[unisog] Suggestions for bridging firewall?

Steve Bernard sbernard at gmu.edu
Tue Oct 29 04:46:06 GMT 2002


Peter,

I'll second the OpenBSD suggestion. The bridging code, firewall (pf or ipf),
and IPSEC stack are all very good. Even with the learning curve you should
be up and running within a week, and I'm assuming no BSD-specific experience
(Open, Free, Net). The total job, not including VPN or firewall rules,
requires editing 3 lines and rebooting (see below). The VPN part is the most
technical, assuming you'll want an IPSEC VPN daemon. If VPN won't be used
extensively then something like a PIII 1GHz with 256MB RAM will do just fine
by itself. I recommend hardware encryption acceleration for more demanding
VPN usage. Once you've gained some experience it isn't too hard to create a
firewall that boots off of a CD and runs completely in memory.

You are correct that an appliance will be easier to set up assuming no
experience with either. It really comes down to what you need to accomplish,
how much time you have, and how much you want to spend. You could have an
OpenBSD/FreeBSD/Linux-based bridged firewall up in a week, for about $500
(mobo, CPU, RAM, NICs, floppy, case), if you don't already have usable
parts. I did a quick search on the SonicWall Pro 100, which supports
75Mb/firewall and 20Mb/VPN. This includes 1 VPN client license. The
appliance is $1000, 1 year 8x5 support is $140, a 10-user VPN license is
$230, and VPN client software is $430. So, to protect unlimited nodes at up
to 75Mbps and allow 10 VPN users will cost approximately $1800 initially and
$140 each year after that. Given your scenario both boxes will sit quietly
in a corner or rack and do their thing. With this class of device, what you
get from a vendor is a browser-based GUI, integrated support for SNMP and
RADIUS authentication, and some paid tech support, vs. no firewall-specific
GUI, free tech support, and having to install SNMP and RADIUS support
yourself, if desired. Both require you to use a third-party tool for
reporting. Once you've figured out how to accomplish what you want with
OpenBSD/FreeBSD/Linux, the cost to roll out additional devices is negligible
while the cost of commercial tools keeps multiplying. If you were looking
for gigabit throughput and enterprise-wide reporting and management tools I
would make other suggestions, but with what you've told us, I'd save my
money and go with the Freeware/Open Source tools.

"Give a man a fish; you have fed him for today. Teach a man to fish, and you
have fed him for a lifetime."

Which is quite apropos, seeing as the OpenBSD mascot is a prickly puffer
fish.


OpenBSD: http://www.openbsd.org/
pf: http://www.benzedrine.cx/pf.html

Transparent Packet Filtering with OpenBSD
http://ezine.daemonnews.org/200207/transpfobsd.html

Building an OpenBSD 3.0 firewall with pf
http://www.isber.ucsb.edu/~randall/firewall/openbsd-pf-firewall.html

"Building Linux and OpenBSD Firewalls", Sonnenreich, Yates, et al., Wiley
Press. ISBN 0-471-35366-3


Regards,

Steve Bernard
Systems Engineer, NET
George Mason University


Example (the three lines to edit, then reboot):

/etc/sysctl.conf -> net.inet.ip.forwarding=1
    (turn on IP forwarding in the kernel)
/etc/rc.conf -> pf="YES"
    (start pf and load /etc/pf.conf at boot)
/etc/bridgename.bridge0 -> add <interface 0> add <interface 1> up
    (create bridge0 from the two NICs and bring it up; substitute your
    actual interface names, e.g. as shown by ifconfig -a)

shutdown -r now <- to reboot the computer


-----Original Message-----
From: Peter Ruprecht [mailto:ruprech at jilau1.Colorado.EDU]
Sent: Monday, October 28, 2002 11:25 AM
To: unisog at sans.org
Subject: [unisog] Suggestions for bridging firewall?


Hi,

We're looking for a (stateful) bridging firewall to sit on the 100Mb/s
connection between our department and the rest of campus, which is also
our link out to the open internet.  Normally, our 15-min traffic
average on this connection is less than a few Mb/s, but occasionally we'll
burst up to 60Mb or so.  Does anyone have any recommendations for
solid, easy-to-use products?

I have played around with a Linux box and iptables, but maybe a
commercial appliance would be easier to use and more feature-ful.  Any
insight would be greatly appreciated!

Thanks,
Pete

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Peter Ruprecht
Computing Group, JILA, Rm S220  phone: (303) 492-8255
University of Colorado-Boulder  fax: (303) 492-5235
440 UCB                         email: Peter.Ruprecht at jila.colorado.edu
Boulder, CO 80309-0440          http://jilawww.colorado.edu/~ruprech
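Steve's three-line example above brings the bridge and pf up but, as he says, leaves the firewall rules out. The following /etc/pf.conf is an added illustration, not from either message, of a stateful ruleset for that two-NIC bridge in the pf syntax of the OpenBSD 3.x releases the thread refers to; the interface names fxp0/fxp1 and the department prefix 192.0.2.0/24 are placeholders.

```pf
# /etc/pf.conf for a transparent (bridging) firewall: added example,
# not from the thread. Interface names and the department prefix are
# placeholders; the bridge members normally carry no IP address of
# their own, so manage the box over a separate third NIC or console.
ext_if   = "fxp0"          # bridge member facing campus / the internet
int_if   = "fxp1"          # bridge member facing the department LAN
dept_net = "192.0.2.0/24"  # placeholder for the department's address block

# Normalize fragments and odd TCP options before stateful inspection.
scrub in all

# A bridge sees every frame on both members, so filter once, on the
# campus-facing member, and pass everything unconditionally on the inside.
pass quick on lo0 all
pass quick on $int_if all

# Default deny on the outside member, logged to pflog0 so a reporting
# tool can pick the drops up later.
block in  log on $ext_if all
block out log on $ext_if all

# Inbound: only the services the department actually publishes.
# flags S/SA creates state on the initial SYN only.
pass in on $ext_if proto tcp from any to $dept_net \
    port { 22, 25, 80, 443 } flags S/SA keep state
# Allow echo requests in; the state entry admits the matching reply out.
pass in on $ext_if inet proto icmp from any to $dept_net \
    icmp-type echoreq keep state

# Outbound: department hosts may initiate anything; the state entries
# let the replies back in past the block rules above. modulate state
# rewrites the initial sequence numbers for hosts with weak ISN generators.
pass out on $ext_if proto tcp from $dept_net to any \
    flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from $dept_net to any keep state
```

Load it with pfctl -f /etc/pf.conf (pfctl -nf first to check syntax) and watch decisions with tcpdump -n -e -ttt -i pflog0. Note that pf only sees IP traffic; non-IP frames cross the bridge unfiltered unless the bridge itself is told to block them with the blocknonip option in bridgename.bridge0.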


