[PLUG] Firewalls

Kris krisa at subtend.net
Wed Nov 30 02:28:42 UTC 2005


fh hillsboro wrote:
> Anybody using a dedicated Linux box as a firewall?  I have built a
> system from my parts pile and it needs something to do.  I am currently
> using a SonicWall-10 but it lacks some IP blocking capability and other
> stuff that I want.  SO - I'd love to hear the good and bad, the
> recommendations and caveats, etc.  Also:
> Which package?
> Hardware requirements?
> Maintenance issues?

I've gone multiple routes for building GNU/Linux firewall systems.  I used to
write my own scripts.  Then I tried fwbuilder[1], as it was easy to visually see
what was going on when maintaining multiple firewall configs, and to build and
deploy them.  The portability feature was nice with fwbuilder (works for
pf/iptables/pix etc.).

Recently I find myself using Shorewall[2].  Easy to set up, and easy to make
changes or expand the system (add another NIC, create a DMZ, or a VPN).  I'm
also using it for host (non-routing) firewalls.  A bit overkill, but the app
isn't large and it provides a common interface for maintaining a lot of hosts
running iptables.  Shorewall also provides a nice way to do QoS (tc).

I'm currently experimenting with keeping shorewall configs in an SVN repository.
I'm trying to find better ways for doing change management on hosts.  So far
I've had good results.

All of this has been on a mix of mostly Debian sarge, and a bit of Ubuntu
hedgehog/badger.  The benefit of having a full GNU/Linux environment is that if I
need to do some analysis, I can install the packages I need, do what I need to
do, and uninstall the packages.  The logging capabilities are there too.

Another path I've recently taken is OpenBSD/pf.  The code auditing and security
minded techniques appeal to me, and the pf design is powerful.  OpenBSD on a
Soekris would be perfect.

[1] http://www.fwbuilder.org/
[2] http://www.shorewall.net/

Simple QoS script:
http://lartc.org/wondershaper/

One day I would like to see a bakeoff between a GNU/Linux firewall installed on
a carrier-grade PC, armed with a lot of gig ports, against a PIX and a Netscreen.
