Need advice for a Linux firewall

Looking for advice on setting up a Linux-based dedicated firewall.
Apparently, there are plenty:

http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

I'm looking to have the firewall sit in front of a public network of
Windows boxes. I would also want to be able to load-balance and re-shape
traffic inside the network. I was hoping to accomplish this using
iptables, but if anyone has any other suggestion, I'd love to hear it.

Thanks!
Abdul Nazeer

fwbuilder

try http://www.zeroshell.net/eng/

pfSense (being FreeBSD-based, it comes under your "other" category).
It uses the OpenBSD-based pf firewall, with a web-based GUI for almost
everything (except maybe console resets). Works for me in several
locations, some `heavy and high`.

One caveat for the current pfSense: traffic shaping in the 1.2.3 release is
somewhat borked (1.2.2 works much better) and it doesn't work with more
than 2 interfaces, so 1 WAN - 1 LAN is OK.

Check out the user forums for specific scenario gotchas, if any.

There's a good (recent) book about it, covering the 1.2.3 release, and very
good it is too, with lots of help for multi-WAN, VLAN, IPsec, etc.
It routes Gigabit nicely with "normal" (PCI-e or PCI-X) hardware. Check out
the hardware sizing guide for examples.
What I particularly like is the "alias" function; it makes working with
huge groups of IPs easy.
BGPd etc. are all available as packages. You can, for example, use
minicom to get a CLI via the console port into a Cisco ADSL router or
local SCADA kit.

Been stable for me for a couple of years now, several instances.

Oh, did I mention failover? CARP.

Me like :)

Gord

> pfSense (being FreeBSD-based, it comes under your "other" category).
> It uses the OpenBSD-based pf firewall, with a web-based GUI for almost
> everything (except maybe console resets). Works for me in several
> locations, some `heavy and high`.

+1 for pfSense. I've been running it for over 18 months with no problems
whatsoever. It does everything I needed it to do, and quite a bit more.

-M

Actually, reading back on the NANOG list for a few plays (playing
catch-up here), pfSense would have made a good contender for the "best
VPN appliance" thread :)

Gord

I use pfSense 1.2.3 in my office environment with 4 NICs, 2 100 Mbit
and 2 Gigabit. I have different network segments and all are sharing
the same internet connection. It works great and has been online
since we moved into this new office a month ago. I also use it as a
VPN endpoint for when I need to troubleshoot our network and I am out
and about. It is great and can also do other office-type
filtering/monitoring. It has Squid plugins, IMSpector plugins, and it
can also do tcpdumps (very useful IMHO).

Ronald Cotoni

Looks interesting. Will give it a shot, thanks!

1. Debian-based Linux for the firewall box. With Debian you can do a very
light setup.
2. FWBuilder for the GUI front end. It's been around for quite a
long time now and has built-in RCS for revision control.
3. Quagga for OSPF routing. We only had about 4-5 firewalls but made a
lot of internal routing changes, and OSPF _really_ made things easy when we
made changes.
4. OpenVPN for after-hours access and off-site staff access.

Anyway, just my $0.02

--Jim

MikroTik makes a pretty robust Linux-based firewall
appliance-on-a-USB-stick. It does a lot out of the box like BGP, VPN,
MPLS, QoS and all kinds of other crazy things you wouldn't expect to fit on
one gig of flash. It takes my HP about 10 seconds to load a full table.

My vote is for pfSense though. PF is a lot of fun itself and I have seen
awesome throughput with no load on very low-end hardware.

Great new book on pfSense as well.

http://www.reedmedia.net/books/pfsense/

--As of March 11, 2010 4:22:38 PM +0000, gordon b slater is alleged to have said:

> One caveat for the current pfSense: traffic shaping in the 1.2.3 release is
> somewhat borked (1.2.2 works much better) and it doesn't work with more
> than 2 interfaces, so 1 WAN - 1 LAN is OK.

--As for the rest, it is mine.

One more, given the other current thread going on at the moment: the current version of pfSense doesn't support IPv6 through the GUI. (The OS and PF support it, but you have to log in to a shell to configure it.)

It's on their to-do list.

Daniel T. Staal

From: Daniel Staal [mailto:DStaal@usa.net]
Sent: Friday, March 12, 2010 1:37 AM
To: nanog@nanog.org
Subject: Re: Need advise for a linux firewall

> --As of March 11, 2010 4:22:38 PM +0000, gordon b slater is alleged to
> have said:
>
> > One caveat for the current pfSense: traffic shaping in the 1.2.3 release
> > is somewhat borked (1.2.2 works much better) and it doesn't work with
> > more than 2 interfaces, so 1 WAN - 1 LAN is OK.
>
> --As for the rest, it is mine.
>
> One more, given the other current thread going on at the moment: the
> current version of pfSense doesn't support IPv6 through the GUI. (The OS
> and PF support it, but you have to log in to a shell to configure it.)

That is why we use Debian with iptables (works great, easy to manage).
Deploying anything now that doesn't fully support IPv6 is something I won't
do unless there is no other option (and I strongly advise everyone else to
be at least IPv6 ready).

> It's on their to-do list.
>
> Daniel T. Staal
>
> ---------------------------------------------------------------
> This email copyright the author. Unless otherwise noted, you
> are expressly allowed to retransmit, quote, or otherwise use
> the contents for non-commercial purposes. This copyright will
> expire 5 years after the author's death, or in 30 years,
> whichever is longer, unless such a period is in excess of
> local copyright law.
> ---------------------------------------------------------------

Sorry, legally I am allowed to do that by local laws.

Regards, Mark
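A dual-stack ruleset for the Debian-plus-iptables approach Mark describes, as an added example that is not from the thread or any project mentioned in it. It assumes eth0 as WAN, eth1 as LAN, documentation prefixes for the LAN, SSH management from the LAN only, and NAT on IPv4; the parity check at the end is the test to run before calling a box "IPv6 ready", because an ip6tables chain nobody configured defaults to ACCEPT.

```shell
#!/bin/sh
# Added example (not from the thread): emits matching iptables-restore and
# ip6tables-restore rulesets for a dedicated Debian firewall forwarding for a
# LAN of workstations. Interfaces, prefixes and port 22 are assumed values.
WAN=eth0
LAN=eth1
LAN4=192.0.2.0/24       # constructed: RFC 5737 documentation prefix
LAN6=2001:db8:1::/64    # constructed: RFC 3849 documentation prefix
# Family-neutral filter table: drop inbound and forwarded traffic by default,
# allow replies to established flows, LAN-originated outbound sessions and
# SSH from the LAN only.  $1 = LAN prefix, $2 = ICMP match for the family.
filter_table() {
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    "-A INPUT -p $2 -j ACCEPT" \
    "-A INPUT -i $LAN -s $1 -p tcp --dport 22 -j ACCEPT" \
    '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    "-A FORWARD -i $LAN -o $WAN -s $1 -j ACCEPT" \
    'COMMIT'
}

# IPv4 adds source NAT so the LAN shares the firewall's public address.
ipv4_ruleset() {
  filter_table "$LAN4" 'icmp --icmp-type echo-request'
  printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    "-A POSTROUTING -o $WAN -s $LAN4 -j MASQUERADE" 'COMMIT'
}

# IPv6 is the same policy without NAT.  ICMPv6 has to stay open: neighbour
# discovery and path-MTU discovery fail silently once INPUT defaults to DROP.
ipv6_ruleset() {
  filter_table "$LAN6" 'ipv6-icmp'
}

# Parity check: the chain policies of the v4 filter table must be identical
# in the v6 table, otherwise a dual-stack box is wide open on the family
# nobody configured (an unconfigured ip6tables chain defaults to ACCEPT).
filter_policies() {
  "$1" | sed -n '/^\*filter/,/^COMMIT/p' | grep '^:' | sort
}
policies_match() {
  [ "$(filter_policies ipv4_ruleset)" = "$(filter_policies ipv6_ruleset)" ]
}
# Usage on the firewall itself (as root): sh fw.sh apply
if [ "${1:-}" = apply ]; then
  policies_match && ipv4_ruleset | iptables-restore && ipv6_ruleset | ip6tables-restore
fi
```

Without the `apply` argument the script only defines the functions, so `sh fw.sh` followed by `. ./fw.sh; ipv6_ruleset` is a safe way to review the generated rules before loading them.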

Can't go wrong with RouterOS. The whole OS will boot on a 32 MB drive
if you needed it to. Contact us if you need hardware/software :)