[TriLUG] Best appliance for Linux firewall?

Ken Mink ken.mink at gmail.com
Fri Aug 9 13:15:55 EDT 2013


On 8/9/13 6:38 AM, Steve Litt wrote:
> On Thu, 08 Aug 2013 15:12:23 -0400
> Ken Mink <ken.mink at gmail.com> wrote:
>
>> On 08/08/2013 09:57 AM, Brian Henning wrote:
>>> Hi Gang!
>>>
>>> At home, pretty much all my services and stuff run on a single box,
>>> and that box is starting to collapse under the weight.  I'm ready
>>> to start divvying up functions across discrete devices.  First to
>>> go is the firewall; not a heavy-hitter, but easy to carve off.  So,
>>> what do people suggest as the best appliance-form-factor Linux
>>> computer?  Obviously 2+ NICs is the biggest priority.  Here's what
>>> I've considered so far:
>>>
>>> 1) WRT54GL + OpenWRT
>>>     Pros: Inexpensive, solid
>>>     Cons: Don't need another WAP
>>>
>>> 2) Globalscale Mirabox
>>>     Pros: Fast ARM CPU, could host additional services w/ outboard
>>> USB HDD Cons: Globalscale's iffy reputation, relatively unproven
>>> product, more expensive, possible to perma-brick
>>>
>>> 3) ???
>> I use a SheevaPlug with a cheap USB NIC for the second port. It runs
>> DHCP and Bind as well as a home-grown firewall script. It uses an SD
>> card as main storage, so you buy what you think you'll need. It
>> also has a built-in JTAG port, so it's difficult to brick.
>>
>> Ken
> Ken, Do you use the USB NIC on the Internet side of the firewall? Does
> it have enough speed not to be a bottleneck to your broadband
> connection? How much bandwidth are you getting through it?
>
> I hear endless debates about whether or not a USB NIC can carry the
> load, so I'm really glad to meet someone actually doing it.
>
> Thanks,
>
> SteveT
Steve,

The USB NIC is used for the internet side. I've got the 15/1 TWC 
service. I've not done any real testing, but I've also not ever thought 
I'm not getting all that I should.

Something else that I like about the Sheeva: since it's got a built-in 
JTAG (which is USB), I leave it plugged into another machine and I can 
get on the console any time. That can come in handy when you put in a 
bad rule and have blocked SSH or done something equally annoying.

Ken
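The lockout Ken describes (a bad rule cuts off SSH, and you need an out-of-band console to recover) is the classic failure mode of editing a firewall remotely. A software safety net that complements the JTAG console is to apply a new rule set with a rollback timer: the previous rules are saved first, the new ones are loaded, and unless the operator confirms within a short window the old rules are restored automatically. The script below is an added example, not Ken's home-grown firewall script or anything from the TriLUG thread. It assumes a Linux box with `iptables-save`/`iptables-restore`, and the sample rule set it writes uses assumed interface names (`eth0` for the LAN, `usb0` for the USB NIC on the WAN side); adjust both to your hardware.

```shell
#!/bin/sh
# fw-safe.sh: load an iptables rule set with an automatic rollback timer.
#   ./fw-safe.sh rules  > new.rules   # write the sample rule set (constructed example)
#   ./fw-safe.sh apply new.rules      # save current rules, load new ones, start timer
#   ./fw-safe.sh confirm              # cancel the timer once SSH is known to still work
# Commands and paths are overridable via the environment so the script can be dry-run.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
STATE_DIR="${STATE_DIR:-/var/run/fw-safe}"

# Constructed sample rule set in iptables-restore format: default-drop on INPUT and
# FORWARD, allow loopback and established traffic, allow SSH only from the LAN side
# (eth0, assumed), forward LAN -> WAN and masquerade out of the USB NIC (usb0, assumed).
fw_example_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o usb0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
EOF
}

# Save the running rules, load the new file, and arm a background timer that
# restores the saved rules unless fw_confirm cancels it first.
fw_apply() {
    rules="$1"
    mkdir -p "$STATE_DIR"
    $IPTABLES_SAVE > "$STATE_DIR/previous.rules" || return 1
    $IPTABLES_RESTORE < "$rules" || return 1
    (
        sleep "$ROLLBACK_SECS"
        $IPTABLES_RESTORE < "$STATE_DIR/previous.rules"
        rm -f "$STATE_DIR/timer.pid"
    ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "Rules loaded; run 'confirm' within ${ROLLBACK_SECS}s or they roll back."
}

# True while a rollback timer is armed.
fw_pending() {
    [ -f "$STATE_DIR/timer.pid" ]
}

# Cancel the rollback timer; call this from a *new* SSH session so the test is real.
fw_confirm() {
    fw_pending || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
    rm -f "$STATE_DIR/timer.pid"
    echo "Rules confirmed; rollback timer cancelled."
}

case "${1:-}" in
    rules)   fw_example_rules ;;
    apply)   fw_apply "$2" ;;
    confirm) fw_confirm ;;
    "")      : ;;   # no arguments: only define the functions (sourced or under test)
    *)       echo "usage: $0 rules | apply RULES_FILE | confirm" >&2 ;;
esac
```

The important habit is to open a fresh SSH connection after `apply` and run `confirm` from there; confirming from the session that was already open proves nothing, because an established connection is exactly what the new rules may still be allowing while new ones are blocked. Running the rollback step as a background subshell keeps the script dependency-free, but on a box with `at` or a systemd timer those are a more robust way to schedule the restore.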
