Re: [SLUG] Firewall Device Opinions
On Wed, 2006-07-12 at 19:59 +1000, Christopher Vance wrote:
> Soekris (US) make the net4801, and PC-Engines (Switzerland) make the
> WRAP. Both companies make a range of boards. Yawarra distributes both
> in Aus with a variety of cases available, and sells wireless cards
> which work well with them. Paul is also a nice guy. :-)

Ah, thanks for the lead, this might be the answer to some of my Linux prayers! The net4801 looks like what I've been trying to find...

-- 
Simon Wong [EMAIL PROTECTED]

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Firewall Device Opinions
On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:
> On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
> > The biggest problem I have come across looking at these is finding
> > something with 3 NICs without spending a fortune on a multiple
> > interface card from Intel.
>
> The soekris and pc-engines wrap both have 3 NICs, and are available
> from Yawarra.

Besides some minor quirks, Linux works well on the Yawarra WRAP and net4801 (which is what I think you mean by soekris, which is just a case style).

A good alternative is pfSense [http://www.pfsense.com/], which is FreeBSD-based.

At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs like a champ.

-- 
Sridhar Dhanapalan {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though. And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.
- Bill Gates at the University of Washington, 1998
Re: [SLUG] Firewall Device Opinions
On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:
> On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:
> > On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
> > > The biggest problem I have come across looking at these is finding
> > > something with 3 NICs without spending a fortune on a multiple
> > > interface card from Intel.
> >
> > The soekris and pc-engines wrap both have 3 NICs, and are available
> > from Yawarra.
>
> Besides some minor quirks, Linux works well on the Yawarra WRAP and
> net4801 (which is what I think you mean by soekris, which is just a
> case style).

Soekris (US) make the net4801, and PC-Engines (Switzerland) make the WRAP. Both companies make a range of boards. Yawarra distributes both in Aus with a variety of cases available, and sells wireless cards which work well with them. Paul is also a nice guy. :-)

I run OpenBSD quite happily from CF on one of each, including firewalling with ipsec and ipv6. If all you're doing is a firewall, you really don't need much CPU. If you want 4 NICs, I believe Commell (Taiwan?) make some stuff, but I believe it's more expensive.

> A good alternative is pfSense [http://www.pfsense.com/], which is
> FreeBSD-based.
>
> At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs
> like a champ.

-- 
Christopher Vance
Re: [SLUG] Firewall Device Opinions
On Wednesday 12 July 2006 19:59, Christopher Vance [EMAIL PROTECTED] wrote:
> On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:
> > On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:
> > > The soekris and pc-engines wrap both have 3 NICs, and are available
> > > from Yawarra.
> >
> > Besides some minor quirks, Linux works well on the Yawarra WRAP and
> > net4801 (which is what I think you mean by soekris, which is just a
> > case style).
>
> Soekris (US) make the net4801, and PC-Engines (Switzerland) make the
> WRAP. Both companies make a range of boards.

I stand corrected. They list Soekris green as a case style/colour, so I took it at face value.

-- 
Sridhar Dhanapalan {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

Using a GUI amounts to hiding the true system modifications from the system administrators and operators. UNIX operators like the sense of control that comes from their ability to modify system tables and configuration files more directly.
- Microsoft, 'Converting a UNIX .COM Site to Windows', 2000-22-08
Re: [SLUG] Firewall Device Opinions
On Tue, Jul 11, 2006 at 09:21:36 +0800, [EMAIL PROTECTED] wrote:
> A lot of work.

Not really. Modifying the case to allow for the extra NIC took the most time; the rest was just Linux installation and configuration, which is quick and easy.

> Satisfying.

Yes.

> About 200M last time I counted, although I used a 30M version in my

285MB, but I'm sure I could reduce that if I really cared :-)

Cheers, John
-- 
I wonder why, when I just did kind of normal things-- some good engineering and just what I wanted to do in life-- why everywhere I go, some people think that I'm some kind of hero or a special person. -- Steve Wozniak
[SLUG] Firewall Device Opinions
Hi

I'm after opinions on the following two options in terms of a straight firewall. Since I have never used OpenWRT devices before I don't have any idea how they rate against a full pc running as a firewall. The options are:

1. OpenWRT on a Linksys device
2. Small form factor pc with some sort of solid state memory running linux.

The only caveat is that it (the fw) has to allow for a DMZ, and may have to run multiple internet (WAN) connections (I am currently investigating/googling whether an OpenWRT device can do this) in the future. Otherwise fairly straight forward. This is for a business environment.

Fil
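The requirements in the post above (a DMZ kept apart from the LAN, and room for a second WAN uplink later) map onto a short iptables and iproute2 script on the "small pc running linux" option. What follows is an added example, not code from the thread or from any project named in it; the interface names, the RFC 5737 documentation addresses, the single published DMZ web host and the SSH-from-LAN-only admin rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Three-interface Linux firewall (LAN, DMZ, two WAN uplinks) for the "small
# pc running linux" option. Added example, not code from the thread; every
# interface name, address and the DMZ web host below is an assumption.
# Run with APPLY=1 as root to load the rules; otherwise only functions are
# defined. Set IPT=echo IP=echo to print the commands instead of running them.

IPT=${IPT:-iptables}
IP=${IP:-ip}

LAN=eth0;  LAN_NET=192.168.1.0/24
DMZ=eth1;  DMZ_NET=192.168.2.0/24;  DMZ_WEB=192.168.2.10
WAN1=eth2; WAN1_GW=203.0.113.1
WAN2=eth3; WAN2_GW=198.51.100.1

# Packet filter: default deny; the box itself is reachable only from the
# LAN; the LAN may initiate anywhere; the DMZ may reach the Internet but
# never the LAN, so a compromised DMZ host cannot pivot inward.
fw_filter() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    $IPT -A FORWARD -i $DMZ -s $DMZ_NET -o $WAN1 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -s $DMZ_NET -o $WAN2 -j ACCEPT

    # The one published service: TCP/80 arriving on either uplink is
    # forwarded to the DMZ web host. Anything else from a WAN falls through
    # to the FORWARD policy. Outbound traffic is masqueraded per uplink.
    for wan in $WAN1 $WAN2; do
        $IPT -t nat -A PREROUTING -i $wan -p tcp --dport 80 \
            -j DNAT --to-destination $DMZ_WEB
        $IPT -A FORWARD -i $wan -o $DMZ -d $DMZ_WEB -p tcp --dport 80 \
            -m state --state NEW -j ACCEPT
        $IPT -t nat -A POSTROUTING -o $wan -j MASQUERADE
    done
}

# Two uplinks. A connection that arrived on WAN2 must be answered via
# WAN2, but when the reply is routed its source is still the DMZ address
# (the reverse NAT happens later, in POSTROUTING), so a rule keyed on
# source network would send it out WAN1. The ingress uplink is therefore
# recorded in the connection mark, restored onto every later packet, and
# policy routing keys on that mark first. Unmarked new outbound traffic is
# split by source network: DMZ via WAN1, LAN via WAN2.
fw_multiwan() {
    for t in 101 102; do
        # Directly connected networks must exist in each table, or a marked
        # packet bound for the DMZ would follow the table's default route.
        $IP route replace $LAN_NET dev $LAN table $t
        $IP route replace $DMZ_NET dev $DMZ table $t
    done
    $IP route replace default via $WAN1_GW dev $WAN1 table 101
    $IP route replace default via $WAN2_GW dev $WAN2 table 102

    $IPT -t mangle -A PREROUTING -i $WAN1 -m state --state NEW \
        -j CONNMARK --set-mark 1
    $IPT -t mangle -A PREROUTING -i $WAN2 -m state --state NEW \
        -j CONNMARK --set-mark 2
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark

    $IP rule add pref 100 fwmark 1 table 101
    $IP rule add pref 100 fwmark 2 table 102
    $IP rule add pref 200 from $DMZ_NET table 101
    $IP rule add pref 200 from $LAN_NET table 102
    $IP route flush cache
}

if [ "${APPLY:-0}" = 1 ]; then
    fw_filter
    fw_multiwan
fi
```

Run it with IPT=echo IP=echo to read the rule set before loading it, and with APPLY=1 as root to load it. The ip rule lines are not idempotent: delete them (ip rule del pref 100 and ip rule del pref 200, twice each) before running the script a second time. The CONNMARK half is what makes DNAT survive a second uplink; without it, a request that came in on WAN2 for the DMZ web host would be answered out WAN1, and the connection would never complete.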
Re: [SLUG] Firewall Device Opinions
On Mon, Jul 10, 2006 at 05:45:51 +1000, Phil Scarratt wrote:
> 2. Small form factor pc with some sort of solid state memory running
> linux.

I'm doing this at home. I'm running a cut-down ubuntu dapper installation, initially installed as a breezy server then any packages I didn't need removed, followed by a dist-upgrade to dapper when it was released. It has about 200 packages and uses less than 300MB of flash.

The h/w is one of those VIA PCs that Vini Engel was selling a month or two ago. I've added a PCI NIC (an SMC card which was small enough to fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ. It took some work to install the PCI NIC -- there were no holes in the back of the case for it and the power connector was a bit too close to the PCI slot, but it wasn't hard, just fiddly.

It runs off a 512MB CF card via a CF-IDE adapter, because although the board has a CF slot the BIOS can't boot from it. Apparently there is a BIOS upgrade available but I couldn't find it easily, and the CF-IDE adapter wasn't expensive enough for me to care.

The box has a fan, but it's very quiet. I could probably disconnect it without anything overheating, but the noise is insignificant -- there are other much more noisy things in the room :-)

I did make a few changes to reduce the number of writes to the CF card to extend its life:

- mount / noatime
- use tmpfs for /tmp (with a max size limit so it can't take all the RAM)
- no swap
- syslog to a LAN host and stop syslog being restarted each day if there are no local log files (causes a write to /dev)
- change ntp.conf so that the drift file is in /tmp and copy it to /var once a week if it's changed (and on boot/shutdown).

I think that was all.

> The only caveat is that it (the fw) has to allow for a DMZ, and may
> have to run multiple internet (WAN) connections (I am currently

I don't know whether any of the VIA motherboards have more than one PCI slot. If not, you'd need to use a case with enough room for a larger PCI card with more than one network port, or use a USB ethernet adaptor.

Cheers, John
-- 
Nothing is perfect. Not even Windows sucks perfectly. -- Jay Maynard
Re: [SLUG] Firewall Device Opinions
On Mon, 2006-07-10 at 17:45 +1000, Phil Scarratt wrote:
> 2. Small form factor pc with some sort of solid state memory running
> linux.

The biggest problem I have come across looking at these is finding something with 3 NICs without spending a fortune on a multiple interface card from Intel.

Another issue seems to be that they are sold as whole units; you can't replace many parts or even the MoBo without returning the whole unit.

-- 
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] Firewall Device Opinions
Phil Scarratt wrote:
> Hi
>
> I'm after opinions on the following two options in terms of a straight
> firewall. Since I have never used OpenWRT devices before I don't have
> any idea how they rate against a full pc running as a firewall. The
> options are:
>
> 1. OpenWRT on a Linksys device
> 2. Small form factor pc with some sort of solid state memory running
> linux.
>
> The only caveat is that it (the fw) has to allow for a DMZ, and may
> have to run multiple internet (WAN) connections (I am currently
> investigating/googling whether an OpenWRT device can do this) in the
> future. Otherwise fairly straight forward. This is for a business
> environment.

The DMZ might be a problem for the WRT54GL since they only have three routable interfaces (wireless, Internet and LAN). I don't think that the four 100Base-TX ports are independently routable. You could certainly work around that -- such as having a DMZ tunnel.

My testing has the WRT54GL running out of grunt at around 45Mbps of large packet traffic. So I wouldn't use it as a firewall for anything more than an ADSL link, otherwise denying service is just a matter of sending a lot of back-to-back small packets.

I'm very impressed by the OpenWRT software -- the packaging is really well thought out and it is a joy to use. We use it for access points, since we want them to run IPv6, which isn't supported by the manufacturer's firmware.
Re: [SLUG] Firewall Device Opinions
<quote who="Phil Scarratt">
> I'm after opinions on the following two options in terms of a straight
> firewall. Since I have never used OpenWRT devices before I don't have
> any idea how they rate against a full pc running as a firewall.
>
> The only caveat is that it (the fw) has to allow for a DMZ, and may
> have to run multiple internet (WAN) connections (I am currently
> investigating/googling whether an OpenWRT device can do this) in the
> future. Otherwise fairly straight forward. This is for a business
> environment.

So, OpenWRT is rad if you want a fairly complete Debian-style environment on your router, but if you would prefer to have a replacement for the normal firmware that has way more features and a much groovier web admin console, try dd-wrt. It handles DMZ, setting up the ports differently, etc.

- Jeff

-- 
linux.conf.au 2007: Sydney, Australia http://lca2007.linux.org.au/

It's the most fun I've had without the use of a water-based lubricant. - Stephen Fry on directing his first film
Re: [SLUG] Firewall Device Opinions
On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
> The biggest problem I have come across looking at these is finding
> something with 3 NICs without spending a fortune on a multiple
> interface card from Intel.

The soekris and pc-engines wrap both have 3 NICs, and are available from Yawarra.

-- 
Christopher Vance
Re: [SLUG] Firewall Device Opinions
On Tuesday 11 July 2006 01:29, [EMAIL PROTECTED] wrote:
> > 2. Small form factor pc with some sort of solid state memory running
> > linux.
>
> I'm doing this at home. I'm running a cut-down ubuntu dapper
> installation, initially installed as a breezy server then any packages
> I didn't need removed, followed by a dist-upgrade to dapper when it was
> released. It has about 200 packages and uses less than 300MB of flash.
>
> The h/w is one of those VIA PCs that Vini Engel was selling a month or
> two ago. I've added a PCI NIC (an SMC card which was small enough to
> fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ. It took
> some work to install the PCI NIC -- there were no holes in the back of
> the case for it and the power connector was a bit too close to the PCI
> slot, but it wasn't hard, just fiddly.
>
> It runs off a 512MB CF card via a CF-IDE adapter, because although the
> board has a CF slot the BIOS can't boot from it. Apparently there is a
> BIOS upgrade available but I couldn't find it easily, and the CF-IDE
> adapter wasn't expensive enough for me to care.
>
> The box has a fan, but it's very quiet. I could probably disconnect it
> without anything overheating, but the noise is insignificant -- there
> are other much more noisy things in the room :-)
>
> I did make a few changes to reduce the number of writes to the CF card
> to extend its life:
>
> - mount / noatime
> - use tmpfs for /tmp (with a max size limit so it can't take all the RAM)
> - no swap
> - syslog to a LAN host and stop syslog being restarted each day if
>   there are no local log files (causes a write to /dev)
> - change ntp.conf so that the drift file is in /tmp and copy it to
>   /var once a week if it's changed (and on boot/shutdown).
>
> I think that was all.
>
> > The only caveat is that it (the fw) has to allow for a DMZ, and may
> > have to run multiple internet (WAN) connections (I am currently
>
> I don't know whether any of the VIA motherboards have more than one
> PCI slot. If not, you'd need to use a case with enough room for a
> larger PCI card with more than one network port, or use a USB ethernet
> adaptor.

A lot of work. Satisfying.

http://www.ltsp.org does it more elegantly:
- main FS is RO
- /tmp is RAM
- writable stuff sym-linked to /tmp, eg logs, dynamic xorg.conf etc

About 200M last time I counted, although I used a 30M version in my olive-pickers (5s boot, wireless) http://tigger.ws/vtigger/main.php?g2_itemId=3985 (I don't use X here)

James
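John's list of write-reducing changes (noatime root, a size-capped tmpfs on /tmp, no swap, the ntp drift file kept in RAM and copied out rarely) and the read-only-root layout James points to are easy to get slightly wrong in /etc/fstab, and a mistake only shows up when the CF card dies. The script below is an added example, not code from the thread or from LTSP; it audits an fstab against those points and carries the drift-file copy as a function. The two sample fstabs are constructed for the example, and the paths are assumptions.

```shell
#!/bin/sh
# Flash-wear audit for a CF-booted firewall, following the write-reduction
# list in John's message and the read-only root layout James points to.
# Added example, not code from the thread; the two fstab samples below are
# constructed for it, and all paths are assumptions.

# Constructed sample: the flash-friendly layout (passes the audit).
SAMPLE_GOOD='# / is read-only with noatime, /tmp is a capped tmpfs, no swap
/dev/hda1  /      ext2   ro,noatime             0 1
tmpfs      /tmp   tmpfs  size=32m,nosuid,nodev  0 0
proc       /proc  proc   defaults               0 0'

# Constructed sample: a stock install (three findings).
SAMPLE_BAD='/dev/hda1  /      ext3   errors=remount-ro      0 1
tmpfs      /tmp   tmpfs  defaults               0 0
/dev/hda2  none   swap   sw                     0 0'

# audit_fstab FILE: print one line per write-amplifying setting and return
# the number of findings, so a return of 0 means the layout is flash-friendly.
audit_fstab() {
    problems=0
    have_tmp=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        case "$mnt:$type" in
            /:*)
                # ro implies no atime updates, so either option is fine.
                case ",$opts," in
                    *,noatime,*|*,ro,*) ;;
                    *) echo "root: mounted without noatime or ro ($opts)"
                       problems=$((problems + 1)) ;;
                esac ;;
            /tmp:tmpfs)
                have_tmp=1
                # An uncapped tmpfs lets a runaway log fill the RAM instead.
                case ",$opts," in
                    *,size=*) ;;
                    *) echo "/tmp: tmpfs without a size= limit"
                       problems=$((problems + 1)) ;;
                esac ;;
            *:swap)
                echo "swap on $dev: every page-out is a flash write"
                problems=$((problems + 1)) ;;
        esac
    done < "$1"
    if [ "$have_tmp" -eq 0 ]; then
        echo "/tmp: not on tmpfs"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# sync_drift SRC DST: copy the ntp drift file from RAM to flash only when
# its contents changed, so a weekly cron job costs at most one write.
sync_drift() {
    [ -f "$1" ] || return 0
    if [ ! -f "$2" ] || ! cmp -s "$1" "$2"; then
        cp "$1" "$2" && echo "updated $2"
    fi
}

# Stand-alone use: audit the fstab given on the command line.
if [ $# -gt 0 ]; then
    audit_fstab "$1"
fi
```

Run it as sh audit.sh /etc/fstab on the box; the exit status is the number of findings, which makes it usable from a build script. The syslog point in John's list is deliberately not checked here, since it lives in syslog.conf and the daily restart logic rather than in fstab.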
Re: [SLUG] Firewall Device Opinions
Christopher Vance wrote:
> On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
> > The biggest problem I have come across looking at these is finding
> > something with 3 NICs without spending a fortune on a multiple
> > interface card from Intel.
>
> The soekris and pc-engines wrap both have 3 NICs, and are available
> from Yawarra.

VIA also make a motherboard with 2 NICs and a PCI slot. ELX sell boxes with these in them I believe.

Thanks for the comments. The general consensus (and from my searching) seems to be there is not much difference between the embedded type and the full pc type as long as the embedded type chosen has a processor capable of maintaining a high enough throughput of packets for the chosen application.

Fil