At the office we’ve been using a Microsoft ISA firewall on an old Pentium II computer. I’ve always hated it because, while secure, it seemed like a waste. I’d rather use that Windows licence on a file server and change out the firewall for a lean, mean, dedicated hardware machine.
As luck would have it, the drive on that old computer failed and I spent the weekend putting a new one together. If I disliked ISA before, I really dislike it today.
A co-geek of mine said I should check out m0n0wall. It’s a BSD-based solution that can run on tiny embedded PCs. Looks interesting. If anything I think I’ll build one for my home network.
Anyone out there with other hardware firewalls I should look into?
Sort of. We have a handful of VPN users (auth via RADIUS at the moment), a mail server, a web server, and our domain controller is already acting as the DHCP server. I’d like to drop another server behind this wall as well.
What I’d really like to provide is site-to-site VPN. Right now we can’t do that. I decided to build two monowall firewalls using the net4501. I ordered two of them today and picked up a couple of 256 MB compact flash cards for the drives.
I’m going to configure one at my office and one at my house. I’ll connect a VPN between the two and play with it. If anything the monowall should support my needs for now (it’s more than enough for my home use). If I end up needing more then I’ll look at another option for our office network and put that monowall to use for our wireless internet access (which is outside of our office network). I dig the captive portal function. That will make things easier when clients need internet access on their laptops.
At $200 bucks and a few hours labour, I won’t be out much if it doesn’t fit our needs.
I’m still interested in hearing what other dopers have been using.
I thought I’d follow up on this thread for the hell of it.
I’ve built my two monowall firewalls using the Soekris net4501 hardware. Putting the thing together, writing the software to the flash card and getting it up and running was a piece of cake. Configuration for my home system was straightforward. No problems.
I’m installing the one at the office tomorrow.
From what I can tell so far it is a damn good solution. My final price for each machine came to about $230.
Say, for instance, you have a corporate website…you want it inside the firewall to protect it against maliciousness, but you still need to let Web requests in. No big deal, any home firewall solution will do that.
But now you look at the logs and realize you’re seeing a lot of traffic from China. This is weird because you have a lawn-care business…China isn’t in your customer base.
With a more capable solution you can block port 80 from anything in China’s IP address space.
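The rule described in this post, replayed against a few constructed firewall log lines as an added example (not code from the thread or from m0n0wall). The blocked prefixes are documentation ranges standing in for a country allocation list, and the log format is assumed.

```python
"""Added example: decide which web-server hits a geo-based port-80 rule would
drop, and tally them per /24 so a log review shows where they come from."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Placeholder "out-of-footprint" prefixes. A real deployment would load the
# country's allocations from a registry list; these are RFC 5737 doc ranges.
BLOCKED_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
BLOCKED_PORTS = {80}  # the post blocks only the web port, not all traffic

# Constructed log lines: "<src_ip> <dst_port> <action>" (assumed format)
SAMPLE_LOG = """\
192.0.2.10 80 pass
203.0.113.7 80 pass
203.0.113.9 443 pass
198.51.100.44 80 pass
192.0.2.11 22 pass
"""


def in_blocked_space(src: str) -> bool:
    """True when the source address falls in any blocked prefix."""
    addr = ip_address(src)
    return any(addr in net for net in BLOCKED_NETS)


def decide(src: str, dport: int) -> str:
    """'block' if the geo rule matches (blocked space AND port 80), else 'pass'."""
    return "block" if dport in BLOCKED_PORTS and in_blocked_space(src) else "pass"


def review(log_text: str):
    """Replay each log line through decide(); return the decisions and a
    per-/24 count of what the rule would have dropped."""
    decisions, dropped = [], Counter()
    for line in log_text.splitlines():
        src, port, _action = line.split()
        verdict = decide(src, int(port))
        decisions.append((src, int(port), verdict))
        if verdict == "block":
            dropped[str(ip_network(f"{src}/24", strict=False))] += 1
    return decisions, dropped


if __name__ == "__main__":
    for src, port, verdict in review(SAMPLE_LOG)[0]:
        print(f"{src:>15} :{port:<4} {verdict}")
```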
It has three 100s. I think all the Soekris boards are 100 Mbit.
It does have one PCI so I could add a 1000 if needed.
I don’t need 1000 Mbit at the office. All our switches are 100s at the moment.
The one in the office is up and running. The VPN options on this are pretty good. You can set up 16 users at a time and there’s a hack to allow 50. VPN users can use the monowall user/pass list (which you add through the monowall web admin) or users can auth via a RADIUS server on the LAN, which is how mine is configured.
At the end of the day I set it up so VPN users end up receiving a different block of IPs than the internal LAN. Monowall forwards them into the LAN block so they can move around.
The VPN IPs have a whole different set of rules than the regular LAN to WAN or WAN to LAN rules. Pretty cool. Lots of options on routing, blocking, and shaping.
This solution has far more features than I expected for only $200-ish bucks.
Cool, I’ve got smoothwall 2.0 running at home, but don’t have it all configured yet…the installation was fairly easy, and it’s a good product.
I got stymied partway through installing Gibraltar…kind of a chicken and egg problem:
one interface defaults to 10.0.0.X, the other defaults to 10.0.1.X, the only way to manage it is through the web, so you have to alter ANOTHER computer’s settings to one of those blocks, figure out which interface it’s on (I HATE that about multi-NIC’d machines), then when you reconfigure a NIC you have to rename it to something OTHER than ethX.
Anyway, I’m sure it’s a fine product, I just couldn’t be bothered with the initial configuration. Smoothwall 2.0 doesn’t have traffic shaping and 3.0 alpha is still a little rough around the edges, so I suspect I’ll be making some changes in the future…M0n0wall, believe it or not, won’t boot on the PII I’m using. No clue why.
On the other extreme, my small (20 people) but decidedly not home office is running a secondhand Cisco PIX-515R. HIGHLY recommended if you need serious throughput and, y’know, an actual firewall but you don’t want to futz with the Linux stuff.
I’m a Linux/Unix admin by trade, and I don’t like configuring it as anything more than a home firewall/router. iptables was written by a masochistic sufferer of “the clevers” IMHO.