appliance firewall

 
 
ToddAndMargo
Guest
Posts: n/a

 
      05-07-2009, 11:43 PM
Hi All,

Can anyone recommend an appliance firewall for
a small business? Nice if it had Linux and
iptables inside.

Many thanks,
-T
 
 
 
 
 
ToddAndMargo
Guest
Posts: n/a

 
      05-08-2009, 05:45 AM
Keith Keller wrote:
> On 2009-05-07, ToddAndMargo <(E-Mail Removed)> wrote:
>> Can anyone recommend an appliance firewall for
>> a small business? Nice if it had Linux and
>> iptables inside.
>
> Anything that runs openwrt should work fine as a firewall. What exactly
> do you mean by ''appliance''?


A box that hangs on the wall. Very little user interaction, except
maybe a web page to configure it (or some such).

> Do you want it to do things other than
> firewall/NAT?


Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
NAT *is not* a firewall.

-T
 
 
Thad Floryan
Guest
Posts: n/a

 
      05-08-2009, 09:12 AM
On May 7, 10:45 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
wrote:
> [...]
> Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
> NAT *is not* a firewall.


Then you might want this kind of product:

<http://www.sonicwall.com/>

I've installed 100s over the years and not one has ever been
compromised. Current home/SOHO model is TZ180; my TZ170 has
provided years of infallible service.

Their PRO series work great for medium-sized companies.
 
 
1PW
Guest
Posts: n/a

 
      05-08-2009, 09:48 AM
On 05/08/2009 02:12 AM, Thad Floryan sent:
> On May 7, 10:45 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
> wrote:
>> [...]
>> Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
>> NAT *is not* a firewall.
>
> Then you might want this kind of product:
>
> <http://www.sonicwall.com/>
>
> I've installed 100s over the years and not one has ever been
> compromised. Current home/SOHO model is TZ180; my TZ170 has
> provided years of infallible service.
>
> Their PRO series work great for medium-sized companies.


Hello Thad:

At about $293USD you buy the TZ180. Then, for $490USD per year, you
rent their software and update service. At almost $800USD for the first
year's outlay, the TZ180 needs to do a lot for a SOHO.

Regards,

Pete
--
1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
 
 
Thad Floryan
Guest
Posts: n/a

 
      05-08-2009, 12:21 PM
On May 8, 2:48 am, 1PW <barcrnahgjuvf...@nby.pbz> wrote:
> On 05/08/2009 02:12 AM, Thad Floryan sent:
> > [...]
> > Then you might want this kind of product:
> >
> > <http://www.sonicwall.com/>
> >
> > I've installed 100s over the years and not one has ever been
> > compromised. Current home/SOHO model is TZ180; my TZ170 has
> > provided years of infallible service.
> >
> > Their PRO series work great for medium-sized companies.
>
> Hello Thad:
>
> At about $293USD you buy the TZ180. Then, for $490USD per year, you
> rent their software and update service. At almost $800USD for the first
> year's outlay, the TZ180 needs to do a lot for a SOHO.


It actually does, but one needn't purchase all the options. The
software has been solid for years and I never purchased the long-term
update service especially since there's a great Yahoo support group,
so the only cost (for me) has been the one-time purchase price.

Even their large rackmount units are easy to configure and are
rock-solid, hence the appellation "appliance". Much, much easier to
set up than the comparable products from Cisco and other vendors, and
even setting up a DMZ is trivial.

I was using one of their "SOHO 2" units for about 10+ years on dialup
and Sprint Broadband with VPN, 3DES, etc. and the only reason I sold
that one to a client and bought the TZ-170 was for the higher WAN
speeds I now have available.

The only annoyance is that everything on one's LAN is "seen" as a
node, including printers that use NTP, so a naive person would opt for
the 25 node license instead of the stock 10 node license. What I did
to get around that was place a US$50 Linksys BEFSR41 Version 4.3
between the TZ-170 and my LAN and now the TZ-170 thinks there's only
one node even though I have almost 50 systems here. :-)

FWIW, double-NAT has not caused any problems whatsoever with anything
I do on the 'Net (online banking, web surfing, even online gaming) and
there have been zero intrusions. Also FWIW, the Sonicwall products can
be set to "stealth" mode meaning it doesn't reveal itself on the WAN.

Product longevity, reliability and low cost per year are big pluses.
It's truly a plug'n'play appliance. Mine's been up for 117 days now
and that's only because my local cable provider was offline for a while
one evening back in February when they switched over to DOCSIS 3.0
and I didn't know what happened so I cycled the TZ-170; it normally
will stay up for years because mine is on a UPS.
 
 
Greg Russell
Guest
Posts: n/a

 
      05-08-2009, 05:24 PM
"Keith Keller" <kkeller-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

>> Can anyone recommend an appliance firewall for a small business?
>> Nice if it had Linux and iptables inside.
>
> Anything that runs openwrt should work fine as a firewall. What exactly
> do you mean by ''appliance''? Do you want it to do things other than
> firewall/NAT?


Ironing the clothes and washing the dishes would be nice. <g>

Really though, all seriousness aside, we simply use an old headless computer
with 2 network interfaces running CentOS and iptables, with sshd listening
on the "inboard" interface. One could also have webmin listening, but it's
never been necessary here. ssh and vi[m] handle all our editing needs for
the iptables.


 
Reply With Quote
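
The two-interface iptables box described in the post above, as an added example that is not part of the thread: a NAT-only ruleset beside a default-drop stateful one with sshd reachable only from the inboard interface, and a small audit function that tells them apart. The interface names (eth0 outside, eth1 inboard) and all rules are constructed for illustration.

```sh
# Constructed, abbreviated iptables-save text. Assumed interface names:
# eth0 = outside (WAN), eth1 = "inboard" (LAN).
# Ruleset A: NAT only. Outbound traffic is masqueraded, but every filter
# chain accepts by default, so the box drops nothing by policy.
nat_only() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Ruleset B: same NAT, plus default-drop stateful filtering and sshd
# accepted only on the inboard interface.
stateful() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# audit: read iptables-save text on stdin, print one finding per line.
audit() {
  awk -v lan=eth1 '
    /^:(INPUT|FORWARD) ACCEPT/ { print "policy-accept:" substr($1, 2) }
    /^-A (INPUT|FORWARD) .*--(ct)?state / { st = 1 }
    /^-A INPUT / && /--dport 22 / && /-j ACCEPT/ && !index($0, "-i " lan " ") {
      print "ssh-not-limited-to-inside" }
    END { if (!st) print "no-state-tracking-rule" }
  '
}

for rs in nat_only stateful; do echo "== $rs"; $rs | audit; done
```

On a live box the same function can be fed with `iptables-save | audit`, run as root.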
 
ToddAndMargo
Guest
Posts: n/a

 
      05-08-2009, 06:49 PM
Thad Floryan wrote:
> On May 7, 10:45 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
> wrote:
>> [...]
>> Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
>> NAT *is not* a firewall.
>
> Then you might want this kind of product:
>
> <http://www.sonicwall.com/>
>
> I've installed 100s over the years and not one has ever been
> compromised. Current home/SOHO model is TZ180; my TZ170 has
> provided years of infallible service.
>
> Their PRO series work great for medium-sized companies.


Thank you!
 
 
ToddAndMargo
Guest
Posts: n/a

 
      05-08-2009, 07:03 PM
Greg Russell wrote:
> "Keith Keller" <kkeller-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>> Can anyone recommend an appliance firewall for a small business?
>>> Nice if it had Linux and iptables inside.
>>
>> Anything that runs openwrt should work fine as a firewall. What exactly
>> do you mean by ''appliance''? Do you want it to do things other than
>> firewall/NAT?
>
> Ironing the clothes and washing the dishes would be nice. <g>
>
> Really though, all seriousness aside, we simply use an old headless computer
> with 2 network interfaces running CentOS and iptables, with sshd listening
> on the "inboard" interface. One could also have webmin listening, but it's
> never been necessary here. ssh and vi[m] handle all our editing needs for
> the iptables.


No frozen yogurt?!?!?

A Linux box would be way over their heads. I do this (Linux box)
for other customers, but one does have to know the limitations
of their customers.

-T
 
 
ToddAndMargo
Guest
Posts: n/a

 
      05-08-2009, 07:05 PM
mr.b wrote:
> On Fri, 08 May 2009 05:45:13 +0000, ToddAndMargo pronounced unto the
> world:
>
>> But it must be a *real* firewall.
>> NAT *is not* a firewall.
>
> I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall
>

Hi mr.b,

I have another customer I am trying to convince he needs
a real firewall, not just a $15.00 NAT box.

Do you know of any good references I can point him to?

-T
 
 
Thad Floryan
Guest
Posts: n/a

 
      05-08-2009, 07:25 PM
On May 8, 12:03 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
wrote:
> [...]
> A linux box would be way over their heads. I do this (Linux box)
> for other customers, but one does have to know the limitations
> of their customers.


Exactly why appliances such as the Sonicwall products meet so
many people's needs. I'm not "pushing" Sonicwall's stuff though
I use them; there are other similar products from other vendors
readily available.

Google "firewall appliance" for more choices.

I've been happy with Sonicwall products for over 17 years now.

 