What Linux Firewall/Router Distribution?

[dave87]

Afternoon all,

The idea is to replace the router I have running with a Linux based firewall router. I have a Jetway J7F2 1.5ghz Via C7 motherboard with 1gb of RAM, which will shortly have 3xGbE and 1x10/100 network ports (having just ordered the 3xGbE daughterboard), so I think I have the hardware covered.

So what software should I be running? Jay - I think you were running pfsense, how are you finding it? Otherwise I'm open to suggestion, so any pointers gratefully received.

Dave

[TheAnimus]

http://m0n0.ch/wall/

I hate the people that think its good security to have a firewall, and then make it run a gabillion things. I've seen people use firewall distros that have java, php and all sorts of needless complexity which of course will have security bugs in them, and reduce the purpose of having a firewall.

So the question is, what do you want the firewall router to be doing?

[dave87]

Firewall & NAT basically. May eventually add VLANs to segregate the network, but not currently in the plan.

I have a WHS and an ESXI host which I can play with other things if required.

[smargh]

I've been using pfsense on an Alix 2D3 for a few years. Works fine - never falls over. I previously used m0n0 for a few years, which (IMO) did better packet shaping and I might switch back to that at some point.

I'm a big fan of one-device-for-one-purpose, so as per TheAnimus, what do you want it to do?

Edit: just saw above post. The hardware you have is probably overkill for a firewall & might waste electricity unnecessarily.

[dave87]

It's the 25w version I've got, so hopefully shouldn't be too bad (left over from an old self built NAS that got replaced by a WHS). That said I've got 80/20 BT Infinity which runs at 75/16, so I wanted to make sure there was enough processing power to deal with that running at full speed (as required).

[TheAnimus]

In that case m0n0wall is definately up your street, small secure and simple.

[dave87]

Perfect, looks like m0n0wall it is then!

[smargh]

By my calculations*, you would save around £22.20 per year if you used an Alix instead of the Jetway, assuming that it actually pulls 25 watts from the wall. It would take 6.7 years to use the savings in electricity, or less if you also sold the Jetway components. Your Jetway probably pulls slightly more than 25W though.



*often wrong

[sha-1]

Why limit yourself to Linux? OpenBSD is the perfect choice for a firewall.

[kopite]

have you looked at vyatta?

I`ve had a bit of a mess with it in work and it seems to be really powerful.

Its router as well as firewall but I like it

[watercooled]

I also really like m0n0wall, simple, stable, not full of bloat or nonsense like uPnP (check the recent security panic) and will run well on pretty much anything. I also have an ALIX board, a 2D13, and CPU usage in % seems to scale close to throughput in Mbps i.e. loading VM's 60Mb download seems to take the CPU to around 60%. This is an AMD Geode LX800 CPU @ 500MHz - your VIA system should have no trouble with Inifnity. CPU load can obviously increase depending on number of rules etc, but unless you have hundreds of custom rules, it shouldn't make much of a difference.

I don't recall ever having to reboot the system through its own fault, and if I hadn't unplugged it for various reasons, or installed new versions, uptime would probably be in the years.

@sha-1 m0n0wall and pfSense are based on FreeBSD.

Edit: Something worth investigating, I'm not sure if m0n0wall supports PowerD (CPU frequency scaling); I know pfSense does, and the option isn't there on m0n0 for me, but some CPUs don't support it so that could explain it. However, if the VIA CPU does support it, and if there's a worthwhile drop in idle power consumption, it may be worth trying to get it working.