[TriLUG] Firewall hardware recommendations?

Chris Hedemark chris at yonderway.com
Tue Aug 14 16:54:29 EDT 2001


Jeremy said:
> I'm interested in setting up a basic firewall to protect a few servers in
> a DMZ-type setup.  We have a locked-down firewall (a vendor's proprietary
> product) for internal computers, but it doesn't have the options for a DMZ
> that I need.  I'm looking to spec-out a basic computer to use for a
> firewall, but budget is VERY minimal.  Of course it will run Linux. :)

I imagine you are looking for a *new* computer and not something recycled?

That said, Intrex has some decent Abit motherboards with IDE RAID onboard
that support the el-cheapo Duron processor.  This is overkill for a firewall
box.  Memory there is now $39 for a 256MB DIMM (PC133 SDRAM).  Get two (read
further for more details).

> Since either iptables or ipchains is kernel based, only processor and
> memory should really matter, right?

Almost anything new is going to easily handle a single T1.

> I'd like to use RAID for
> fault-tolerance, but is software raid with IDE drives okay, since the
> machine doesn't access the disks too much?

Software RAID is generally a miserable thing to deal with, especially in the
event of a hardware failure.  Hardware RAID is far more desirable.  For a
firewall box I think onboard IDE RAID is fine.  SCSI RAID is overkill.

> What processor speed and memory can I get away with?

Cheapest Duron available today.  I'm going to guess that is 700MHz.  If it
is only $5-$10 more for 800MHz why not spend the extra money to speed up
compile time?  If this is a firewall you're going to be recompiling the
kernel often.

For memory I said to get 512MB for two reasons.  One, it's DIRT CHEAP right
now.  Two, you can conserve a lot of bandwidth if you run Squid on your
firewall and route all http traffic through squid.  The more RAM you have
the better squid will work.

> I would classify our
> traffic level as "small to moderate" -- everything is behind a T1 anyway,
> so that limits traffic to some extent.  Maybe 10,000 hits/day on web
> servers, plus other stuff (FTP, some streaming media stuff).  Also, can I
> just use StayOnline's basic $22 netgear card for the Ethernet cards?

The Netgear cards are pretty good.  The 3Com cards they have are great too.
I've had better luck with the 3Com cards being autodetected.  As recently as
Red Hat 6.2 I've had problems with the Netgears being detected in several
boxes.  7.1 seems to have improved autodetection for Netgear cards though.