
Linux/Open Source Firewall Comparisons

kjv1611

New member
Jul 9, 2003
10,758
0
0
US
Can anyone offer any thoughts on what might be the best/worst, pros/cons between the different options listed here:

IPCop

MonoWall

SME Server as a Firewall

Ubuntu Server as a Firewall

Some other Linux Distro as a firewall?

Another not listed here?

Thanks for any thoughts at all.
 
What is this firewall going to be protecting? your LAN? Servers? A workstation? Is it going to be strictly a firewall or is it going to be a router AND firewall? I prefer FreeBSD so I would personally suggest m0n0wall but without knowing more specifics I doubt it would be hard to answer your question.
 
w1nn3r is right. In order to answer this question effectively, more information is needed.

You mentioned Ubuntu Server and I will comment on that one. The word from the Ubuntu security gurus is that as long as you are running AppArmor, a secondary firewall doesn't get you much additional protection. Keep in mind that one big difference between (at least most) Linux distributions and other OS programs is that the unused ports are by default closed. This buys you A LOT of protection right there.

Since the ports are closed by default, inbound traffic will be dropped unless you specifically have an application listening for it. AppArmor will monitor these programs that are connected and ensure that they can only access their respective areas. For example, it will keep Apache, which runs under the default user, from being able to access the Bind9 configuration files.
 
You can consider "fwbuilder". Read more detail on its website.
Desktop firewall: "Firestarter".
 
I'll try to give a little more info. The reason I made my question kind of short is that I can get long winded if I'm not careful. I think that comes from writing so many HORRIFICALLY long papers (as required) in college - some time ago. [wink]

Here are the specifics:

Home Network - I do some side computer work at home, but generally it's just a home network.

There are at least 2 wireless laptops, 1 wireless desktop, 1 wireless game console, at least 3 wired desktops, all connected. However, at least of late, I rarely have even 1/3 of that running at the same time. Of course I have also had as many as 3 or 4 other computers temporarily on the network.

My plan is this (so far):
The firewall would basically just be a firewall. The routing/switching would then be handled by my router and gigabit ethernet switch. So, my plan is (has been so far at least) to go:
Modem -> Linux/FreeBSD Firewall -> Router -> Wireless Clients or Wired clients (some via Gigabit Switch)

The wireless, I think, has been having a lot more interference of late, which has got me re-looking at everything anyway. I did initially think that the router itself may be having issues, but after a little more looking/testing, it seems the router is fine, it's solely wireless interference. Regardless, I still want to look at the firewall idea, even if it's just for tinkering and learning. Regardless, if I go with it all the time, seems it would be more secure than any out of the box solution, well home-level solution at least.

Someone in another thread a while back got me thinking about this again. I stated that most people wouldn't want a full PC running for a firewall, when a router would use so much less electricity. But that thought has been in the back of my mind the whole time, just festering! [wink]

I'd be more than happy to try any of these as a firewall. I could get one up and running one weekend, depending upon family/side/personal things of course.

Thanks again for any suggestions... as to the firewall choice, as well as to any suggestions on the connection path I'm thinking about.
 
You could use a PC (linux) as a firewall, router, dhcp, etc.
 
The only thing that leaves me wondering, and perhaps I just don't totally understand it...

If I use the PC as the router, then can I still run one Ethernet wire from it to a router for splitting off the signals, or do I need multiple ethernet cards installed in the PC to do that?
 
I have used Smoothwall, in the past, on an old PC to act as a firewall, then distributed to various other devices - wireless hub, wired PCs, etc. It is a Linux kernel based firewall, and fairly simple to set up, recognising most popular ethernet cards. I used versions 1 and 2, but now version 3 (Smoothwall Express) is available. I think it is similar to Monowall in functionality.

You require at least 2 ethernet NICs on the Smoothwall, one to connect to your internet (i.e. modem), and another for your LAN. Additional NICs can be set up as DMZ, for instance, if you wish to run a web server.

I now just use a D-link wireless router with its own firewall, it uses a lot less electrical power, takes up less space, and is silent.
 
I agree that you would need two NIC cards. You will want one to be on your public interface and the other to be on a private LAN segment. If you have to make a monetary investment, a 10/100 NIC card is pretty inexpensive. You may be able to make an alias interface, e.g. eth0:1, but I am not certain whether there would be a significant performance penalty or not, as everything would be going into and out of the same NIC card.
 
Oh, I've got plenty of 10/100 cards lying around, and I have at least 1 or 2 10/100/1000 cards. But I suppose that since my connection has been updated to 16 Megabits download, 2 Megabits upload, I still won't max out a 10/100 card anyway. So I can just use the 10/100 cards no problem. [smile]

flyboytim,

You mentioned electricity. How much of a difference was it? I wonder if shutting everything down at night, and only starting it back up in the morning would make the difference better. 99% of the time I don't have anything running when I go to bed anyway... sometimes, but it's rare. I especially try not to leave any computers running in the summertime! Big reason is it's usually pretty warm to hot in the summer here in SC, and my "computer room" is our Florida room/sun room, so I'm running a portable A/C unit out there whenever it's in use.... in the summer.
 
kjv1611, I was assuming that the PC power supply rated at a few hundred watts, two fans running, a pentium II processor, hard drive and a pair of NICs, plus a wireless hub, which kept an otherwise unheated understairs cupboard slightly warm in our British winter, would be using more electricity than a wholly solid state device with a power adapter rated 110-240v 0.2A. :)

Possibly to the tune of several kWh per day.
 
With the electricity piece in mind, are any of the FreeBSD or Linux distros that any of you aware of finicky to reboots of the machine on which they are installed?

If not, then the electricity usage may not be as big of a deal, b/c if I shut it all off most of the time when not being used, that would save some of the electricity off the bat.
 
Smoothwall was very resilient - never had a problem rebooting, even when the shutdown was by pulling the plug or any other power outage. No equivalent of chkdsk, just a normal reboot.

Otherwise reboots and shutdowns (and all other management tasks) can be handled remotely by the web-based management console.

Still, why not ask the experts:


 
One more thought, on the wireless interference front - whatever firewall you end up with, any wirelessly connected computer is going to have some trouble unless you sort it out. Of course, wired connections should give you better bandwidth.

In order to check out your competing wireless networks, the output and range of your router, have you tried inSSIDer?


You might find that a different channel and a relocation of wireless devices will cure the problem.
 
Yeah, I've tried changing the wireless channel, and that didn't make a difference.

Location could always be an issue, and a major one I know - I've just not wanted to mess with it too much, honestly. Before the issues, I had the router at one spot... moved it maybe 1.5 feet lower, and started getting the interference. Then, b/c of that, I moved it back up and a little higher... so about 1.5 feet above where I had it before.. on my wall.. And the interference is no longer as bad, but it's still worse than before. Perhaps I had the sweet spot before, and just didn't think about it.

Regardless, for the wireless front, I've got 2 wireless N adapters coming in the mail to install in our laptops, to replace the wireless G adapters. Once I do that, we'll see if that alone fixes the interference issue. They're both the Intel version that supports up to 450 Mbps IF you have a router that can put out that much... which isn't really available yet. Regardless, it should give more options.

Thanks for that link, though. I don't think I've ever seen that one, looks pretty resourceful.

Glad I mentioned the wireless issues. I actually wasn't really posting here to get help on those, but I thought I'd give the full scope of why I even went down this line of thought - again. [smile]

I suppose I'll try to get the wireless issue sorted out totally first, and then worry about the firewall... maybe... when it comes to things like this at home, I never know for sure what I'm going to mess with until I just go and do it. I suppose that's why my wife gets frustrated sometimes...

She's said at least a few times, something to the extent of: "Why do you always have to change things? Things will be working just fine, and you go and change them."

Yeah, she's happy with my tinkering. [wink] Thankfully, I don't have much time to do too much damage.
 
Almost all Linux distros can use, and are using, iptables for firewalling, etc.

iptables is very powerful and robust.

We run an ISP and web hosting company, and all of our routers and firewalls use iptables.
I can almost say we are one of the few that actually CAN thrive without Cisco.

If you need help, let me know, I could help you setup an iptables config file.

Good luck.
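The two-NIC layout recommended earlier in the thread (one NIC facing the modem, one facing the LAN, firewall policy on the PC itself) and the iptables approach in the post above are what the following script puts together. It is an added example, not code from this thread or from any of the distributions mentioned; the interface names (eth0 on the modem side, eth1 on the LAN side), the LAN subnet 192.168.1.0/24, and the rule set itself are assumptions you would adjust for your own box. The script prints the rule set by default and only executes it when invoked with `apply` as root, so you can review it first.

```shell
#!/bin/sh
# Added example: a minimal stateful two-NIC iptables firewall for the topology
#   Modem -> Linux firewall PC -> router/switch -> clients
# discussed in the thread. Interface names and LAN subnet are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # assumed: NIC plugged into the modem
LAN_IF="${LAN_IF:-eth1}"              # assumed: NIC plugged into the router/switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private LAN behind the firewall

# Emit the rule set as a list of commands. Keeping it as text lets us
# dry-run (print) it, review it, and only then pipe it into a shell as root.
firewall_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $lan -s $net -j ACCEPT
iptables -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $wan -s $net -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}
# Notes on the rules above:
#  - INPUT/FORWARD default to DROP, so a port is only reachable from the
#    modem side if a rule explicitly opens it (none does here).
#  - The FORWARD DROP for packets arriving on the WAN NIC with a LAN source
#    address blocks trivially spoofed traffic.
#  - Management of the firewall itself is only allowed from the LAN NIC.
#  - MASQUERADE gives the LAN outbound access via the firewall's WAN address.

# Number of iptables commands in the generated rule set (used for checking).
rule_count() {
    firewall_rules "$1" "$2" "$3" | grep -c '^iptables'
}

# Dry run unless explicitly told to apply (must be root for that).
if [ "${1:-}" = "apply" ]; then
    firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
else
    firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Run it with no arguments to see the rules, then `sudo sh firewall.sh apply` from a LAN-side machine (or the console) once the interface names match yours. The downstream router in this layout will still do its own NAT unless you switch it to access-point mode, which is worth knowing before troubleshooting port forwards.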
 
Thanks, I'll keep that in mind. I've got my hands so full of several different things right now that it'll likely be a while yet before I can even consider tinkering anyway. We'll see. [smile]
 