Thinking of running a FreeBSD firewall with IPFW2, dualcore dual opterons... - GoFuckYourself.com

mb · 07-26-2006, 08:33 PM

Anyone have any experience running a box like this as a firewall? We want to create a centrally managed firewall without the use of an expensive piece of Cisco hardware.

Our network consists of mostly large movie files between 10megs and 1gig.

The network will get very busy at times. Mainly because of hosted galleries.

Just curious if any of the programs out there use a similar type of firewall. Or any firewall at all.

Please discuss.

thanks,
marc

CS-Jay · 07-26-2006, 08:57 PM

freebsd has many firewalls in the ports collection. With a machine like that, I'm sure you'd have no problem at all. Not only can you use freebsd for a firewall, you can do do load balancing, etc.

inetd is the built in firewall, and there's tons of info on it out there. I have one running in my office.

if you have any questions, just hit me up.

Jon Clark - BANNED FOR LIFE · 07-26-2006, 09:00 PM

Bump for answers!

fris · 07-26-2006, 09:15 PM

neverd used ipfw2, just ipfw.

SinisterStudios · 07-26-2006, 09:21 PM

I have gigabit linux firewalls based on Smoothwalls code, they work like a dream.

Checkout Smoothwall.org, the corp version isnt free but it isnt expensive either

vending_machine · 07-26-2006, 09:30 PM

What happens when your firewall goes down, is it going to be a single point of failure or are you planning on having 2 boxes?

duckduckgoose · 07-26-2006, 09:32 PM

pf (originally from OpenBSD, but now part of FreeBSD as of 5-RELEASE) is also a great option for building firewalls on FreeBSD. The rules syntax feels more modern, and just makes more sense to me.

Depending on how many (hundreds? thousands?) of simultaneous sessions you're planning to have it control and monitor, dualcore dual opterons may even be overkill. Lots of RAM on a P4 box may surprise you on actual performance. I would also suggest using "hardware-based" network adapters (eg ones made by 3com, Intel) rather than the $5 Realtek cards people often try to throw at this stuff. It makes a big difference in high load situations, and the hardware based cards aren't THAT expensive anyways.

More info here on pf :
http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html

Alternately, you could take a look at some of the "Cisco-killer" open-source routing solutions available now. Vyatta is the big name in open-source router replacements using x86 hardware. These are not some SOHO "D-link" caliber routing solutions, but rather hardened OSS projects meant to replace Cisco equipment in real environments.

More on Vyatta :
http://www.vyatta.com/

mb · 07-26-2006, 10:42 PM

Quote:

Originally Posted by vending_machine

What happens when your firewall goes down, is it going to be a single point of failure or are you planning on having 2 boxes?

Yes, 2 for redundancy.

Thanks for the responses so far.

marc

Spudstr · 07-26-2006, 11:11 PM

pf is the new gift from gods. go with this. You can do wonders with PF.

mb · 07-27-2006, 05:25 AM

Good morning bump!

micker · 07-27-2006, 05:39 AM

thats hardware is overkill! if youy want any help feel free to IM me, before I got into adult designed firewalls, and I'd be glad to help you.

I've made load balancing, 5 zone, gigabit firewalls on 300mhz geode chips, you dont need anything as high end as what you described.... Save it for a server... take an old pentium2 pc, build it outa that, and then get an old pentium 3 box and make a reverse squid proxy to make things really safe...

Spudstr · 07-27-2006, 06:42 AM

Quote:

Originally Posted by micker

thats hardware is overkill! if youy want any help feel free to IM me, before I got into adult designed firewalls, and I'd be glad to help you.

I've made load balancing, 5 zone, gigabit firewalls on 300mhz geode chips, you dont need anything as high end as what you described.... Save it for a server... take an old pentium2 pc, build it outa that, and then get an old pentium 3 box and make a reverse squid proxy to make things really safe...

maybe he's going to slap on openVPN and do some VPN sessions.. a normal house box.. agree is over kill but once you get into vpn sessions.. it gets a less more cpu intensive

mb · 07-27-2006, 08:14 AM

Quote:

Originally Posted by micker

thats hardware is overkill! if youy want any help feel free to IM me, before I got into adult designed firewalls, and I'd be glad to help you.

I've made load balancing, 5 zone, gigabit firewalls on 300mhz geode chips, you dont need anything as high end as what you described.... Save it for a server... take an old pentium2 pc, build it outa that, and then get an old pentium 3 box and make a reverse squid proxy to make things really safe...

I'm enjoying these comments. I'm taking detailed notes and will post some questions soon.

thanks,

marc

SinisterStudios · 07-27-2006, 09:50 AM

Quote:

Originally Posted by micker

thats hardware is overkill! if youy want any help feel free to IM me, before I got into adult designed firewalls, and I'd be glad to help you.

I've made load balancing, 5 zone, gigabit firewalls on 300mhz geode chips, you dont need anything as high end as what you described.... Save it for a server... take an old pentium2 pc, build it outa that, and then get an old pentium 3 box and make a reverse squid proxy to make things really safe...

