Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....

Maybe Shoreline with webmin....

Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.

Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
On Mon, 31 Dec 2007 00:13:22 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:

> Well FWbuilder is NOT easy. The documentation does not match

Take a look at FireStarter: http://www.fs-security.com/ It's very easy to set up and use. It's only a front-end for iptables. But watch out, it has its limitations in the scenarios that it can handle. On the other hand, you can use it to generate the iptables rules and then just use it in text mode only.

-- 
Thanks
http://www.911networks.com
When the network has to work
On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:

> Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
>
> Maybe Shoreline with webmin....
>
> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>
> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....

If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.

-- 
-matt
Matt Shields wrote:

> On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
>>
>> Maybe Shoreline with webmin....
>>
>> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>>
>> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
>
> If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.

I noticed the latter, also a PIX module. No, I have not personally needed that costly of a firewall.

Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
Peter Farrell wrote:

> "Problem is I want a REAL router/firewall with little work."
>
> Run a smoothwall installation and replace your CentOS install.
>
> http://www.smoothwall.org/

Well, first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... So have to see what info I can get on their website. Astaro 6 cannot recognize the dongles either. Shorewall still looks like an option. I do have Centos (and DSL) on these units....

> -Peter
>
> On 31/12/2007, Matt Shields <mattboston at gmail.com> wrote:
>
>> On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>>> Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
>>>
>>> Maybe Shoreline with webmin....
>>>
>>> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>>>
>>> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
>>
>> If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
>>
>> --
>> -matt
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
On Mon, 31 Dec 2007, Robert Moskowitz wrote:

> Well FWbuilder is NOT easy.

I disagree but to each his own.

> The documentation does not match the current GUI.

I have not looked at the docs lately, but Vadim used to be pretty good at keeping the docs updated. There is also a mailing list you can subscribe to. As long as you ask intelligent questions you will usually get good answers.

> Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....

To prevent that in the future set the management ip address on the firewall object. That way fwbuilder will always allow ssh access from that machine no matter how bad you hose the rules. Keep in mind that any of the firewall management systems mentioned can/will also lock you out if misconfigured.

> Maybe Shoreline with webmin....
>
> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>
> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....

Why reinvent the wheel? Use what you are comfortable with. For me that is fwbuilder but for you that sounds like it is Astaro.

Regards,

-- 
Tom Diehl tdiehl at rogueind.com
Spamtrap address mtd123 at rogueind.com
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Robert Moskowitz
> Sent: Sunday, December 30, 2007 9:13 PM
> To: CentOS mailing list
> Subject: [CentOS] Firewall frustration
>
> Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
>
> Maybe Shoreline with webmin....
>
> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>
> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....

I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.....:^>

I liked the integration of services in the box, and I likely would have kept it for that one item.

I'll be looking at an IPCOP/Smoothwall/Monowall replacement. I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..) Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400....
William L. Maltby wrote:

> On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
>
>> Peter Farrell wrote:
>>
>>> "Problem is I want a REAL router/firewall with little work."
>>>
>>> Run a smoothwall installation and replace your CentOS install.
>>>
>>> http://www.smoothwall.org/
>>
>> well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
>
> I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ...
>
> http://www.ipcop.org/
>
> Has run/tested successfully on various configurations here. It's another "ditch your CentOS" solution though. But you can put it on any old junk laying around and it'll probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives <= 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax.

As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems....
Dennis McLeod wrote:

>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Robert Moskowitz
>> Sent: Sunday, December 30, 2007 9:13 PM
>> To: CentOS mailing list
>> Subject: [CentOS] Firewall frustration
>>
>> Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
>>
>> Maybe Shoreline with webmin....
>>
>> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>>
>> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
>
> I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.....:^>

For all that it does, you would need it on a pretty hefty box for 10M. But then I have seen LAN-LAN > 10M working here....

> I liked the integration of services in the box, and I likely would have kept it for that one item.
> I'll be looking at an IPCOP/Smoothwall/Monowall replacement.
> I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..)
> Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400....

I run Astaro on a Compaq SFF 1Ghz with 512Mb memory. It has a 4-port 10/100 card as well as the internal ethernet. I use VLANing extensively, as I have ~12 LANs connected to the box. I have the public net on one port, then all the others are plugged into a HP 2650 48-port switch. I can move systems to the subnet I need for whatever testing or production I use. I ONLY use the firewall for packet filtering. No SPAM control, web proxying, etc....
Robert Spangler wrote:

> On Mon December 31 2007 07:58, Robert Moskowitz wrote:
>
>> Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
>
> While IPTABLES might be CHEAP (price) it is a very good firewall.
> Learn to set it up from the command line, it isn't that hard.
> Try the following to learn it;
>
> http://iptables.rlworkman.net/chunkyhtml/index.html
>
> Forget those GUI interfaces.

This might be best for my current needs... thanks
Robert Spangler <mlists at zoominternet.net> wrote:

>> While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. <<

Amen. I've been using CentOS for firewalls here for a long time now, with hand-written rules. Besides, generic firewall configuration tools don't - can't - know about many of the more advanced modules and features of iptables.

Best,

--- 
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Mark Weaver wrote:

> On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> William L. Maltby wrote:
>>
>>> On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
>>>
>>>> Peter Farrell wrote:
>>>>
>>>>> "Problem is I want a REAL router/firewall with little work."
>>>>>
>>>>> Run a smoothwall installation and replace your CentOS install.
>>>>>
>>>>> http://www.smoothwall.org/
>>>>
>>>> well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
>>>
>>> I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ...
>>>
>>> http://www.ipcop.org/
>>>
>>> Has run/tested successfully on various configurations here. It's another "ditch your CentOS" solution though. But you can put it on any old junk laying around and it'll probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives <= 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax.
>>
>> As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems....
>
> have you considered linux that fits on a floppy disk?
>
> http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
>
> http://www.linuxlinks.com/Distributions/Floppy/
>
> http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/
>
> get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about...

Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
Scott Ehrlich wrote:

> On Tue, 1 Jan 2008, Robert Moskowitz wrote:
>
>> Mark Weaver wrote:
>>
>>> On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>
>>>> William L. Maltby wrote:
>>>>
>>>>> On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
>>>>>
>>>>>> Peter Farrell wrote:
>>>>>>
>>>>>>> "Problem is I want a REAL router/firewall with little work."
>>>>>>>
>>>>>>> Run a smoothwall installation and replace your CentOS install.
>>>>>>>
>>>>>>> http://www.smoothwall.org/
>>>>>>
>>>>>> well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
>>>>>
>>>>> I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ...
>>>>>
>>>>> http://www.ipcop.org/
>>>>>
>>>>> Has run/tested successfully on various configurations here. It's another "ditch your CentOS" solution though. But you can put it on any old junk laying around and it'll probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives <= 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax.
>>>>
>>>> As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems....
>>>
>>> have you considered linux that fits on a floppy disk?
>>>
>>> http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
>>>
>>> http://www.linuxlinks.com/Distributions/Floppy/
>>>
>>> http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/
>>>
>>> get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about...
>>
>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
>
> Yes, floppy drives are rare - but they are still incredibly valuable. I've dealt with needing to install drivers from floppy for OSes, and the OSes are looking to floppy.
>
> I've needed DOS' fdisk to get me out of problems at times, and having a bootable copy of DOS on-hand has done the job.
>
> Some BIOS updates are only available from a bootable floppy (won't install to anything else).
>
> Saves time and frustration in having a reusable floppy around than having to sometimes create a bootable CD to put the files on. Reuse the floppy as often as needed.

I have a USB floppy that came with my Toshiba 3490. It is a very valuable part of my 'tool box'.

> Old hardware still exists and is usable, and sometimes only work, or work best, with floppies.
>
> Sometimes "old school" is still "good school".

Talk to me about 'old school'. I sat at my first Teletype in '66 as a Junior in High School, learning Dartmouth Basic... But I am looking at what I can easily travel with, and a floppy is NOT part of a traveling collection. Enough gear to upset TSA as it is.

> We still often use "VT100" or "3270" emulation for remote connectivity... Think about their origins.

Check out who chaired the TN3270E workgroup ;) Want to discuss LU2 management layer? Not really, some things are best left in the dust heap. Along with those 55 Baud Teletypes!
Mark Weaver wrote:

> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
>
> why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.

Of course in my lab, the firewall is an 'older' machine. But I want to learn from this so that when I am at a conference or trade show and need a firewall 'fast', I can put up the services on one of my Centos notebooks.

BTW, WRT 'older' machines. I am looking more at the cost of running these machines (power draw). It is not just a matter of the $0.124/KWH that I pay, but the cost to add another circuit (my NOC shares two circuits that were already running at 50% utilization), and the cost of cooling in the summer (we added a tap into the cold air return system by the rack fans to capture the computer heat for the winter).

I just got the firewall running (see later note) on a decTOP micro PC from which I pulled the 10Gb 3.5" drive and installed a 2.5" 6Gb drive. The system pulls about 10W! Compared to ~100W for some of my Compaq SFFs. Let's see 90W/day = 2.16KWH = ~$0.27/day = ~$97.76/year. That can pay for replacing another old Compaq with another decTOP (well not really as you have to add memory, switch out drives, and add a second USB ethernet dongle; guess the ROI is around 2 years).
Ugo Bellavance wrote:

> Mark Weaver wrote:
>
>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
>>
>> why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>
> I guess he wants it to be portable.
>
> He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot for HD only, cost nothing, and runs with usb ethernet devices.
>
> I really think he should carry an embedded firewall (like a soekris or a wrap) with pfsense on it.

I have enough gear to get through TSA. My next trip will have me carrying 3 laptops (granted 2 are 12" and one 7") and one microITX box. Plus a bunch of USB gizmos, my Bose 2 headphones, etc. And I do carryon, so space is at a premium. The boxes here in the lab are not portable, but the learning has to be.
Chris Mauritz wrote:

> Ugo Bellavance wrote:
>
>> Mark Weaver wrote:
>>
>>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>
>>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
>>>
>>> why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>>
>> I guess he wants it to be portable.
>>
>> He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot for HD only, cost nothing, and runs with usb ethernet devices.
>>
>> I really think he should carry an embedded firewall (like a soekris or a wrap) with pfsense on it.
>
> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.

I have a Dell notebook that functions as my backup Win2000 family finance system. Next project is to see if I can reuse that old Toshiba 4000cdt box ;)
Mark Weaver wrote:

> On Tue, 01 Jan 2008 10:32:14 -0500 Ugo Bellavance <ugob at lubik.ca> wrote:
>
>> I guess he wants it to be portable.
>>
>> He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot for HD only, cost nothing, and runs with usb ethernet devices.
>>
>> I really think he should carry an embedded firewall (like a soekris or a wrap) with pfsense on it.
>>
>> Ugo
>
> well... if he built a live CD that would essentially "be" a portable firewall. Just boot the CD in what ever machine you've got it configured for and off you go.

Bad assumption about an available CD. But bootable USB is an option, and they are cheap enough (check out ecost countdowns), and hold more than a CD. That will be coming next. Centos on a USB drive. DSL on USB is supposedly 'easy'.