[TriLUG] Slightly-OT: Firewalls
Ron Kelley
rkelleyrtp at gmail.com
Mon Apr 18 21:40:10 EDT 2011
For what it's worth, pfSense has both DNS and DHCP functions built-in. And, you *can* run snort as long as you have enough horsepower. As mentioned before, I have a *few* pfSense firewalls running in the field that easily handle firewall + ipSec + DNS + DHCP + RRD graphing + SNMP + ... With the right hardware, you can even configure your pfSense box to become a wireless access point.
For me, the biggest advantage of pfSense is usability. Once you understand how to configure firewall rules, configuring VIPs, site-to-site ipSec connections, failover pfSense boxes, DDNS, etc. becomes a snap. Plus, there are a ton of add-on packages for pfSense including snort, haproxy, squid proxy, country block, FreeSwitch, ...
I used to strictly be a Cisco ASA person until I found pfSense. Now, I must have a very convincing argument to get a Cisco ASA instead of a pfSense box.
Oh, did I mention pfSense is free?
-Ron
On Apr 18, 2011, at 9:23 PM, Matt Flyer wrote:
> On Mon, 2011-04-18 at 22:22 +0000, Alexey Toptygin wrote:
>> On Mon, 18 Apr 2011, Jonathan Woodbury wrote:
>>
>>> I'm a big fan of using commodity hardware for firewalls and routers.
>>> I personally haven't gotten into a distribution purpose built for this
>>> task. Everything I've done has been using Debian and its standard
>>> repository of packages, usually iptables/ip6tables, radvd, racoon,
>>> ipsec-tools, openvpn, tc, and ntop. The performance was great, the
>>> feature set was enormous, and I could backup, monitor, and manage the
>>> device just like all the other Linux servers in my network.
>>
>> This is what I do as well. I usually also run bind for DNS recursion, ISC
>> dhcpd3 for handing out DHCP leases, and hostapd and bridge-utils for
>> WLANs. Now that I'm familiar with these tools, I find it only takes a few
>> hours to whip up a new system from spare parts.
>>
>> Alexey
> First, I would like to thank everyone for their input. I hadn't
> considered using a PC for this purpose and didn't even realize that
> there are distributions dedicated to this purpose.
>
> This last response is making me wonder about the feasibility of using
> one of the existing servers as the firewall in addition to its other
> functions (email and web). I have the two servers already working as
> DHCP and DNS servers, backing each other up. The traffic load is such
> that on average I am using a fraction of one percent of the server
> capability. (On the one machine I may increase the memory a little bit,
> but in sheer throughput it isn't even sweating). It looks like the
> requirements are rather modest. pfSense calls for 200MHz processor and
> 128Mb of memory. ClearOS is a little more intensive suggesting a 1 Gig
> processor with 512Mb-1Gig of ram for 5-10 years. It points out that
> intrusion detection is a little intensive, so it may not be wise to run
> snort on the same machine as the firewall.