I agree, we have one of our checkpoint firewalls runs on a dual 2.4ghz xeon ibm server and there is never any load on that box even though we push alot of traffic through it. A system like you described is a bit overkill

Spudstr · 07-27-2006, 10:36 AM

Quote:

Originally Posted by SinisterStudios

I agree, we have one of our checkpoint firewalls runs on a dual 2.4ghz xeon ibm server and there is never any load on that box even though we push alot of traffic through it. A system like you described is a bit overkill

checkpoint runs native on splat boxes or Nokia IP boxes. Checkpoint wont create a high load as long as your doing basic FW/Natting. Start doing heavy amounts of VPN traffic through the tunnels. Watch your load creep on up

big cpu is only needed really when your dealing with encryption/decrption and depending on the keys.

Checkpoing FTW! but i still prefer the netscreens overall.

mb · 07-27-2006, 07:09 PM

any other thoughts before I close this one out?

thanks

07-26-2006, 08:33 PM	#1
mb Confirmed User Join Date: May 2001 Location: San Diego Posts: 1,550	Thinking of running a FreeBSD firewall with IPFW2, dualcore dual opterons... Anyone have any experience running a box like this as a firewall? We want to create a centrally managed firewall without the use of an expensive piece of Cisco hardware. Our network consists of mostly large movie files between 10megs and 1gig. The network will get very busy at times. Mainly because of hosted galleries. Just curious if any of the programs out there use a similar type of firewall. Or any firewall at all. Please discuss. thanks, marc

07-26-2006, 08:57 PM	#2
CS-Jay Confirmed User Join Date: Oct 2003 Location: Command Central, West Palm Beach, Fl Posts: 1,794	freebsd has many firewalls in the ports collection. With a machine like that, I'm sure you'd have no problem at all. Not only can you use freebsd for a firewall, you can do do load balancing, etc. inetd is the built in firewall, and there's tons of info on it out there. I have one running in my office. if you have any questions, just hit me up. __________________ I do stuff - aIm CS_Jay_D

07-26-2006, 09:15 PM	#4
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,372	neverd used ipfw2, just ipfw. __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

07-26-2006, 09:21 PM	#5
SinisterStudios Confirmed User Join Date: Nov 2003 Location: New Joisey Posts: 3,087	I have gigabit linux firewalls based on Smoothwalls code, they work like a dream. Checkout Smoothwall.org, the corp version isnt free but it isnt expensive either __________________ SEOIP.com Multiple IP Webhosting Shared and Dedicated IP's - Multiple Class A's - From $1.99/ip

07-26-2006, 09:32 PM	#7
duckduckgoose Registered User Industry Role: Join Date: Mar 2006 Location: North Pole Posts: 82	pf (originally from OpenBSD, but now part of FreeBSD as of 5-RELEASE) is also a great option for building firewalls on FreeBSD. The rules syntax feels more modern, and just makes more sense to me. Depending on how many (hundreds? thousands?) of simultaneous sessions you're planning to have it control and monitor, dualcore dual opterons may even be overkill. Lots of RAM on a P4 box may surprise you on actual performance. I would also suggest using "hardware-based" network adapters (eg ones made by 3com, Intel) rather than the $5 Realtek cards people often try to throw at this stuff. It makes a big difference in high load situations, and the hardware based cards aren't THAT expensive anyways. More info here on pf : http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html Alternately, you could take a look at some of the "Cisco-killer" open-source routing solutions available now. Vyatta is the big name in open-source router replacements using x86 hardware. These are not some SOHO "D-link" caliber routing solutions, but rather hardened OSS projects meant to replace Cisco equipment in real environments. More on Vyatta : http://www.vyatta.com/ __________________ rRhino.com ...social networking for book fans...

07-26-2006, 09:00 PM	#3
Jon Clark - BANNED FOR LIFE North Coast Pimp Join Date: Dec 2005 Location: 304-534-757 Posts: 9,395	Bump for answers!

07-26-2006, 09:30 PM	#6
vending_machine Confirmed User Join Date: Jun 2002 Location: Seattle Posts: 1,062	What happens when your firewall goes down, is it going to be a single point of failure or are you planning on having 2 boxes?

07-26-2006, 11:11 PM	#9
Spudstr Confirmed User Industry Role: Join Date: Jan 2003 Location: In a Tater Patch Posts: 2,321	pf is the new gift from gods. go with this. You can do wonders with PF. __________________ Managed Hosting - Colocation - Network Services Yellow Fiber Networks icq: 19876563

07-27-2006, 05:25 AM	#10
mb Confirmed User Join Date: May 2001 Location: San Diego Posts: 1,550	Good morning bump!

07-27-2006, 05:39 AM	#11
micker Confirmed User Join Date: Nov 2005 Location: Metro Detroit Posts: 748	thats hardware is overkill! if youy want any help feel free to IM me, before I got into adult designed firewalls, and I'd be glad to help you. I've made load balancing, 5 zone, gigabit firewalls on 300mhz geode chips, you dont need anything as high end as what you described.... Save it for a server... take an old pentium2 pc, build it outa that, and then get an old pentium 3 box and make a reverse squid proxy to make things really safe...

07-27-2006, 07:09 PM	#16
mb Confirmed User Join Date: May 2001 Location: San Diego Posts: 1,550	any other thoughts before I close this one out? thanks