Old 07-26-2006, 08:33 PM   #1
mb
Confirmed User
 
Join Date: May 2001
Location: San Diego
Posts: 1,550
Thinking of running a FreeBSD firewall with IPFW2, dual-core dual Opterons...

Anyone have any experience running a box like this as a firewall? We want to create a centrally managed firewall without the use of an expensive piece of Cisco hardware.

Our network consists of mostly large movie files between 10 MB and 1 GB.

The network will get very busy at times. Mainly because of hosted galleries.

Just curious if any of the programs out there use a similar type of firewall. Or any firewall at all.

Please discuss.

thanks,
marc
Old 07-26-2006, 08:57 PM   #2
CS-Jay
Confirmed User
 
 
Join Date: Oct 2003
Location: Command Central, West Palm Beach, Fl
Posts: 1,794
FreeBSD has many firewalls in the ports collection. With a machine like that, I'm sure you'd have no problem at all. Not only can you use FreeBSD for a firewall, you can do load balancing, etc.

inetd is the built-in firewall, and there's tons of info on it out there. I have one running in my office.

if you have any questions, just hit me up.
__________________
I do stuff - aIm CS_Jay_D
Old 07-26-2006, 09:00 PM   #3
Jon Clark - BANNED FOR LIFE
North Coast Pimp
 
Join Date: Dec 2005
Location: 304-534-757
Posts: 9,395
Bump for answers!
Old 07-26-2006, 09:15 PM   #4
fris
Too lazy to set a custom title
 
 
Join Date: Aug 2002
Posts: 55,372
Never used ipfw2, just ipfw.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff
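An added example, not code from the thread, of what an IPFW2 ruleset for the setup marc describes looks like. IPFW2 is the ipfw code base that became the default ipfw in FreeBSD 5.x, so the ipfw(8) syntax below is what the original poster would be writing. The interface names em0/em1, the server prefix 192.0.2.0/24 and the admin host 203.0.113.10 are assumptions for the example. The script follows the /etc/rc.firewall convention of an `fwcmd` variable, so it can be dry-run with `fwcmd=echo` and reviewed before it is pushed to a box.

```shell
#!/bin/sh
# Added example, not code from the thread: an IPFW2 stateful ruleset for a
# FreeBSD box routing between an upstream link and a hosted-server network,
# written in the style of /etc/rc.firewall. Interface names, prefixes and the
# management host are assumptions for the example; adjust them for your site.

fwcmd="${fwcmd:-/sbin/ipfw}"    # set fwcmd=echo to print the rules instead of loading them

ext_if="em0"                    # assumed: upstream link
int_if="em1"                    # assumed: link to the hosted-server network
srv_net="192.0.2.0/24"          # assumed: public prefix of the web servers (TEST-NET-2)
mgmt_host="203.0.113.10"        # assumed: the only host allowed to ssh to the firewall

load_ruleset() {
    ${fwcmd} -q -f flush

    # Loopback is trusted; loopback addresses never belong on the wire.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: our own prefix cannot arrive from upstream, and only our
    # prefix may arrive from the server side.
    ${fwcmd} add 200 deny log ip from ${srv_net} to any in via ${ext_if}
    ${fwcmd} add 210 deny log ip from not ${srv_net} to any in via ${int_if}

    # Consult the dynamic (stateful) rule table before any static rule below:
    # every later packet of a connection that a keep-state rule admitted,
    # on either interface and in either direction, is accepted here.
    ${fwcmd} add 300 check-state

    # Inbound from upstream: only TCP SYNs to 80/443 on the server net create
    # state, and only the admin host may open ssh to the firewall's own
    # addresses ("me").
    ${fwcmd} add 400 allow tcp from any to ${srv_net} 80,443 in via ${ext_if} setup keep-state
    ${fwcmd} add 410 allow tcp from ${mgmt_host} to me 22 in via ${ext_if} setup keep-state

    # Outbound: state is created on the leg where the packet first appears.
    # Servers enter on int_if; the firewall's own packets leave on ext_if.
    # UDP is limited to DNS (and NTP for the firewall itself).
    ${fwcmd} add 500 allow tcp from ${srv_net} to any in via ${int_if} setup keep-state
    ${fwcmd} add 510 allow udp from ${srv_net} to any 53 in via ${int_if} keep-state
    ${fwcmd} add 520 allow tcp from me to any out via ${ext_if} setup keep-state
    ${fwcmd} add 530 allow udp from me to any 53,123 out via ${ext_if} keep-state

    # ICMP echo, unreachable (needed for path-MTU discovery on large
    # transfers) and time-exceeded; all other ICMP hits the final deny.
    ${fwcmd} add 600 allow icmp from any to any icmptypes 0,3,8,11

    # Default deny, logged (needs net.inet.ip.fw.verbose=1; verbose_limit
    # rate-limits the log lines).
    ${fwcmd} add 65000 deny log ip from any to any
}

# Invoked as "sh firewall.sh start" to load, or "sh firewall.sh dry-run"
# to print the rules without touching the kernel.
case "${1:-}" in
    start)   load_ruleset ;;
    dry-run) fwcmd=echo; load_ruleset ;;
esac
```

Because the rule numbers are explicit and the whole set is flushed and reloaded, the same script can be pushed to every firewall over ssh from one place, which is the central management the original post asks for; run `dry-run` on a change before `start`. For large numbers of simultaneous sessions the thing to watch is the dynamic rule table: `ipfw -d list` shows it, and `net.inet.ip.fw.dyn_max` caps its size.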
Old 07-26-2006, 09:21 PM   #5
SinisterStudios
Confirmed User
 
Join Date: Nov 2003
Location: New Joisey
Posts: 3,087
I have gigabit Linux firewalls based on Smoothwall's code; they work like a dream.

Check out Smoothwall.org; the corporate version isn't free, but it isn't expensive either.
__________________
SEOIP.com
Multiple IP Webhosting
Shared and Dedicated IP's - Multiple Class A's - From $1.99/ip
Old 07-26-2006, 09:30 PM   #6
vending_machine
Confirmed User
 
Join Date: Jun 2002
Location: Seattle
Posts: 1,062
What happens when your firewall goes down, is it going to be a single point of failure or are you planning on having 2 boxes?
Old 07-26-2006, 09:32 PM   #7
duckduckgoose
Registered User
 
Join Date: Mar 2006
Location: North Pole
Posts: 82
pf (originally from OpenBSD, but now part of FreeBSD as of 5-RELEASE) is also a great option for building firewalls on FreeBSD. The rule syntax feels more modern, and just makes more sense to me.

Depending on how many (hundreds? thousands?) simultaneous sessions you're planning to have it control and monitor, dual-core dual Opterons may even be overkill. Lots of RAM on a P4 box may surprise you on actual performance. I would also suggest using "hardware-based" network adapters (e.g. ones made by 3Com, Intel) rather than the $5 Realtek cards people often try to throw at this stuff. It makes a big difference in high-load situations, and the hardware-based cards aren't THAT expensive anyway.

More info here on pf :
http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html

Alternatively, you could take a look at some of the "Cisco-killer" open-source routing solutions available now. Vyatta is the big name in open-source router replacements using x86 hardware. These are not some SOHO "D-Link" caliber routing solutions, but rather hardened OSS projects meant to replace Cisco equipment in real environments.

More on Vyatta :
http://www.vyatta.com/
__________________
rRhino.com ...social networking for book fans...
Old 07-26-2006, 10:42 PM   #8
mb
Confirmed User
 
Join Date: May 2001
Location: San Diego
Posts: 1,550
Quote:
Originally Posted by vending_machine
What happens when your firewall goes down, is it going to be a single point of failure or are you planning on having 2 boxes?

Yes, 2 for redundancy.

Thanks for the responses so far.

marc
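An added example, not code from the thread, that ties the pf suggestion above to the two-box redundancy marc confirms here. It emits a pf.conf for the same routed upstream/server-net layout, written with the explicit `flags S/SA keep state` that pf of the FreeBSD 5/6 era required, and the rc.conf lines that make two such boxes a CARP master/backup pair with pfsync replicating the state table over a dedicated link, so that the surviving firewall keeps in-flight downloads alive when the other one dies. The interface names em0/em1/em2, the prefixes, the virtual gateway addresses and the CARP password are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a pf ruleset for the same routed
# upstream/server-net layout, plus the rc.conf lines that pair two such boxes
# with CARP (shared gateway addresses) and pfsync (state-table replication).
# Interface names, prefixes, the virtual addresses and the CARP password are
# assumptions for the example.

ext_if="em0"; int_if="em1"; sync_if="em2"   # assumed; sync_if is a crossover link between the two firewalls
srv_net="192.0.2.0/24"                      # assumed public prefix of the web servers
mgmt_host="203.0.113.10"                    # assumed admin host
ext_vip="203.0.113.1"; int_vip="192.0.2.1"  # assumed shared gateway addresses owned by whichever box is master
carp_pass="change-me"                       # assumed shared secret authenticating CARP advertisements

# Emit /etc/pf.conf. Macro and table names are ours, not from the thread.
pf_conf() {
cat <<EOF
ext_if = "${ext_if}"
int_if = "${int_if}"
sync_if = "${sync_if}"
srv_net = "${srv_net}"
mgmt_host = "${mgmt_host}"
table <webservers> { \$srv_net }

set limit states 200000          # the default of 10000 is low for a busy gallery host
set skip on { lo0 \$sync_if }    # no filtering on loopback or on the pfsync link
scrub in all

block log all
antispoof quick for { \$ext_if \$int_if }

# CARP advertisements between the pair must pass on both filtered interfaces.
pass quick on { \$ext_if \$int_if } proto carp keep state

# Public service: only TCP SYNs to 80/443 on the server net create state.
pass in on \$ext_if proto tcp to <webservers> port { 80 443 } flags S/SA keep state
# Management: ssh from the admin host to this box's own address, not the VIP.
pass in on \$ext_if proto tcp from \$mgmt_host to (\$ext_if) port 22 flags S/SA keep state

# Servers and the firewall itself may open connections out. States are
# floating, so the reply and the other interface's leg match the state.
pass in on \$int_if proto tcp from \$srv_net flags S/SA keep state
pass in on \$int_if proto { udp icmp } from \$srv_net keep state
pass out on \$ext_if proto tcp from (\$ext_if) flags S/SA keep state
pass out on \$ext_if proto { udp icmp } from (\$ext_if) keep state

# Echo, unreachable (path-MTU discovery for large transfers) and time-exceeded.
pass in on \$ext_if inet proto icmp icmp-type { echoreq unreach timex } keep state
EOF
}

# Emit the /etc/rc.conf lines for one box. "master" advertises with advskew 0;
# "backup" advertises with advskew 100 and takes over when the master goes quiet.
rc_conf() {
    skew=0
    [ "$1" = "backup" ] && skew=100
cat <<EOF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="${sync_if}"
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 advskew ${skew} pass ${carp_pass} ${ext_vip}/24"
ifconfig_carp1="vhid 2 advskew ${skew} pass ${carp_pass} ${int_vip}/24"
EOF
}

case "${1:-}" in
    install)  # write and load pf.conf on this box; pfctl -n parses without loading
        pf_conf > /etc/pf.conf
        /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf ;;
    show)     # print both fragments for review: "show master" or "show backup"
        pf_conf; echo; rc_conf "${2:-master}" ;;
esac
```

Run `sh pf-ha.sh show master` for the primary and `show backup` for the standby, append the rc.conf fragment by hand, and set `net.inet.carp.preempt=1` in /etc/sysctl.conf so that one box owns both virtual addresses at a time; without it the external and internal gateways can end up on different boxes and traffic is routed asymmetrically. `pfctl -si` shows the live state count against the `set limit states` value, which is the number to watch on a busy gallery host.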
Old 07-26-2006, 11:11 PM   #9
Spudstr
Confirmed User
 
 
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
pf is the new gift from the gods. Go with this. You can do wonders with pf.
__________________
Managed Hosting - Colocation - Network Services
Yellow Fiber Networks
icq: 19876563
Old 07-27-2006, 05:25 AM   #10
mb
Confirmed User
 
Join Date: May 2001
Location: San Diego
Posts: 1,550
Good morning bump!
Old 07-27-2006, 05:39 AM   #11
micker
Confirmed User
 
Join Date: Nov 2005
Location: Metro Detroit
Posts: 748
That hardware is overkill! If you want any help, feel free to IM me; before I got into adult I designed firewalls, and I'd be glad to help you.

I've made load-balancing, 5-zone, gigabit firewalls on 300 MHz Geode chips; you don't need anything as high-end as what you described. Save it for a server. Take an old Pentium II PC, build it out of that, and then get an old Pentium III box and make a reverse Squid proxy to make things really safe.
Old 07-27-2006, 06:42 AM   #12
Spudstr
Confirmed User
 
 
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
Quote:
Originally Posted by micker
That hardware is overkill! If you want any help, feel free to IM me; before I got into adult I designed firewalls, and I'd be glad to help you.

I've made load-balancing, 5-zone, gigabit firewalls on 300 MHz Geode chips; you don't need anything as high-end as what you described. Save it for a server. Take an old Pentium II PC, build it out of that, and then get an old Pentium III box and make a reverse Squid proxy to make things really safe.

Maybe he's going to slap on OpenVPN and do some VPN sessions. A normal house box, I agree, is overkill, but once you get into VPN sessions it gets more CPU intensive.
Old 07-27-2006, 08:14 AM   #13
mb
Confirmed User
 
Join Date: May 2001
Location: San Diego
Posts: 1,550
Quote:
Originally Posted by micker
That hardware is overkill! If you want any help, feel free to IM me; before I got into adult I designed firewalls, and I'd be glad to help you.

I've made load-balancing, 5-zone, gigabit firewalls on 300 MHz Geode chips; you don't need anything as high-end as what you described. Save it for a server. Take an old Pentium II PC, build it out of that, and then get an old Pentium III box and make a reverse Squid proxy to make things really safe.
I'm enjoying these comments. I'm taking detailed notes and will post some questions soon.

thanks,

marc
Old 07-27-2006, 09:50 AM   #14
SinisterStudios
Confirmed User
 
Join Date: Nov 2003
Location: New Joisey
Posts: 3,087
Quote:
Originally Posted by micker
That hardware is overkill! If you want any help, feel free to IM me; before I got into adult I designed firewalls, and I'd be glad to help you.

I've made load-balancing, 5-zone, gigabit firewalls on 300 MHz Geode chips; you don't need anything as high-end as what you described. Save it for a server. Take an old Pentium II PC, build it out of that, and then get an old Pentium III box and make a reverse Squid proxy to make things really safe.

I agree; one of our Check Point firewalls runs on a dual 2.4 GHz Xeon IBM server and there is never any load on that box even though we push a lot of traffic through it. A system like you described is a bit overkill.
Old 07-27-2006, 10:36 AM   #15
Spudstr
Confirmed User
 
 
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
Quote:
Originally Posted by SinisterStudios
I agree; one of our Check Point firewalls runs on a dual 2.4 GHz Xeon IBM server and there is never any load on that box even though we push a lot of traffic through it. A system like you described is a bit overkill.

Check Point runs native on SPLAT boxes or Nokia IP boxes. Check Point won't create a high load as long as you're doing basic FW/NATting. Start doing heavy amounts of VPN traffic through the tunnels and watch your load creep on up.

Big CPU is only really needed when you're dealing with encryption/decryption, and depending on the keys.

Check Point FTW! But I still prefer the NetScreens overall.
Old 07-27-2006, 07:09 PM   #16
mb
Confirmed User
 
Join Date: May 2001
Location: San Diego
Posts: 1,550
Any other thoughts before I close this one out?

thanks