[TriLUG] Slightly-OT: Firewalls
matt at noway2.thruhere.net
Mon Apr 18 21:23:37 EDT 2011
On Mon, 2011-04-18 at 22:22 +0000, Alexey Toptygin wrote:
> On Mon, 18 Apr 2011, Jonathan Woodbury wrote:
> > I'm a big fan of using commodity hardware for firewalls and routers.
> > I personally haven't gotten into a distribution purpose built for this
> > task. Everything I've done has been using Debian and its standard
> > repository of packages, usually iptables/ip6tables, radvd, racoon,
> > ipsec-tools, openvpn, tc, and ntop. The performance was great, the
> > feature set was enormous, and I could back up, monitor, and manage the
> > device just like all the other Linux servers in my network.
> This is what I do as well. I usually also run bind for DNS recursion, ISC
> dhcpd3 for handing out DHCP leases, and hostapd and bridge-utils for
> WLANs. Now that I'm familiar with these tools, I find it only takes a few
> hours to whip up a new system from spare parts.
First, I would like to thank everyone for their input. I hadn't
considered using a PC for this purpose and didn't even realize that
there are distributions dedicated to this purpose.
This last response is making me wonder about the feasibility of using
one of the existing servers as the firewall in addition to its other
functions (email and web). I have the two servers already working as
DHCP and DNS servers, backing each other up. The traffic load is such
that on average I am using a fraction of one percent of the server
capability. (On the one machine I may increase the memory a little bit,
but in sheer throughput it isn't even sweating). It looks like the
requirements are rather modest. pfSense calls for 200MHz processor and
128Mb of memory. ClearOS is a little more intensive suggesting a 1 Gig
processor with 512Mb-1Gig of ram for 5-10 years. It points out that
intrusion detection is a little intensive, so it may not be wise to run
snort on the same machine as the firewall.
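As an added example, not part of the thread or anyone's posted configuration: a minimal stateful IPv4 ruleset of the kind the posters describe, for a Debian box that routes between a LAN and a WAN interface and also hands out DHCP and DNS to the LAN. The interface names (eth0/eth1) and the 192.168.1.0/24 network are assumptions; it defaults to a dry run that prints the iptables commands so the ruleset can be reviewed before it is applied to a live router.

```shell
#!/bin/sh
# Added example: stateful firewall/router ruleset for a Debian box with iptables.
# Interface names and LAN network are assumed; override via environment.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample network
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = apply them

# ipt: print or execute one iptables command, so the full ruleset can be
# reviewed (DRY_RUN=1) before it touches the running kernel (DRY_RUN=0).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Clean slate, default-deny for traffic to and through the box;
    # traffic originating from the box itself is allowed out.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections the box or the LAN initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Drop packets the connection tracker cannot place (stray ACKs, etc.).
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Services the router offers to the LAN only. DHCP DISCOVER arrives with
    # source 0.0.0.0, so it is matched on interface alone, not on LAN_NET.
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source never arrive on the WAN side.
    ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # LAN hosts may open new connections outward; source-NAT them on the WAN.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Log what falls through to the default DROP policies, rate-limited.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# rule_count: number of iptables commands the ruleset issues (always dry run).
rule_count() {
    DRY_RUN=1 build_ruleset | grep -c '^iptables '
}

# Turn on routing only when really applying, never during a dry-run review.
[ "$DRY_RUN" = "1" ] || sysctl -w net.ipv4.ip_forward=1
build_ruleset
```

Run it as-is to see the commands, then `DRY_RUN=0 sh firewall.sh` as root to apply them. The same structure carries over to ip6tables for the IPv6 side (minus the NAT table), and the LOG rules feed syslog, which is where the machine's existing monitoring already looks.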