Linux Firewall/Router

cmt9000 · 10-11-2005, 12:08 PM

Apparently people think I'm crazy....

I want to replace my Cisco PIX 506e firewall and generic router with one, high-end linux machine that will be the router and firewall.

Am I really nuts???

Keruskerfuerst · 10-11-2005, 12:34 PM

Hello!

Just visit www.ipcop.org

Greetings

Imanerd · 10-11-2005, 02:25 PM

Also check out m0n0wall. It's FreeBSD-based (rather than Linux), but it works great, doesn't require high-end hardware, and is very easy to set up and use.

IRIGHTI · 10-11-2005, 06:58 PM

Also:

www.smoothwall.org

You don't need a very powerful system to be a firewall/router. A P200 would be more than enough, unless you get a rediculous amount of traffic e.i 1 Gbit.

Or if you want to build your rules yourself, which I would recommend:

http://iptables-tutorial.frozentux.n...-tutorial.html

That is the best Iptables tutorial out there. They also give you an example to go off of, which is what my firewall was originally. Its been hacked up since then though.

linux.llama · 10-12-2005, 04:13 PM

Hey
I'm preferential to Shorewall. I dunno how it compares to m0n0 or ip cop tho. But with all the exploits in IOS lately, i would not blame you for dropping the Cisco gear. Even if they are mad expensive.

makko · 10-13-2005, 09:56 AM

Id recomend you read as many tutorials on IPTables as you can and when confident build the firewall/router from scratch. Its the only way to make the firewall/router exactly as you want it. + you will be able to troubleshoot it incase of glitches. Then make a script to add the rules after every reboot.

doublejoon · 10-13-2005, 01:09 PM

I imagine http://www.fwbuilder.org/ would make you feel comfortable coming from Cisco

int0x80 · 10-18-2005, 09:12 AM

No, you are not nuts. In fact, we've had less problems administering and managing Linux iptables firewalls. Nothing against Cisco, but we've had several Pix firewalls fail on us, hardware or otherwise. There's nothing wrong with using a Linux iptables firewall, in fact they are all over the place in enterprise environments.

colin7151 · 10-20-2005, 09:41 PM

I'd have to go with Monowall. Its got a small footpring, extermely secure, and has a fantastic UI for creating and managing the box.

ravee · 10-22-2005, 09:55 AM

Cisco is hardware based firewall which is more robust and used expecially in high traffic network environment. Where as using linux as a router is a software based solution. If your network has significantly less traffic , then it is more effective and less costly to embrace linux.

IRIGHTI · 10-22-2005, 01:54 PM

That brings up a good point. Even though there are software and hardware firewalls. You have to use those terms loosely because the hardware firewall has to have software i.e. firmware. And since iptables is on the kernel level, isn't a linux firewall pretty close to a hardware firewall?

I'm just curious. Because the kernel administers the rules before it even reaches the user space, right?

Imanerd · 10-22-2005, 02:11 PM

That is a good point. I think quite a few "hardware" firewalls actually use a version of linux or BSD.

mago · 10-23-2005, 11:52 AM

As a matter of fact you can try to go a step further and buid a bridge firewall that will not be accessible from the outisde as a first line of defense.

You will have your machines with public ips but totally firewalled, or you can put just anothe machine after the bridge so you won't have to worry about loosing your main line of defense.