Paul, you are a man I can both relate to and admire...unfortunately, this client wants to be a numb-butt and he relates $$$$ = quality. It took me years to prove that a Linux box for a file server was better than buying seats on Windows Server 2008...and he still chafes at the idea.

But, yes, I've used many of the now-defunct Linux firewall packages, like Coyote and its derivatives...loved 'em and found them to be rock solid. This client, unfortunately, likes to give tours of his phone closet and drop comments like "...and we spent $5000 on this one little box...<smile>"

<groan>

Mike

-------- Original Message --------
Subject: Re: (NF) Firewall appliance
From: Paul McNett <[email protected]>
To: [email protected]
Date: 5/8/2013 4:44 PM
On 5/8/13 12:10 PM, Mike Copeland wrote:
Anyone have any experience, advice, for perimeter firewalls on a corporate network?
I'm looking at the Cisco and the Fortinet devices. I don't need VPN or spam/virus filtering, just high volume throughput and stability.
Currently using a Cisco (IOS) that, after a year or so of life, is hanging up randomly every 40 or 50 hours.
Thanks for any feedback.

I build linux firewalls from low-end Dell PowerEdge servers. It's like $700 plus 2-4 hours of my time. You get a very configurable firewall with high reliability/stability/security and volume throughput that I've never noticed to be less than acceptable.

The basic recipe is:

Current Ubuntu LTS Server release (12.04 currently)
apt-get install shorewall
drop in and modify boilerplate interfaces, zones, policies, rules, masq
I usually put an OpenVPN endpoint for me to connect through
Failing OpenVPN, I'll open port 22 for SSH
change /etc/default/shorewall to startup=1
service shorewall start

Every week, either automatically or manually, do a "apt-get update; apt-get dist-upgrade" or apt-get install unattended-updates and configure to get the security updates.

I like using general Linux boxes for specific things like this because they can also pull double-duty as local caching dns servers, dhcp servers, web proxies, etc. Also, I get all the maintenance fees instead of some third-party vendor. :)

I started building my own firewalls after getting fed up with every supposedly enterprise-grade firewall I tried at the time (2002 or so; I'm sure there are some superior commercial offerings today).

Paul
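The Shorewall recipe quoted above, turned into a reviewable set of tables, as an added example that is neither part of this thread nor Shorewall's own sample configuration. It writes the five files the recipe names (zones, interfaces, policy, rules, masq) into a directory of your choosing rather than straight into /etc/shorewall, so the result can be checked before `startup=1` is set. The interface names eth0/eth1, the LAN subnet 10.0.0.0/24 and the admin address 203.0.113.10 are assumptions, as is the `check_shorewall_config` helper, which catches the two mistakes most worth catching on a perimeter box: a catch-all REJECT that is not last, and SSH opened to the whole Internet instead of only the admin host. The unattended-updates step is written out too; the Ubuntu package that provides it is called unattended-upgrades.

```shell
#!/bin/sh
# Added example (not from the thread). Generates Shorewall tables following
# the recipe: default-deny from the Internet, LAN allowed out, SSH from the
# Internet restricted to one admin address, OpenVPN reachable so it can take
# over from SSH. Interface names, subnet and admin IP are assumptions.

write_shorewall_config() {
    dir="$1"; admin_ip="${2:-203.0.113.10}"; lan_net="${3:-10.0.0.0/24}"
    mkdir -p "$dir"

    # zones: the firewall itself, the Internet, and the LAN
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: eth0 faces the Internet, eth1 the LAN (assumed names);
    # the anti-spoofing options are what a perimeter box should carry
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
EOF

    # policy: LAN may go out, the box itself may talk anywhere, everything
    # from the Internet is dropped, and the catch-all REJECT must be last
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: explicit exceptions; note the SSH-from-net rule carries a
    # source address, so it is not a blanket hole on port 22
    cat > "$dir/rules" <<EOF
#ACTION  SOURCE              DEST   PROTO  DPORT
SECTION NEW
ACCEPT   loc                 \$FW   tcp    22
ACCEPT   net:$admin_ip       \$FW   tcp    22
ACCEPT   net                 \$FW   udp    1194
EOF

    # masq: NAT the LAN out of the Internet-facing interface
    cat > "$dir/masq" <<EOF
#INTERFACE  SOURCE
eth0        $lan_net
EOF

    # the "get the security updates automatically" step, as the apt config
    # that unattended-upgrades reads (assumed file name 20auto-upgrades)
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Pre-deployment check: catch-all REJECT last, and no ACCEPT rule that
# opens tcp/22 to the bare 'net' zone. Returns 0 when both hold.
check_shorewall_config() {
    dir="$1"
    last_policy=$(grep -v '^#' "$dir/policy" | grep -v '^[[:space:]]*$' | tail -n 1)
    case "$last_policy" in
        all*all*REJECT*) ;;
        *) echo "policy: 'all all REJECT' is not the last line" >&2; return 1 ;;
    esac
    if grep -v '^#' "$dir/rules" \
        | grep -E '^ACCEPT[[:space:]]+net[[:space:]]+\$FW[[:space:]]+tcp[[:space:]]+22' >/dev/null; then
        echo "rules: SSH is open to the entire Internet; add a source address" >&2
        return 1
    fi
    return 0
}

# Usage: write to a scratch directory, inspect, then copy into /etc/shorewall
# and set startup=1 in /etc/default/shorewall once the check passes.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_shorewall_config "$out" 203.0.113.10 10.0.0.0/24
    check_shorewall_config "$out" && echo "config in $out looks sane"
fi
```

The check is deliberately narrow: it does not parse Shorewall syntax, it only confirms the two properties a reviewer would look for first. `shorewall check` (run on the box, against /etc/shorewall) remains the authoritative validation before `service shorewall start`.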




_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
