Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all,
I need a simple to use firewall software in a 100 employee environment.
The firewall should block unnecessary websites, keywords, videos, images, and any intrusion, as per users and groups (e.g., teachers and students). Bandwidth shaping would be a plus.
Please suggest some.
Go for a hardware or "appliance" solution, Fortigate / FortiOS is good.
Yes, there will be people who are now going to say "use Linux, use SQUID, iptables, etc.", which is fine if you want to go down the do-it-yourself path.
I've a Fortigate FC80 here with about 70 users behind it, and if I want to block "File Swapping" or "Proxy Avoidance" then I define the policy and tick the boxes in the GUI. These lists are updated and maintained by Fortigate so I don't have to keep updating them etc.
For bandwidth shaping, I've 2Mb that's reserved for phones and for web use my general users are in a shared 4Mb and "executive" users are in a shared 8Mb.
If you're determined to go down the "free software" route then SQUID and iptables will be your starting points.
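For the "SQUID and iptables" route mentioned above, the following squid.conf fragment is an added example, not something posted in the thread, showing how the original poster's requirements (per-group site and keyword blocking, media blocking, and bandwidth shaping) map onto Squid's ACLs and delay pools. It assumes Squid 3.x, that the two groups are identified by source subnet (the 10.0.10.0/24 and 10.0.20.0/24 ranges are constructed placeholders), and that the block lists live in locally maintained files under /etc/squid/.

```squid
# Added example squid.conf fragment (not from the thread).
# Assumes Squid 3.x and the constructed subnets below.
http_port 3128

# Group membership by source subnet (placeholders). For per-user control,
# replace these with proxy_auth plus an external_acl_type group helper.
acl teachers src 10.0.10.0/24
acl students src 10.0.20.0/24

# Block lists, one entry per line, maintained by hand in these files:
#   blocked_sites.txt  -> domains such as .example.net
#   blocked_words.txt  -> case-insensitive regexes matched against the URL
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
acl blocked_words url_regex -i "/etc/squid/blocked_words.txt"

# Response MIME types to withhold from students only.
acl media_types rep_mime_type -i ^video/ ^image/

# Students: blocked sites, blocked keywords, and no video or image content.
http_access deny students blocked_sites
http_access deny students blocked_words
http_reply_access deny students media_types

# Teachers: only the site block list applies.
http_access deny teachers blocked_sites

# Anything not denied above is allowed for the two groups; everyone else is denied.
http_access allow teachers
http_access allow students
http_access deny all

# Bandwidth shaping with delay pools. Class 2 = one aggregate bucket for the
# group plus one bucket per client host. Values are bytes/second (restore/max).
delay_pools 2

# Pool 1: students share 4 Mbit/s, capped at 512 kbit/s per host.
delay_class 1 2
delay_access 1 allow students
delay_access 1 deny all
delay_parameters 1 500000/500000 64000/64000

# Pool 2: teachers share 8 Mbit/s, capped at 1 Mbit/s per host.
delay_class 2 2
delay_access 2 allow teachers
delay_access 2 deny all
delay_parameters 2 1000000/1000000 128000/128000
```

Two caveats worth knowing before relying on this: the url_regex keyword match and the rep_mime_type check only see plain HTTP requests and responses, since for HTTPS the proxy sees only a CONNECT to a hostname unless TLS interception is configured, so keyword and media filtering will not apply to encrypted sites; and mapping groups to subnets is only as strong as the network layout, so anyone who can change their address changes their group, which is why authenticated users with a group lookup helper are the better basis for "teachers versus students" policies.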
What is the difference between a do-it-yourself path for iptables/squid/etc. and a do-it-yourself path for Fortigate / FortiOS? Seems to me that both have a (possibly steep) learning curve, and using Fortigate / FortiOS needs specialized equipment.
Don't get me wrong, your solution might be a good option but the reason why isn't too clear from your post.
Fortigate is a hardware firewall / router device which offers content filtering, website blocking, email and webpage anti-virus scanning, DHCP, VPN server, etc. all with a web interface.
Sometimes paying for a device is more cost / time effective than having a person spend days or weeks building a solution.
Thank you for your reply.
I am looking for a software appliance rather than hardware solution.
Of course, I am not willing to compile squid, iptables, IPS, etc. from scratch.
My requirement is full control over content filtering and intrusion prevention with a simple web interface.
I found some open source software appliance projects and am giving them a try on my virtual machines.
Like:
I currently run pfsense as a virtual router and firewall and vpn server with snort.
Works really well, 4 cores and 4 GB RAM assigned, WAN NIC directly passed through, DMZ, LAN and VPN on a bridge interface.
Works but have never tried close to 100 users on it. I would rather go dedicated hardware for that many users depending on your throughput requirements.
On my system it saturates the 50 Mbps down and 25 Mbps up that I have, with ample CPU and RAM left.
My next purchase is an i350 4-port Intel NIC to get rid of the bridge, assigning a port to each VM using SR-IOV.
Last edited by ericson007; 01-14-2014 at 06:38 AM.
I found some open source software appliance projects and am giving them a try on my virtual machines.
If you've the time and resources for the testing etc. then great! Let us know how you get on, as it'll help others.
Quote:
Originally Posted by ericson007
Works but have never tried close to 100 users on it. I would rather go dedicated hardware for that many users depending on your throughput requirements.
Any recent hardware will be able to keep up with throughput as generally the WAN link will be the bottleneck.
We also have Juniper SSG firewalls with a web management interface but the Fortigate device is a bit easier to use and intuitive. We had it unpackaged and running our filtering requirements in about 1 day.
One thing to remember with virtual routers is that yes, they may work fine and get limited by the WAN, but if the VM host has many VMs then it can cost performance on the other virtual machines. So virtual routing is great but a double-edged sword at the same time.