Difference between revisions of "Build your own Advanced Open Source Linux Router Firewall"
(Created page with "= Purpose = My co-worker didn't trust his existing router firewall. Why should you? Additionally, he wanted to monitor hardware on his internal network. For example, this dev...")
Latest revision as of 18:57, 30 July 2019
My co-worker didn't trust his existing router firewall. Why should you?
Additionally, he wanted to monitor hardware on his internal network. For example, this device can help verify a Synology NAS has benign behavior (or not).
To that end I built this project code named Cervin, which is the French/Swiss name for Matterhorn.
Prices as of 2016-03-11
- Motherboard & Processor - Jetway NF9HQL-525 Atom D525 Quad-LAN Thin Mini-ITX Motherboard, DC Power Onboard - $189.00
- RAM - Crucial 4GB Kit (2GBx2) DDR3/DDR3L 1066 MT/s (PC3-8500) SODIMM 204-Pin Mac Memory CT2K2G3S1067M / CT2C2G3S1067M - $32.50
- SSD Hard Drive - Premier Pro SP310 SATA 6Gb/s mSATA Solid State Drive ASP310S3-64GM-C - $37.99
- Enclosure - M350 Universal Mini-ITX PC enclosure PicoPSU compatible - $38.95
- Power Supply - Sabrent AD-LCD12 LCD Monitors 12V 6A 72W AC Adapter Power Supply $8.80
Hardware Total cost before S/H: $307.24
Used Rufus to write ISO image to bootable USB media.
- IPTables rule set with anti-port scan, trip port, restrict, and watch features.
- Restrict feature allows you to restrict hosts on the internal network from reaching the internet.
- Watch feature allows you to monitor untrusted hardware on your internal network to see its' behavior. This can be analyzed in ELK Stack.
- DNS Server for name resolution & local DNS cache (i.e. faster resolution for commonly accessed sites)
- DHCP Server for dynamic IP address leasing
- QoS traffic shaping
- Openvpn in bridged mode
- IDS using Suricata, Barnyard2, and Snorby
- ELK Stack for log analytics
- Automated updates
- Menu to edit configuration
- Support for VLAN Tagging for use with Centrylink FTTH (VLAN 201)
- Better support for IPv6
- Variablize parameters so Menu configuration can make changes that descend through all configurations (e.g. Only need to make a single change for an IPAddress and changes reflect in interfaces file, firewall script, and Unbound DNS configuration).
- ELK Stack was disabled when IDS was enabled. Both are resource intensive (ELK Stack more so). Thus, it makes sense to have the router ship the files using FileBeat to a remote ELK instance with a lot of horsepower. I have not yet built or documented this configuration.
- Installing and configuring Openvpn in bridged mode
- Installing and configuring ELK Stack (ElasticSearch, Logstash, Kibana) for iptables
- Installing and Configuring Exim4 for Gmail SMTP Relay
- Installing and Configuring Suricata+Snorby+Barnyard2 - ELK Stack was disabled when IDS was enabled.
Once built, the default fan configuration for this device is set to be rather noisy. To fix this, enter the BIOS (DEL key at boot) -> PC Health Status -> Smart FAN Configurations -> CPUFAN Smart Mode Enable -> ESC and Save & Exit Setup.