upstream breaks an ebuild, it breaks the system; gentoo-portage isn't stable and tested well enough for this purpose. Routers need to be rock solid stable.

steveL Veteran
Joined: 13 Sep 2006 Posts: 1441 Location: The Peanut Gallery
Posted: Mon Mar 19, 2007 3:44 pm Post subject: Re: routoo - gentoo router distro - ideas and suggestions
| AidanJT wrote: | If upstream breaks an ebuild, it breaks the system; gentoo-portage isn't stable and tested well enough for this purpose. Routers need to be rock solid stable. |
Sure, and we'd spot that in testing.

thedangerouscrew Tux's lil' helper
Joined: 03 Nov 2004 Posts: 98
Posted: Mon Mar 19, 2007 9:24 pm
I always wanted something like this. My idea is to use Shorewall and Webmin to accomplish this.
As far as portage goes, I'm going to worry about it after I have my proof of concept done. I'll be starting my attempt tonight.
_________________
http://www.welcome-to-planetx.com

steveL Veteran
Joined: 13 Sep 2006 Posts: 1441 Location: The Peanut Gallery
Posted: Mon Mar 19, 2007 10:23 pm
++thedangerouscrew

Potato Bob n00b
Joined: 24 Jun 2004 Posts: 37
Posted: Tue Mar 20, 2007 2:48 am
| thedangerouscrew wrote: | I always wanted something like this. My idea is to use Shorewall and Webmin to accomplish this.
As far as portage goes, I'm going to worry about it after I have my proof of concept done. I'll be starting my attempt tonight. |
Kinda pointless when you can just create a quick hardened GNAP install with webmin and shorewall.