Re: [CentOS] Theoretical Firewall Specs?

2012-01-18 Thread kalinix
On Wed, 2012-01-18 at 05:44 -0700, Craig White wrote:

> On Tue, 2012-01-17 at 20:51 -0800, John R Pierce wrote:
> > On 01/17/12 6:38 PM, Craig White wrote:
> > > On Tue, 2012-01-17 at 20:24 -0500, Ryan Wagoner wrote:
> > >
> > >> >  http://en.wikipedia.org/wiki/AES_instruction_set
> > >> >  
> > > 
> > > something to keep in mind... wikipedia will be dark Wednesday, Jan 18th
> > > on account of their joining the stop SOPA protest.
> > >
> > > http://sopastrike.com/
> > >
> > > for the next 32 hours, linky goodness might be less than goodness.
> > 
> > rumor has it, the mobile wiki stays up..
> > 
> > http://en.m.wikipedia.org/ 
> 
> appears to be the case (mobile functions, normal web doesn't).
> 
> By the way, a trip to the regular Wikipedia site is useful in that it
> provides an easy path for those in the US to contact their elected
> representatives.
> 
> Craig
> 
> 


You can still access wiki articles: the pages load normally, only there
is a script at the end that redirects them to the 'dark page'. Reloading the
page then stopping the load (stop, esc) before running the script let me
read the article I was looking for.


HTH,
-- 


Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=
because of network lag due to too many people playing deathmatch
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Theoretical Firewall Specs?

2012-01-18 Thread Craig White
On Tue, 2012-01-17 at 20:51 -0800, John R Pierce wrote:
> On 01/17/12 6:38 PM, Craig White wrote:
> > On Tue, 2012-01-17 at 20:24 -0500, Ryan Wagoner wrote:
> >
> >> >  http://en.wikipedia.org/wiki/AES_instruction_set
> >> >  
> > 
> > something to keep in mind... wikipedia will be dark Wednesday, Jan 18th
> > on account of their joining the stop SOPA protest.
> >
> > http://sopastrike.com/
> >
> > for the next 32 hours, linky goodness might be less than goodness.
> 
> rumor has it, the mobile wiki stays up..
> 
> http://en.m.wikipedia.org/ 

appears to be the case (mobile functions, normal web doesn't).

By the way, a trip to the regular Wikipedia site is useful in that it
provides an easy path for those in the US to contact their elected
representatives.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: [CentOS] Theoretical Firewall Specs?

2012-01-18 Thread Benjamin Hackl
Dear Jason,

On Tue, 17 Jan 2012 15:36:09 -0800
"Jason T. Slack-Moehrle"  wrote:

> How does one determine the specs for a firewall?

Depends on your requirements. If you just want some port
filtering/forwarding it can be done by low power Atom machines or
even some old hardware (Pentium 2 possibly even older). ARM, MIPS
are also fine but check if your software/OS runs on that very special
architecture. If it is a mission critical firewall I'd recommend buying
new hardware instead of reusing your ten year old Pentium 3. If
you need new memory it's often cheaper to buy 8 GB of RAM instead of 1,
2 or 4GB nowadays.

Don't skimp on network adapters! 10$ adapters are usually not built
for 24/7 usage.

If you want to do deep packet inspection, (i.e. antispam, antivirus,
etc.) you should invest in decent (!) hardware.

If you'd like to access your firewall remotely you should consider a
remote management card like ILO, DRAC.

UPS, diesel motor, failover cluster, how much money do you have? ;-)

Brgds


-- 
Freundliche Gruesse/Best Regards
Benjamin Hackl
IT/Administration

Media FOCUS Research Ges.m.b.H.
Maculangasse 8, 1220 Wien Austria
Tel: +43 1 258 97 01-295
b.ha...@focusmr.com


Re: [CentOS] Theoretical Firewall Specs?

2012-01-18 Thread Giles Coochey
On Wed, January 18, 2012 00:52, John R Pierce wrote:
>
> I'd expect with a firewall-centric OS distribution like pfSense, a dual
> core 2-3Ghz I3 could easily keep up with gigE and quite complex rule
> sets, several network zones.  No storage requirements at all, unless you
> plan on keeping your logging local on the firewall.   to maintain gigE
> throughput you'll want to use server grade NICs and not cheap desktop
> ones.  If you're using a lot of VPN encryption, more and/or faster CPU
> cores would be useful.  a few 100MB of ram is plenty for 100s of 1000s
> of concurrent connections, so unless you're doing other ram intensive
> stuff like Snort or NetTop, 1GB ram would be plenty.
>
pfsense will generally run just fine without any swapping with 160Mb of
memory. I'd recommend no more than 256Mb.



Re: [CentOS] Theoretical Firewall Specs?

2012-01-17 Thread John R Pierce
On 01/17/12 6:38 PM, Craig White wrote:
> On Tue, 2012-01-17 at 20:24 -0500, Ryan Wagoner wrote:
>
>> >  http://en.wikipedia.org/wiki/AES_instruction_set
>> >  
> 
> something to keep in mind... wikipedia will be dark Wednesday, Jan 18th
> on account of their joining the stop SOPA protest.
>
> http://sopastrike.com/
>
> for the next 32 hours, linky goodness might be less than goodness.

rumor has it, the mobile wiki stays up..

http://en.m.wikipedia.org/ 



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] Theoretical Firewall Specs?

2012-01-17 Thread Craig White
On Tue, 2012-01-17 at 20:24 -0500, Ryan Wagoner wrote:

> http://en.wikipedia.org/wiki/AES_instruction_set
> 

something to keep in mind... wikipedia will be dark Wednesday, Jan 18th
on account of their joining the stop SOPA protest.

http://sopastrike.com/

for the next 32 hours, linky goodness might be less than goodness.

Craig




Re: [CentOS] Theoretical Firewall Specs?

2012-01-17 Thread Ryan Wagoner
On Tue, Jan 17, 2012 at 6:52 PM, John R Pierce  wrote:

> a pure firewall at gigE speeds really doesn't need that much ram and
> only a fair-to-middling processor.  more than 2 cores would likely be
> wasted.   It's when you start layering other server functionality on top
> of the firewall system is when you need more hardware.
>
> I'd expect with a firewall-centric OS distribution like pfSense, a dual
> core 2-3Ghz I3 could easily keep up with gigE and quite complex rule
> sets, several network zones.  No storage requirements at all, unless you
> plan on keeping your logging local on the firewall.   to maintain gigE
> throughput you'll want to use server grade NICs and not cheap desktop
> ones.  If you're using a lot of VPN encryption, more and/or faster CPU
> cores would be useful.  a few 100MB of ram is plenty for 100s of 1000s
> of concurrent connections, so unless you're doing other ram intensive
> stuff like Snort or NetTop, 1GB ram would be plenty.
>

pfSense and Vyatta are both excellent platforms to build a firewall on.
Vyatta has a command line interface and IPv6 support. pfSense has a web
interface with good rrd graphs. Give them both a try and see what works
best. There is always the Cisco ASA 5510 if you can deal with the price
tag. I've hit a bug once or twice in Vyatta where a config change didn't
work until I rebooted. I haven't had that happen with Cisco.

I have been using Vyatta with a Supermicro Atom D525 motherboard, dual port
Intel gigabit nic, 2GB of memory, and 4GB Transcend SSD. If you go with the
Supermicro front I/O case the bottom holes of a 40mm fan will line up with
the vent in the back of the case. I know these are rated to run without a
fan, but even a low airflow fan will drop the CPU 20-30F. You can build one
of these for around $550 and the power usage comes in at 21 watts.

If you need encryption the Core i5 and higher have the AES instruction set.
The list of supporting software is on the wiki below. Openssl is on the
list with patches, not sure if an official build with these has been
released.

http://en.wikipedia.org/wiki/AES_instruction_set

Ryan


Re: [CentOS] Theoretical Firewall Specs?

2012-01-17 Thread John R Pierce
On 01/17/12 3:36 PM, Jason T. Slack-Moehrle wrote:
> So, the more I look at various ways to lay out my infrastructure, the more I 
> am thinking about specs for hardware.
>
> Starting with firewalling.
>
> How does one determine the specs for a firewall?
>
> What I mean is:
>
> 1. motherboard/CPU - p4? Dual-Core? Intel i3, i5, i7?
>
> 2. RAM? 4gb? 8gb? More? 32gb?
>
> 3. Obviously GB Nics!
>
> I am bringing about 300gb of traffic a month right now and I expect that to 
> increase significantly with my next offerings.
>
> Obviously one answer is to buy a beefy motherboard that supports lots of RAM 
> and add more as needed, but where does one start out?
>
> How do I know if my firewall would need more RAM?
>
> How do I know if the CPU is good enough?

a pure firewall at gigE speeds really doesn't need that much ram and 
only a fair-to-middling processor.  more than 2 cores would likely be 
wasted.   It's when you start layering other server functionality on top 
of the firewall system is when you need more hardware.

I'd expect with a firewall-centric OS distribution like pfSense, a dual 
core 2-3Ghz I3 could easily keep up with gigE and quite complex rule 
sets, several network zones.  No storage requirements at all, unless you 
plan on keeping your logging local on the firewall.   to maintain gigE 
throughput you'll want to use server grade NICs and not cheap desktop 
ones.  If you're using a lot of VPN encryption, more and/or faster CPU 
cores would be useful.  a few 100MB of ram is plenty for 100s of 1000s 
of concurrent connections, so unless you're doing other ram intensive 
stuff like Snort or NetTop, 1GB ram would be plenty.



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast
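
One way to measure the sizing points discussed in this thread on a running box, added here as an example and not part of any poster's message: John's point about RAM for concurrent connections and CPU for forwarding, and Ryan's point about the AES instruction set for VPN encryption. It assumes an x86 Linux firewall using netfilter with nf_conntrack loaded (older kernels expose the counters under different paths); the function names and the optional file-path arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Each function reads the live kernel
# interface by default; pass a file path to run it against a saved copy.

# has_aesni [cpuinfo-file]: succeeds if the x86 CPU flags include "aes".
has_aesni() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# conntrack_pct [count-file] [max-file]: how full the connection-tracking
# table is, in percent. When it reaches 100 the kernel drops new
# connections, so this is the RAM-side limit to watch.
conntrack_pct() {
    count=$(cat "${1:-/proc/sys/net/netfilter/nf_conntrack_count}") || return 1
    max=$(cat "${2:-/proc/sys/net/netfilter/nf_conntrack_max}") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# softirq_pct [stat-file]: since-boot share of CPU time spent in softirq,
# which is where the kernel does packet receive and filtering work.
# Fields on the "cpu" line: user nice system idle iowait irq softirq steal.
softirq_pct() {
    awk '$1 == "cpu" { for (i = 2; i <= 9; i++) t += $i
                       printf "%d\n", $8 * 100 / t }' "${1:-/proc/stat}"
}

# firewall_headroom: print all three readings for the local machine.
firewall_headroom() {
    if has_aesni; then
        echo "AES instructions: present"
    else
        echo "AES instructions: absent (VPN crypto runs without them)"
    fi
    echo "conntrack table: $(conntrack_pct)% full"
    echo "softirq CPU share since boot: $(softirq_pct)%"
}

# Run against the live system only when asked to: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    firewall_headroom
fi
```

A conntrack table that stays near full, or a softirq share that keeps climbing under normal load, is the signal that the box needs more memory headroom or more CPU.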



[CentOS] Theoretical Firewall Specs?

2012-01-17 Thread Jason T. Slack-Moehrle
So, the more I look at various ways to lay out my infrastructure, the more I am 
thinking about specs for hardware.

Starting with firewalling.

How does one determine the specs for a firewall? 

What I mean is:

1. motherboard/CPU - p4? Dual-Core? Intel i3, i5, i7?

2. RAM? 4gb? 8gb? More? 32gb?

3. Obviously GB Nics!

I am bringing about 300gb of traffic a month right now and I expect that to 
increase significantly with my next offerings. 

Obviously one answer is to buy a beefy motherboard that supports lots of RAM 
and add more as needed, but where does one start out? 

How do I know if my firewall would need more RAM?

How do I know if the CPU is good enough?

I still go back to my Cisco PIX days where these devices were amazing on just 
256MB of RAM. We piloted a large chunk of Cornell University's Lab Of 
Ornithology on 2 of these, but now-a-days it seems that a PIX would not be good 
enough. Is it because the nature of the internet and data and attacks has 
changed over time? more aggressive?

-Jason

