[TriLUG] Slightly-OT: Firewalls
Warren Myers
volcimaster at gmail.com
Mon Apr 18 22:20:46 EDT 2011
Personally, when I've wanted to run something like this at home or in
a lab, I've used m0n0wall (http://m0n0.ch).
On Monday, April 18, 2011, Matt Pusateri <mpusateri at wickedtrails.com> wrote:
> Pfsense is nice for the beginner, but if you need to do things like views for internal and external DNS, it can't be done easily. The problem I had with Pfsense is that I've already run firewall (IPFW, PF), DNS, DHCP, OpenVPN on FreeBSD boxes from scratch, so moving to Pfsense was actually harder for me. I didn't find some of their lingo in the UI intuitive. I was using a 2.0 beta CD though, so it may have been that. But I think it is a good system for the beginner that just wants to pop a CD in and have it do most things for you. The OP should definitely be able to run DHCP, DNS, VPN, and Firewall on his existing servers from the sounds of it, whether he uses something like Pfsense or adds the appropriate bits to his existing servers.
>
> Matt P.
>
> On Apr 18, 2011, at 9:40 PM, Ron Kelley wrote:
>
>> For what it's worth, pfSense has both DNS and DHCP functions built-in. And, you *can* run snort as long as you have enough horsepower. As mentioned before, I have a *few* pfSense firewalls running in the field that easily handle firewall + ipSec + DNS + DHCP + RRD graphing + SNMP + ... With the right hardware, you can even configure your pfSense box to become a wireless access point.
>>
>> For me, the biggest advantage of pfSense is usability. Once you understand how to configure firewall rules, configuring VIPs, site-to-site ipSec connections, failover pfSense boxes, DDNS, etc. become a snap. Plus, there are a ton of add-on packages for pfSense including snort, haproxy, squid proxy, country block, FreeSwitch, ...
>>
>> I used to strictly be a Cisco ASA person until I found pfSense. Now, I must have a very convincing argument to get a Cisco ASA instead of a pfSense box.
>>
>>
>> Oh, did I mention pfSense is free?
>>
>> -Ron
>>
>> On Apr 18, 2011, at 9:23 PM, Matt Flyer wrote:
>>
>>> On Mon, 2011-04-18 at 22:22 +0000, Alexey Toptygin wrote:
>>>> On Mon, 18 Apr 2011, Jonathan Woodbury wrote:
>>>>
>>>>> I'm a big fan of using commodity hardware for firewalls and routers.
>>>>> I personally haven't gotten into a distribution purpose built for this
>>>>> task. Everything I've done has been using Debian and its standard
>>>>> repository of packages, usually iptables/ip6tables, radvd, racoon,
>>>>> ipsec-tools, openvpn, tc, and ntop. The performance was great, the
>>>>> feature set was enormous, and I could backup, monitor, and manage the
>>>>> device just like all the other Linux servers in my network.
>>>>
>>>> This is what I do as well. I usually also run bind for DNS recursion, ISC
>>>> dhcpd3 for handing out DHCP leases, and hostapd and bridge-utils for
>>>> WLANs. Now that I'm familiar with these tools, I find it only takes a few
>>>> hours to whip up a new system from spare parts.
>>>>
>>>> Alexey
>>>
>>> First, I would like to thank everyone for their input. I hadn't
>>> considered using a PC for this purpose and didn't even realize that
>>> there are distributions dedicated to this purpose.
>>>
>>> This last response is making me wonder about the feasibility of using
>>> one of the existing servers as the firewall in addition to its other
>>> functions (email and web). I have the two servers already working as
>>> DHCP and DNS servers, backing each other up. The traffic load is such
>>> that on average I am using a fraction of one percent of the server
>>> capability. (On the one machine I may increase the memory a little bit,
>>> but in sheer throughput it isn't even sweating). It looks like the
>>> requirements are rather modest. pfSense calls for 200MHz processor and
>>> 128Mb of memory. ClearOS is a little more intensive suggesting a 1 Gig
>>> processor with 512Mb-1Gig of ram for 5-10 years. It points out that
>>> intrusion detection is a little intensive, so it may not be wise to run
>>> snort on the same machine as the firewall.
>>>
>>> --
>>> This message was sent to: Ron Kelley <rkelleyrtp at gmail.com>
>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/rkelleyrtp%40gmail.com
>>> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
--
Warren Myers
http://warrenmyers.com
http://twitter.com/volcimaster
http://www.linkedin.com/in/warrenmyers
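Matt P. mentions "views for internal and external DNS" as the kind of thing a from-scratch BIND box handles and a point-and-click firewall distro does not. Added here as an illustration (this is not configuration from the thread or from any poster), this minimal BIND 9 named.conf assumes a LAN of 192.168.1.0/24 and a placeholder zone example.com; the internal view serves private records and recursion to LAN clients only, while the external view serves the public zone without recursion, so the server cannot be used as an open resolver.

```bind
// Added example, not from the thread. LAN range, zone name and
// file paths are assumed placeholders.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { any; };
    allow-transfer { none; };   // no zone transfers to anyone by default
    // recursion is decided per view below, not globally
};

// Views are matched in order: LAN clients hit this one first and get
// the full internal zone (private addresses) plus recursive service.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
    zone "." { type hint; file "/etc/bind/db.root"; };  // needed for recursion
};

// Everyone else falls through to the external view: authoritative
// answers for the public records only, and no recursion at all.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};
```

Validate the file and zone data with `named-checkconf -z /etc/bind/named.conf` before reloading; once views are in use, every zone (including the root hint) must live inside a view.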