[TriLUG] Best appliance for Linux firewall?

Dewey Hylton plug at hyltown.com
Fri Aug 16 21:16:41 EDT 2013


----- Original Message -----
> From: "Steve Litt" <slitt at troubleshooters.com>
> To: trilug at trilug.org
> Sent: Saturday, August 10, 2013 4:33:50 PM
> Subject: Re: [TriLUG] Best appliance for Linux firewall?
> 
> On Sat, 10 Aug 2013 15:58:49 -0400
> bak <bak at picklefactory.org> wrote:
> 
> > 
> > On Aug 10, 2013, at 12:05 PM, Sean Alexandre <sean at alexan.org>
> > wrote:
> > > 
> > > I've been experimenting with this. I haven't found my ideal setup
> > > yet, though. Right now I'm running an Intel Atom box (2 cores) with
> > > 2 NICs on board, and a PCI card with 2 more NICs (for a WAN, LAN,
> > > and DMZ.) It's more than powerful enough, but consumes about 100w
> > > of power. I'd like to find something smaller, that uses more like
> > > 30w (similar to a small home router.)
> > > 
> > > Ideally I'd like to find a box that:
> > > * Runs Debian with no binary blobs.
> > > * Has 3 NICs
> > > * Wireless
> > > * Low power
> > > * Low noise (no fans)
> > 
> > Soekris 5501?
> > 
> > It's x86, so Debian should be easy enough.  Says it draws 20W.
> > 
> > http://soekris.com/products/net5501.html
> 
> I was salivating over that until I added up all their nickel and
> diming:
> 
> * HD mounting kit
> * HD
> * USB->serial adapt laptop to act as serial console
> * Case
> * Power supply
> 
> I'm also wondering exactly how I'd install OpenBSD on it without a
> CDROM drive -- I know how to thumb-driveize Ubuntu, but OpenBSD might
> be a different matter.
> 
> But yeah, that looks really tempting, especially considering it would
> replace a full size desktop running 24/7, it's got to pay for itself in
> a reasonable amount of time.
> 
> Thanks,
> 
> SteveT
> 
> Steve Litt                *  http://www.troubleshooters.com/
> Troubleshooting Training  *  Human Performance

steve, openbsd has worked just fine for me on older soekris hardware. i
did however replace soekris with alix hardware for openbsd-protected
customer sites. i have firewall clusters all over the place now, and
am also doing fully clustered ipsec / ospf / pf configurations that
work very well from coast to coast. for regular office traffic, the
hardware crypto works well with openbsd's in-kernel ipsec stack.

netgate.com will sell you several different alix configurations, most
including m0n0wall or pfsense on a cf card. installing openbsd, for me,
is as easy as pxe-booting. netgate will also sell you the Ubiquiti line
of hardware, mentioned in another message in this thread, which i highly
recommend as well.

for those who don't need hardware crypto and want real physical nics,
netgate will also sell you the lanner equipment that i use in some
situations. runs pfsense from a cf, has room for a real spinning disk,
and of course runs openbsd just fine (it's atom-based). it has SIX
gigabit ethernet ports and is therefore better in some situations than
the 3-port 100mbps alix boards.

i didn't pipe up until now because the question was centered on linux
firewalls, and i simply don't use linux for that purpose any more. but
openbsd? all the time, all over the place.

-dewey
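As an added example (not Dewey's ruleset and not code from the original thread), here is a minimal OpenBSD pf.conf for the WAN/LAN/DMZ layout the original poster described, on a three-port board such as an ALIX. The interface names (vr0-vr2), the RFC 1918 networks, the DMZ web host and the admin workstation address are all assumed:

```pf
# Added example, not from the thread: OpenBSD pf.conf for a 3-port
# WAN/LAN/DMZ firewall. Interface names, networks and hosts are assumed.

ext_if  = "vr0"                # WAN, address from the ISP via DHCP
int_if  = "vr1"                # LAN
dmz_if  = "vr2"                # DMZ

lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_web = "192.168.2.10"       # assumed web server living in the DMZ
admin   = "192.168.1.10"       # assumed workstation allowed to ssh in

set skip on lo
set block-policy drop          # silently drop instead of sending RSTs
set loginterface $ext_if

# Drop packets whose source address cannot belong on the arriving interface
antispoof quick for { $int_if $dmz_if }

# CARP advertisements for a clustered pair; harmless on a standalone box
pass quick on { $ext_if $int_if $dmz_if } proto carp

# Default deny in both directions, logged; everything below is an exception
block log all

# NAT the private networks out the WAN; () tracks the DHCP-assigned address
match out on $ext_if inet from { $lan_net $dmz_net } nat-to ($ext_if)

# Publish the DMZ web server: rdr-to rewrites the destination before filtering
match in on $ext_if inet proto tcp to ($ext_if) port { 80 443 } rdr-to $dmz_web

# The DMZ host may reach the Internet but never initiate into the LAN or
# into the firewall itself (self = every address the firewall holds)
block in quick on $dmz_if inet from $dmz_net to { self $lan_net }

# Only the admin workstation may ssh to the firewall over the LAN
block in quick on $int_if inet proto tcp from ! $admin to ($int_if) port 22

# WAN: the only inbound traffic is the redirected web traffic; synproxy
# completes the handshake on behalf of the DMZ host to absorb SYN floods
pass in on $ext_if inet proto tcp to $dmz_web port { 80 443 } synproxy state

# LAN workstations may go anywhere, DMZ included (stateful by default)
pass in on $int_if inet from $lan_net

# DMZ host outbound, with the quick block above already excluding LAN/self
pass in on $dmz_if inet from $dmz_net

# The firewall itself may originate traffic (DNS, NTP, package fetches)
pass out inet

# Answer pings on every interface
pass in inet proto icmp icmp-type echoreq
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while testing to see what the default-deny rule is logging. Turning this into the clustered pair Dewey describes means adding a CARP address on each zone interface and a `pass quick on $sync_if proto pfsync` rule; pfsync carries state updates unauthenticated, so the sync link needs a dedicated crossover port (or an IPsec-protected path), which is where a six-port box like the Lanner one he mentions beats a three-port ALIX.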
