The general home network setup is like this:

Below are my thoughts on how to improve the network setup. You can stop here if you like.

The above is an undesirable setup. This may not be obvious at first, until you realise that chrysanthemum is my personal machine, which also has to double as NAT gateway, DHCP server, web proxy, &c., all of which put it at greater risk of attack.

I try to minimise the risk by making services listen on the internal interface only, and by having my packet filter reject requests to those services that cannot be configured to bind to a single interface. This is more or less a contingency plan in case pohutukawa is compromised. (The DSL router forwards incoming connections only to pohutukawa, so outsiders cannot reach chrysanthemum directly, in theory.)

A more ideal setup would be like this:

The only problem is that I don't currently have enough machines for this (I want my personal machine to be behind the firewall, not to be the firewall). As such, I'm looking to acquire a low-end machine for this purpose.

The hypothetical gateway machine can be a mere Pentium, and requires just three PCI slots (two network cards, and one internal DSL modem). (Remember, I'm going for cheap hardware, which is why this is focussed on PC hardware.)

(I've finally got around to upgrading pohutukawa to a Celeron 1000. Readers who are wondering about what is happening to the 486 that I mentioned in the previous revision of this document will be pleased to know that it's not going to waste; I intend to turn it into a games machine.)

Note that I'm set on getting rid of the hardware DSL router. I want some control over the NAT process: the current DSL router assigns external ports sequentially, which makes them easy to predict, whereas OpenBSD's pf picks them at random; the router provides no programmatic way of querying the NAT connection map (essential for the proper functioning of NAT-aware ident daemons); it has no IPv6 support; and so on.
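To make the gateway idea concrete, here is an added example of the kind of pf.conf the proposed OpenBSD gateway would carry. It is not the page's own configuration: the interface names, the 192.168.1.0/24 addressing, and the services forwarded to pohutukawa (SSH and HTTP) are assumptions. It covers both points above: only pohutukawa is reachable from outside, so the gateway's own daemons are protected by the filter even when they cannot be bound to one interface, and outbound NAT gets random external ports and a queryable state table. The rules are in OpenBSD 4.7+ syntax; older releases spell the translation rules as `nat on ...` and `rdr on ...` instead of `match`/`pass` with `nat-to`/`rdr-to`.

```pf
# Added example, not the page's own configuration. Interface names, addresses
# and forwarded ports are assumptions; adjust them to the real machines.
ext_if = "rl0"               # NIC facing the DSL modem (pppoe0 if it is a PPPoE link)
int_if = "rl1"               # NIC facing the LAN
lan    = "192.168.1.0/24"
pohutukawa = "192.168.1.2"   # the one host that accepts connections from outside

set skip on lo

# Default deny, logged. Every rule below is an exception to this.
block log all

# Outbound NAT for the LAN. pf chooses the external source port at random
# unless "static-port" is given, so external ports are not predictable the
# way the DSL router's sequential assignment is.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Only pohutukawa is reachable from the Internet: redirect the services it
# offers (assumed to be SSH and HTTP) and nothing else. No rule passes traffic
# to the gateway's own address on $ext_if, so a daemon that cannot be bound
# to $int_if alone is still unreachable from outside.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22, 80 } rdr-to $pohutukawa

# Traffic from the LAN may be forwarded, but the gateway itself offers only
# DNS and DHCP to the LAN: if pohutukawa is compromised, the attacker still
# cannot reach anything else the gateway runs.
pass in on $int_if inet from $lan to ! $int_if
pass in on $int_if inet proto { tcp, udp } from $lan to $int_if port 53
pass in on $int_if inet proto udp from any port 68 to any port 67

# IPv6 needs no NAT; the gateway routes and filters it. ICMPv6 must be
# allowed on both interfaces for neighbour discovery and path MTU discovery
# to work. Rules for pohutukawa's global address go here once a prefix is
# delegated (and net.inet6.ip6.forwarding=1 is set alongside
# net.inet.ip.forwarding=1 in /etc/sysctl.conf).
pass in inet6 proto ipv6-icmp

# The gateway and the LAN may connect out anywhere; state is kept for replies.
pass out

# Check the syntax before loading:    pfctl -nf /etc/pf.conf
# Load the ruleset:                   pfctl -f /etc/pf.conf
# Show the state table (original and translated addresses and ports of each
# NAT'd connection, which is what a NAT-aware identd consults):
#                                     pfctl -s state
```

The last-matching-rule semantics of pf are what make `block log all` followed by narrow `pass` rules safe: a packet matches the block first and is only let through if a later rule is more specific to it. If the NAT-aware identd on pohutukawa is to look up translations it will need to ask the gateway (the state table lives there, not on the host behind it), which is a small script around `pfctl -s state` rather than anything the DSL router could have offered.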

Ideally, any required drivers for the DSL modem would be open-source; failing that, its specifications should be available. As a last resort, I can reverse-engineer the driver code and write an OpenBSD implementation.