2. How and where to deploy

The Linksys BEFSR41, BEFW11, WRT54G and their siblings are designed to be used as gateway boxes on a home Ethernet. Typically, you'll hook one up to a DSL or cable modem, which will automatically switch into bridge mode and simply pass packets between your ISP's router and the Linksys box.

If you want to use a general-purpose PC running Linux as a firewall, have fun — but these little boxes are more efficient. The nicest thing about them is that they run out of firmware and, assuming you take the elementary precautions we describe, are too stupid to be cracked. Also, they don't generate fan noise or heat. Finally, they run Linux inside and can be customized and hacked in useful ways.

Linksys boxes used to have a good reputation for reliability. Something bad happened to their quality control after Cisco acquired the company in March 2003; I had two go silently dead on me in less than a year, and I heard grumbling from others about similar problems. Unfortunately when I tried other low-end brands (Belkin, Buffalo) they proved to have gross design errors. The Belkin had brain-damage in its firewall rules that interfered with local SMTP, and the Buffalo intermittently refused connections for no apparent reason. So I went back with Linksys, hoping my WRT54G wouldn't turn into a doorstop within a couple of months. As of mid-2006, I've been OK for about 24 months.

(Building one of these puppies is not rocket science. I can only conjecture that the competitive pressure is driving the manufacturers to cut costs to the bone by hiring programmers out of the bottom of the barrel and having the manufacturing done by some low-end contract house in Indonesia or somewhere. The results, alas, tend to be unstable crap. Caveat emptor.)

Note another consequence of the Cisco acquisition: Linksys is now what marketers call a flank guard, a low-end brand designed to protect the margins and brand image of Cisco's commercial-grade networking products. This means that Linksys boxes are no longer acquiring new firmware features, and some old ones like stateful packet inspection almost certainly won't be coming back. Provided you can live within these limits, this is actually good; simpler firmware is more stable firmware. And, in any case, the open-source replacement firnwares can give you back the features abd complexity if you want them.

At minimum, a live Linksys box will do the following things for you:

  1. Act as an Ethernet router. You can plug all your lines and hubs and hosts into it to exchange packets even when your outside link is down.

  2. Act as a smart gateway. When you configure the Linksys with a public static IP address (or tell it to grab a dynamic IP address from your ISP at startup time), it will gateway between hosts on your private network and the Internet, performing all the IP masquerading and address translation required to route your traffic.

  3. Firewall your connection. You can tell it to block out all but the minimum sevice channels you need. You can specify separately, for each service, to which of your internal machines the traffic should be routed.

I give my Linksys box the standard private-network gateway address, I then give all my boxes 192.168.1.x addresses and tell them the Linksys is their gateway. Everything works.