A little over a week ago I posted asking about setting up a linux box
between an existing router and a switch in order to provide firewall
service to a subnet of machines. I was curious what experience others
had with this type of setup in terms of machines, configurations, and
the appropriateness of using linux in this manner.
There were basically three issues discussed in replies: hardware
requirements, configuration issues, and alternative options. I'll
cover these in that order.
The consensus seems to be that a PPro, P2, alpha, or newer sparc could
do the job. The main concern seems to be in getting the fastest bus
possible. However, Bryan Davis seems to be having great luck using a
P133.
Bryan Davis <davisb@execpc.com> wrote:
> I work at a large midwest ISP, and we have all our internal employee use
> computers running through a SOCKS5 firewall system. There are about 120
> computers that are running on this firewall on a daily basis through 10/100
> mbit network connections. The system it is running is only a P133 with a
> SCSI hard drive. I run this at home also, and it works very well.
Seifried <seifried@seifried.org> pointed out that the 2.1 kernels seem
to have better network performance. Dave Cinege specifically mentioned
the Linux Router Project (http://www.linuxrouter.org/) and their work
in this area. He points out that traffic characteristics seem to have
a significant impact on the effective throughput:
Dave Cinege <dcinege@psychosis.com> wrote:
> We still don't have any really good network performance benchmark
> figures using LRP [ Linux Router Project ], because we don't have a good
> net benchmark to use. From what I have seen linux chokes a bit on small
> packets, but can do quite well with larger ones. In one example I saw
> the box could only handle 10Mb/s @64bytes, but at 1500byte packets it
> could do 100Mb no problem. I'd say avg traffic is closer to 1500 than it
> is 64. (to further complicate things any firewalling will affect this)
>
> Without question 200Mb/s is quite demanding and a 'real' firewall will
> probably give you better performance. Of course we are talking VERY big
> money for such an item, and maybe $400 to build your own. The question
> is will LRP give adequate performance...I don't know. I do know people
> using it in 100Mb apps (myself included) but don't know people doing so
> at very high load.
As far as configuration is concerned, there were a number of approaches
mentioned. I'm basically going to perform IP filtering only for the
time being, no masquerading or proxies. The linux router project, the
firewall HOWTO, the bridging+firewall HOWTO, and the O'Reilly firewall
book were mentioned among others as good sources for information.
FYI I'm going to try to basically use the kernel firewall support in 2.0
and some proxy arp to get the job done. We'll see...
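The filtering-only plan above (2.0 kernel firewall support plus proxy ARP, no
masquerading, no proxies) sketched as a script. This is an added example, not
part of the original post and not code from any of the respondents or from the
Linux Router Project. The ipfwadm syntax follows ipfwadm 2.3 as documented in
the Firewall HOWTO (check it against your own ipfwadm man page); the interface
names, the 192.0.2.0/24 addresses, the list of published hosts, the mail host
and the use of net-tools route/arp are all assumed placeholders. With DRYRUN=1
(the default) every command is printed instead of executed, so the rule set can
be reviewed on a machine that has neither ipfwadm nor root:

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal "filtering only"
# rule set for a Linux 2.0 box with kernel IP firewalling (ipfwadm) sitting
# inline between the existing router and the switch, using proxy ARP so the
# protected hosts keep their current addresses. Interface names, addresses
# and the host list below are assumed placeholders.

OUTSIDE_IF=eth0            # toward the existing router (assumed)
INSIDE_IF=eth1             # toward the switch / protected subnet (assumed)
INSIDE_NET=192.0.2.0/24    # protected subnet (documentation range, constructed)
ROUTER_IP=192.0.2.1        # the existing router (assumed)
MAIL_HOST=192.0.2.25       # the one inside host that takes inbound SMTP (assumed)
INSIDE_HOSTS="192.0.2.10 192.0.2.11 192.0.2.25"   # published via proxy ARP (constructed)
DRYRUN=1                   # print commands instead of running them

# Every command goes through run(), so DRYRUN=1 turns the script into a
# reviewable listing that works on a machine without ipfwadm or root.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

enable_forwarding() {
    if [ "$DRYRUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

proxy_arp_setup() {
    enable_forwarding
    # Inside-bound traffic leaves via the inside interface; everything else
    # goes to the existing router (how the two interfaces are addressed
    # within the subnet is assumed to already match the router's view).
    run route add -net "${INSIDE_NET%/*}" netmask 255.255.255.0 dev "$INSIDE_IF"
    run route add default gw "$ROUTER_IP" dev "$OUTSIDE_IF"
    # Publish each inside host on the outside (the router then hands us
    # their traffic) and the router on the inside (hosts hand us theirs).
    # net-tools arp: -D takes the hardware address from the named interface.
    for h in $INSIDE_HOSTS; do
        run arp -i "$OUTSIDE_IF" -Ds "$h" "$OUTSIDE_IF" pub
    done
    run arp -i "$INSIDE_IF" -Ds "$ROUTER_IP" "$INSIDE_IF" pub
}

firewall_rules() {
    # Start from a clean forwarding chain with a default deny policy, so
    # anything the rules below do not explicitly permit is dropped.
    run ipfwadm -F -f
    run ipfwadm -F -p deny
    # Anti-spoofing: a packet arriving on the outside interface must not
    # claim an inside source address (-o logs the match).
    run ipfwadm -I -a deny -W "$OUTSIDE_IF" -S "$INSIDE_NET" -o
    # Inside hosts may originate anything.
    run ipfwadm -F -a accept -S "$INSIDE_NET" -D 0.0.0.0/0
    # Inbound TCP only with ACK set (-k): replies to connections the
    # inside opened, never new connection requests.
    run ipfwadm -F -a accept -P tcp -k -S 0.0.0.0/0 -D "$INSIDE_NET"
    # DNS replies from outside resolvers.
    run ipfwadm -F -a accept -P udp -S 0.0.0.0/0 53 -D "$INSIDE_NET"
    # ICMP so path MTU discovery and error reporting keep working.
    run ipfwadm -F -a accept -P icmp -S 0.0.0.0/0 -D "$INSIDE_NET"
    # The single service published to the world: SMTP to the mail host
    # (-y matches the SYN that opens the connection).
    run ipfwadm -F -a accept -P tcp -y -S 0.0.0.0/0 -D "$MAIL_HOST" 25
    # Catch-all: deny and log whatever fell through.
    run ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
}

# rule_count prints how many ipfwadm commands the listing contains, a quick
# sanity check that the listing was generated in full (always in dry-run).
rule_count() {
    ( DRYRUN=1; firewall_rules ) | grep -c '^ipfwadm '
}

case "${1:-}" in
    apply) DRYRUN=0; proxy_arp_setup; firewall_rules ;;
    *)     proxy_arp_setup; firewall_rules ;;
esac
```

Run it with no arguments to see the listing; `sh script.sh apply` as root executes
it. The design point is the order: default deny first, explicit accepts next,
and a logging deny at the end, so a rule you forgot shows up in the kernel log
instead of silently passing. Note that ipfwadm has no connection tracking, so
"established" here means only that the ACK bit is set; any TCP packet with ACK
set addressed to the subnet is accepted.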
Finally the drawbridge system for FreeBSD was mentioned as an
alternative. Some seem to have had better luck with this than with
the linux firewall code. Others seem to be very happy with the
linux implementation.
Wietse Venema <wietse@porcupine.org> wrote:
> Have a look at drawbridge, a filtering bridge that runs at fddi speeds.
>
> ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/
Robert Hardy <rhardy@aurora.carleton.ca> wrote:
> IMHO from what I've seen so far Linux firewalling is still too immature to
> depend on. You could depend on a firewall based on 2.0.x code; however,
> it seems less secure, has a slightly buggy admin tool with a
> difficult interface. A 2.1.x series firewall has more security, a better
> designed system and admin tool but it is based on development code.
>
> We have had our best luck using drawbridge running on freebsd. I'm almost
> certain it will work with FDDI. The card requirements are based on what
> FreeBSD supports.
Jeff Gray <jeffg@provenance.com.au> wrote:
> Definitely. On the grounds of stability, security & cost, it's an excellent
> solution.
>
> [snip]
>
> I've used Linux as a firewall for various companies for the past 4
> years. I've been very happy with it & never had grounds to feel unhappy
> with it from a speed or maintenance point of view. I'm not an expert in
> firewall security, but I've read extensively other people's comments on
> Linux as a firewall & never had grounds to feel that it was insecure
> when properly set up. My system runs essentially forever - I've never
> _had_ to reboot to fix anything & never had it crash.
Thanks to everyone for the responses!
Rob Ross
Parallel Architecture Research Laboratory, Clemson University
mailto:rbross@parl.eng.clemson.edu
http://ece.clemson.edu/parl/rbross/