[CLUE-Tech] I need a Linux Firewall

Jeremiah Stanley lists at miah.org
Thu Jul 3 12:28:02 MDT 2003


> I'm setting up a few servers in a new co-location.  Can anyone recommend
> a good Linux firewall solution?  We are trying to cut costs, so I
> thought I would see what is out there before I go buy something horribly
> expensive.

Depending on what you need security-wise, I would think that a separate
machine would be silly to put a firewall on. Basically you'd be building
a DMZ and then from there I would only accept packets from the firewall
host, which is silly as you would need to then firewall the individual
machines again on their own. You might as well cut out the middle man
and grow your own fw on each individual machine.

This will be free if you use iptables/ipchains (depending on your
kernel). I would avoid firewall building programs as they really don't
make the best of all firewalls yet. They are a nice start to see where
you need to go, but I wouldn't rely on one working 100% of the time.

The only thing that a fw host would gain you is the ability to scale
back the bandwidth that you'd send out. This would be good if you are
charged by the GB. This can be accomplished with any of the newer
kernels and the /sbin/ip|tc utilities. There is a steep learning curve
to it as well.

http://lartc.org/howto/index.html

That is the Linux Advanced Routing & Traffic Control HOWTO and it will
tell you all about the different queuing disciplines that you can use to
separate and balance the bandwidth that services use. One application
would be to protect yourself from DDoS attacks by scaling back certain
types of pings (xmas and smurf, etc) and then upping the priority of,
say, ssh to interactive so that you can still log in during an attack or
if you have piles upon piles of hits coming in for services.

There is a lot that can be done with a simple Debian box and a couple of
cheap NICs (I would recommend Debian for this purpose as the install can
get down into the 60 MB range vs RedHat which still thinks they need 500
MB at the smallest). As was already mentioned in another posting, you
would most likely need to make sure that you had some failover safety
built into your firewall (ie, two machines with two two-port NICs in
them set up with a heartbeat). This stuff gets expensive really quick.
Much like hot rodding cars: how fast do you want to spend?

This is why I suggest just firewalling on each individual machine. At
about four machines it is manageable, but there is a point at which the
extra overhead and cost of the fw host(s) makes sense.

There are also some floppy-based Linux firewall projects out there that
you may want to check out. A simple Pentium Pro 200 would make a very
fast firewall. Depending on your experience and skill there are some
hardware options that you can look at like the Rebel Router based on
Linux.

http://www.imagestream.com/Rebel.html

It will have all the features you need including VPN support for
administration purposes. They have many options on them as well and will
do all of what I have mentioned above.

-- 
JStanley <miah at miah.org>
http://www.slavewage.com/
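
The per-host approach the reply recommends (a plain iptables ruleset on each box, plus tc to keep ssh usable while outbound bandwidth is scaled back) as an added example that is not part of the original post or of any project it mentions. The script only generates the rules and tc commands into files for review; nothing is applied. The interface name, admin network, service ports and the 2mbit cap are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate (not apply) a per-host
# iptables ruleset and the tc commands that keep ssh responsive while the rest
# of the host's outbound traffic is capped. Everything is written to files so
# it can be reviewed before loading:
#   iptables-restore < host-fw.rules
#   sh tc-prio.sh
# The interface, admin network, service ports and rates are assumptions.

ADMIN_NET="192.0.2.0/24"     # assumed admin network allowed to reach ssh
SERVICE_PORTS="80 443"       # assumed public TCP services on this host

# Emit an iptables-restore ruleset: default DROP inbound, allow loopback and
# reply traffic, discard xmas/null TCP flag combinations, rate-limit echo
# requests, allow ssh only from ADMIN_NET and the listed ports from anywhere.
# Usage: gen_host_rules ADMIN_NET "port port ..."
gen_host_rules() {
    admin_net="$1"
    ports="$2"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # xmas (all flags set) and null (no flags) packets are never legitimate
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    # echo requests: a modest rate survives, a flood is dropped
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT"
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Emit tc commands for DEV: a 3-band prio qdisc at the root, ssh traffic
# steered into band 0 (class 1:1), and a tbf on band 1 (class 1:2, where
# untagged traffic lands under the default priomap) that caps everything
# else at RATE.
# Usage: gen_ssh_prio DEV RATE
gen_ssh_prio() {
    dev="$1"
    rate="$2"
    printf '%s\n' "tc qdisc add dev $dev root handle 1: prio"
    printf '%s\n' "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:1"
    printf '%s\n' "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:1"
    printf '%s\n' "tc qdisc add dev $dev parent 1:2 handle 20: tbf rate $rate burst 32kbit latency 400ms"
}

# Sanity check on a generated ruleset: exactly one table header and one
# COMMIT, and every other line is a chain policy or an -A rule.
# Returns 0 when the text looks loadable by iptables-restore.
check_ruleset() {
    text="$1"
    [ "$(printf '%s\n' "$text" | grep -c '^\*filter$')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$text" | grep -c '^COMMIT$')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$text" | grep -vc -e '^[*:]' -e '^-A ' -e '^COMMIT$')" -eq 0 ] || return 1
    return 0
}

# Run with an interface name to write both files into the current directory:
#   sh host-fw-gen.sh eth0
if [ "$#" -eq 1 ]; then
    rules=$(gen_host_rules "$ADMIN_NET" "$SERVICE_PORTS")
    check_ruleset "$rules" || { echo "generated ruleset failed sanity check" >&2; exit 1; }
    printf '%s\n' "$rules" > host-fw.rules
    gen_ssh_prio "$1" 2mbit > tc-prio.sh
fi
```

The ruleset is kept in iptables-restore format rather than as a string of `iptables` invocations so that the whole table is swapped atomically and can be diffed before loading; the tc part relies on the prio qdisc's default priomap putting ordinary (TOS 0) traffic in band 1, which is where the tbf cap is attached, while the two u32 filters pull ssh into band 0 ahead of it.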
