Looking for advice on setting up a Linux-based dedicated firewall. Apparently, there are plenty: http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

I'm looking to have the firewall sit in front of a public network of Windows boxes. Also, I would want to be able to load-balance and re-shape traffic inside the network. I was hoping to accomplish this using iptables, but if anyone has any other suggestion, I'd love to hear it.

Thanks!
Abdul Nazeer
try http://www.zeroshell.net/eng/

2010/3/11 Abdul Nazeer <voipuser@optonline.net>:
On Thu, 2010-03-11 at 11:00 -0500, Abdul Nazeer wrote:
> iptables, but if anyone has any other suggestion, I'd love to hear it.
PFsense (being FreeBSD-based, comes under your "other" category). It uses the OpenBSD-based pf firewall, with a web-based GUI for almost everything (except maybe console resets). Works for me in several locations, some `heavy and high`.

One caveat for the current PFsense: traffic shaping in 1.2.3 release is somewhat borked (1.2.2 works much better) and it doesn't work with more than 2 interfaces, so 1 WAN - 1 LAN is OK. Check out the user forums for specific scenario gotchas, if any.

There's a good (recent) book about it, covers 1.2.3 release, very good it is too, with lots of help for multi-WAN, VLAN, IPsec, etc etc.

Routes Gigabit nicely with "normal" (PCI-e or PCI-X) hardware. Check out the hardware sizing guide for examples.

What I particularly like is the "alias" function, it makes working with huge groups of IPs easy. BGPd, etc are all available as packages - you can for example use minicom to get CLI via the console port into a Cisco ADSL router or local SCADA kit.

Been stable for me for a couple of years now, several instances. Oh, did I mention failover? CARP. Me like :)

Gord
-- rockin ze bedroom
> PFsense, (being FreeBSD-based, comes under your "other" category) It uses the OpenBSD-based pf firewall, with a web-based GUI for almost everything (except maybe console resets). works for me in several locations, some `heavy and high`.
+1 for pfsense. I've been running it for over 18 months with no problems whatsoever. It does everything I needed it to do, and quite a bit more.

-M
On Thu, 2010-03-11 at 09:01 -0800, Marty Anstey wrote:
> +1 for pfsense. I've been running it for over 18 months with no problems whatsoever. It does everything I needed it to do, and quite a bit more.
actually, reading back on the nanog list for a few plays (playing catch-up here) pfsense would have made a good contender for the "best VPN appliance" thread :)

Gord
-- ALERT: kitchen-sensor-03 reports over-temp
On Thu, Mar 11, 2010 at 12:06 PM, gordon b slater <gordslater@ieee.org> wrote:
I use PFsense 1.2.3 in my office environment with 4 NICs, 2 100 Mbit and 2 gigabit. I have different network segments and all are sharing the same internet connection. It works great and has been online since we moved into this new office a month ago.

I also use it as a VPN end point for when I need to troubleshoot our network and I am out and about. It is great and can also do other office-type filtering/monitoring. It has Squid plugins, IMSPector plugins, and it also can do tcpdumps (very useful IMHO).

Ronald Cotoni
On 03/11/2010 11:22 AM, gordon b slater wrote:
> On Thu, 2010-03-11 at 11:00 -0500, Abdul Nazeer wrote:
>> iptables, but if anyone has any other suggestion, I'd love to hear it.
>
> PFsense, (being FreeBSD-based, comes under your "other" category) It uses the OpenBSD-based pf firewall, with a web-based GUI for almost everything (except maybe console resets). works for me in several locations, some `heavy and high`.
Looks interesting. Will give it a shot, thanks!
On Thu, Mar 11, 2010 at 11:56 PM, Abdul Nazeer <voipuser@optonline.net> wrote:
> Looks interesting. Will give it a shot, thanks!

For a very long time I used the following setup with great success:

1. Debian-based Linux for the firewall box. With Debian you can do a very light setup.
2. FWBuilder for the GUI front end. It's been around for quite a long time now and has built-in RCS for revision control.
3. Quagga for OSPF routing. We only had about 4-5 firewalls but made a lot of internal routing changes and OSPF _really_ made things easy when we made changes.
4. OpenVPN for after-hours access and off-site staff access.

Anyway, just my $0.02

--Jim
Mikrotik makes a pretty robust Linux-based firewall appliance-on-a-USB-stick. It does a lot out of the box like BGP, VPN, MPLS, QoS and all kinds of other crazy things you wouldn't expect to fit on one gig of flash. It takes my HP about 10 seconds to load a full table.

My vote is for PFSense though. PF is a lot of fun itself and I have seen awesome throughput with no load on very low end hardware.

On Thu, Mar 11, 2010 at 1:45 PM, Jim Miller <stljim@gmail.com> wrote:
Can't go wrong with RouterOS. The whole OS will boot on a 32 meg drive if you needed it to. Contact us if you need hardware/software :)

-----------------------------------------------------------
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE, MTCTCE, MTCUME
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"

-----Original Message-----
From: Will Clayton [mailto:w.d.clayton@gmail.com]
Sent: Thursday, March 11, 2010 5:54 PM
To: Jim Miller
Cc: Abdul Nazeer; nanog@nanog.org
Subject: Re: Need advise for a linux firewall
On Thu, Mar 11, 2010 at 11:26 AM, Abdul Nazeer <voipuser@optonline.net> wrote:
> Looks interesting. Will give it a shot, thanks!
Great new book on pfsense as well. http://www.reedmedia.net/books/pfsense/
--As of March 11, 2010 4:22:38 PM +0000, gordon b slater is alleged to have said:
> One caveat for the current PFsense: traffic shaping in 1.2.3 release is somewhat borked (1.2.2 works much better) and it doesn't work with more than 2 interfaces, so 1 wan - 1 lan is OK.
--As for the rest, it is mine.

One more, given the other current thread going on at the moment: The current version of PFsense doesn't support IPv6 through the GUI. (The OS and PF support it, but you have to log in to a shell to configure it.) It's on their to-do list.

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------
-----Original Message-----
From: Daniel Staal [mailto:DStaal@usa.net]
Sent: Friday, March 12, 2010 1:37 AM
To: nanog@nanog.org
Subject: Re: Need advise for a linux firewall
> --As of March 11, 2010 4:22:38 PM +0000, gordon b slater is alleged to have said:
>> One caveat for the current PFsense: traffic shaping in 1.2.3 release is somewhat borked (1.2.2 works much better) and it doesn't work with more than 2 interfaces, so 1 wan - 1 lan is OK.
> --As for the rest, it is mine.
>
> One more, given the other current thread going on at the moment: The current version of PFsense doesn't support IPv6 through the GUI. (The OS and PF support it, but you have to log in to a shell to configure it.)
That is why we use Debian with iptables (works great, easy to manage). Deploying anything now that doesn't fully support IPv6 is something I won't do unless there is no other option (and I strongly advise everyone else to be at least IPv6 ready).
> It's on their to-do list.
>
> Daniel T. Staal
>
> ---------------------------------------------------------------
> This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
> ---------------------------------------------------------------

Sorry, legally I am allowed to do that by local laws.
Regards, Mark
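As an added example (not code from the thread, nor from Debian or any of the distributions named in it), this is what the "Debian with iptables, IPv6-ready" approach looks like for the setup asked about at the top of the thread: a dedicated box routing a public LAN of Windows hosts, with the same stateful policy loaded for both IPv4 and IPv6. Interface names (eth0 as WAN, eth1 as the LAN side) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a paired IPv4/IPv6 stateful ruleset
# for a dedicated Debian/iptables firewall routing a public LAN of Windows hosts.
# Interface names (eth0/eth1 in rule_count below) are assumptions.  Rules are
# emitted in iptables-restore syntax so they can be reviewed before loading.

gen_ruleset() {
  fam=$1 wan=$2 lan=$3
  # Same policy for both families; only the ICMP protocol name differs.  Never
  # drop ICMPv6 blindly: neighbour discovery and PMTUD ride on it.
  if [ "$fam" = 6 ]; then icmp=icmpv6; else icmp=icmp; fi
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan -j LOG --log-prefix "fw${fam}-in-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $wan -p tcp -m multiport --dports 135:139,445 -j DROP
-A FORWARD -i $wan -p udp -m multiport --dports 135:139,445 -j DROP
-A FORWARD -p $icmp -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -j LOG --log-prefix "fw${fam}-fwd-drop: "
COMMIT
EOF
}

# Loads both families; run as root.  Loading only the IPv4 set leaves ip6tables
# at its default ACCEPT policy, which is the gap the IPv6-readiness remark is about.
apply_ruleset() {
  gen_ruleset 4 "$1" "$2" | iptables-restore &&
    gen_ruleset 6 "$1" "$2" | ip6tables-restore
}

# Self-check usable without root: number of rules in a generated set.
rule_count() { gen_ruleset "$1" eth0 eth1 | grep -c '^-A'; }
```

The Windows-specific part is the early DROP of 135-139/445 from the WAN side, so that any per-host allow rule added later to FORWARD can never expose SMB or RPC to the internet.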
participants (12)
- Aaron Urbain
- Abdul Nazeer
- Bryan Irvine
- Daniel Staal
- Dennis Burgess
- gordon b slater
- Jim Miller
- Mark Scholten
- Marty Anstey
- Mirko Maffioli
- Ronald Cotoni
- Will Clayton