Firewall - Linux or Router

 
 
Geoff Lane

 
      10-02-2003, 07:20 AM
I've got a small home network, wired and wireless, with a Linux
machine operating as a server for the internet.

I will soon change from my modem to ADSL and get an ADSL modem and
probably a router.

Any comments as to the pros and cons of Linux as a firewall as
opposed to the router's own firewalls.

Geoff Lane



 
Andrew Schulman

 
      10-02-2003, 07:54 AM


> I've got a small home network, wired and wireless, with a Linux
> machine operating as a server for the internet.
>
> I will soon change from my modem to ADSL and get an ADSL modem and
> probably a router.
>
> Any comments as to the pros and cons of Linux as a firewall as
> opposed to the router's own firewalls.


The router will give you basic firewall functionality with very little
hassle. It's easy to set up, and network address translation all by itself
will do 90% of the work by blocking new inbound connections. Most routers
also allow some port-passing rules so you can run some services (e.g. ssh)
on the internet. This is definitely a good way to start.

If you find that you don't have enough control over your firewall
functionality, then with some work you can set up your Linux box as gateway
and firewall, and use your router as strictly a LAN router (and WAP). This
is what I do now, because with iptables I have total control over the
firewall. But it took some work to set up. If you decide to go this
route, have a look at fwbuilder, a GUI for firewall construction. Or, go
balls out: buy and read Linux Firewalls, 2nd ed., by Robert Zeigler, and
do what he says.

Good luck,
Andrew.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"

 
James Knott

 
      10-02-2003, 10:51 AM
Geoff Lane wrote:

> I've got a small home network, wired and wireless, with a Linux
> machine operating as a server for the internet.
>
> I will soon change from my modem to ADSL and get an ADSL modem and
> probably a router.
>
> Any comments as to the pros and cons of Linux as a firewall as
> opposed to the router's own firewalls.


Linux can be much more flexible in what you do with it. I've got both. My
main firewall is Linux, but I have a wireless firewall/router between my
Linux firewall and cable modem. This way, my wireless access is outside my
firewall, which can only be penetrated with ssh or a vpn.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
Geoff Lane

 
      10-02-2003, 12:58 PM
On Thu, 02 Oct 2003 03:54:13 -0400, Andrew Schulman
<(E-Mail Removed)> wrote:

>> I've got a small home network, wired and wireless, with a Linux
>> machine operating as a server for the internet.
>>
>> I will soon change from my modem to ADSL and get an ADSL modem and
>> probably a router.
>>
>> Any comments as to the pros and cons of Linux as a firewall as
>> opposed to the router's own firewalls.

>
>The router will give you basic firewall functionality with very little
>hassle. It's easy to set up, and network address translation all by itself
>will do 90% of the work by blocking new inbound connections. Most routers
>also allow some port-passing rules so you can run some services (e.g. ssh)
>on the internet. This is definitely a good way to start.
>
>If you find that you don't have enough control over your firewall
>functionality, then with some work you can set up your Linux box as gateway
>and firewall,


Thanks for an in-depth reply, the router will allow my handheld device
to access the internet very quickly without having to turn any other
computers on.

My gut reaction is that I'd prefer to route all via a Linux box but,
that does require the Linux computer to be on all the time.

Geoff Lane

 
Vincent Fox

 
      10-02-2003, 02:03 PM
Geoff Lane <(E-Mail Removed)> writes:

*snip*

>My gut reaction is that I'd prefer to route all via a Linux box but,
>that does require the Linux computer to be on all the time.


Power and noise requirements of a full Linux router are
a concern for some. Personally I used a silent low-power
PC to do the job. Took an old Shuttle SV-24 cube and
outfitted it for silent operation. C3-800 with a big
fat Zalman 3100 heatsink, one hard drive no CD-ROM. Replaced
stock power supply with a no-fan unit from mini-box.com.
Only fan is a 92mm spinning at low RPM.
Uses about 20 Watts or so, which compares favorably
to the 7-10 Watts of typical SOHO router but is
much more powerful. Anyone could build something
like this easily, but mine is actually overkill
for what it does. A Via EPIA 5000 or something similar
bought in a package from someplace like caseoutlet.com
would be a bit more turnkey. Here's hoping that the lines
of tiny linux boxes will expand to where they are even
cheaper and easy to find small low-power quiet units.


--
Vincent Fox
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!vf5
Internet: (E-Mail Removed)
 
David Efflandt

 
      10-02-2003, 04:45 PM
On Thu, 02 Oct 2003 08:20:24 +0100, Geoff Lane <(E-Mail Removed)> wrote:
> I've got a small home network, wired and wireless, with a Linux
> machine operating as a server for the internet.
>
> I will soon change from my modem to ADSL and get an ADSL modem and
> probably a router.
>
> Any comments as to the pros and cons of Linux as a firewall as
> opposed to the router's own firewalls.


I originally used Linux for adsl firewall, but got tired of worms and
probes filling firewall logs. So I used a broadband gateway that just let
in ssh, smtp and http. Eventually, my ISP (SBC) tried some new BRAS
hardware/software in place of Redback and many 3rd party routers including
my gateway were incompatible (something about PPPoE over L2TP). Although,
it was no problem for any software pppoe.

So I started using Linux again, and simply disabled logging any dropped
packets (I still log successful internet initiated connections). Because
of the problems with 3rd party routers, my ISP eventually switched back to
Redback, but I stuck with the Linux setup since I run smtp and http.

Using a "Kill A Watt" meter, my 2 older headless PCs (smtp, http,
crunching SETI@home), 1100VA UPS, 350VA UPS, dsl modem, switch/printserver
and WAP in the basement use 140 watts total. I use a wireless laptop for
terminal.

--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
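
The setup Andrew Schulman and David Efflandt describe above (Linux box as gateway and firewall, only ssh, smtp and http let in, dropped packets not logged, internet-initiated connections logged), sketched as an added example that is not part of any poster's message. The interface names `ppp0` and `eth0` and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Linux ADSL gateway.
# Assumed names: ppp0 = PPPoE link to the modem, eth0 = LAN side.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
SERVICES="${SERVICES:-22 25 80}"   # ssh, smtp, http, as named in the thread

gen_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic leaving through the WAN link.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Silent drop: worm and probe noise never reaches the logs.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -j ACCEPT
EOF
    # Log, then accept, each new internet-initiated connection to a service.
    for port in $SERVICES; do
        match="-A INPUT -i $WAN_IF -p tcp --dport $port --syn -m conntrack --ctstate NEW"
        printf '%s\n' "$match -j LOG --log-prefix \"inet-new:$port \""
        printf '%s\n' "$match -j ACCEPT"
    done
    # Everything else from the WAN falls through to the DROP policy, unlogged.
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Print the ruleset only when asked, e.g.:
#   sh gateway.sh --print | iptables-restore --test   (parse without committing)
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Forwarding between the interfaces also needs `net.ipv4.ip_forward=1` set on the gateway.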
 
Geoff Lane

 
      10-02-2003, 10:25 PM
On Thu, 2 Oct 2003 14:03:25 +0000 (UTC), (E-Mail Removed) (Vincent
Fox) wrote:


>*snip*
>
>>My gut reaction is that I'd prefer to route all via a Linux box but,
>>that does require the Linux computer to be on all the time.

>
>Power and noise requirements of a full Linux router are
>a concern for some. Personally I used a silent low-power
>PC to do the job.


Thanks for the suggestion - it is amazing what one can do quite simply
when one puts one's mind to it.

Geoff Lane

 
Geoff Lane

 
      10-02-2003, 10:28 PM
On Thu, 2 Oct 2003 16:45:21 +0000 (UTC), (E-Mail Removed) (David
Efflandt) wrote:

>> I will soon change from my modem to ADSL and get an ADSL modem and
>> probably a router.
>>
>> Any comments as to the pros and cons of Linux as a firewall as
>> opposed to the router's own firewalls.

>
>I originally used Linux for adsl firewall, but got tired of worms and
>probes filling firewall logs. So I used a broadband gateway that just let
>in ssh, smtp and http. Eventually, my ISP (SBC) tried some new BRAS
>hardware/software in place of Redback and many 3rd party routers including
>my gateway were incompatible (something about PPPoE over L2TP). Although,
>it was no problem for any software pppoe.


Ah, that is an interesting slant, that is where the extra flexibility
of the Linux setup comes into its own.

Geoff Lane

 
Sales for IDE-CF flash drive

 
      10-02-2003, 11:09 PM
(E-Mail Removed) (Vincent Fox) wrote in message news:<blhb7d$bnp$(E-Mail Removed)>...
> Geoff Lane <(E-Mail Removed)> writes:
>
> *snip*
>
> >My gut reaction is that I'd prefer to route all via a Linux box but,
> >that does require the Linux computer to be on all the time.

>
> Power and noise requirements of a full Linux router are
> a concern for some. Personally I used a silent low-power
> PC to do the job. Took an old Shuttle SV-24 cube and
> outfitted it for silent operation. C3-800 with a big
> fat Zalman 3100 heatsink, one hard drive no CD-ROM. Replaced


A hard drive draws approx. 10 Watts, including loads in power supply.

> stock power supply with a no-fan unit from mini-box.com.
> Only fan is a 92mm spinning at low RPM.
> Uses about 20 Watts or so, which compares favorably
> to the 7-10 Watts of typical SOHO router but is


One of our customers reports approx. 12 Watts average power with
a C3-800 and 128M Compact Flash drive. The whole box has no
heat or noise. They had to add some power indicators (LEDs)
so that people would not disturb the box while it's running.

....

Compact Flash Drive
http://ide-cf.info-for.us
 
Vincent Fox

 
      10-02-2003, 11:27 PM
(E-Mail Removed) (Sales for IDE-CF flash drive) writes:

>(E-Mail Removed) (Vincent Fox) wrote in message news:<blhb7d$bnp$(E-Mail Removed)>...
>> Geoff Lane <(E-Mail Removed)> writes:
>>
>> *snip*
>>
>> >My gut reaction is that I'd prefer to route all via a Linux box but,
>> >that does require the Linux computer to be on all the time.

>>
>> Power and noise requirements of a full Linux router are
>> a concern for some. Personally I used a silent low-power
>> PC to do the job. Took an old Shuttle SV-24 cube and
>> outfitted it for silent operation. C3-800 with a big
>> fat Zalman 3100 heatsink, one hard drive no CD-ROM. Replaced


>A hard drive draws approx. 10 Watts, including loads in power supply.


I can't resist having a hard drive. Much though I loathe
the failure-prone spinny things, they do come in handy for
one particular thing which is transparent proxy caching!
I use the IPCop router distro and it can cache the web accesses
using squid so that hits from different clients for the same thing
come from the cache instead of the internet. Of course a laptop
drive can reduce the power load a lot, but it is slower and it's
still a likely failure point in the long run.

>> stock power supply with a no-fan unit from mini-box.com.
>> Only fan is a 92mm spinning at low RPM.
>> Uses about 20 Watts or so, which compares favorably
>> to the 7-10 Watts of typical SOHO router but is


>One of our customers reports approx. 12 Watts average power with
>a C3-800 and 128M Compact Flash drive. The whole box has no
>heat or noise. They had to add some power indicators (LEDs)
>so that people would not disturb the box while it's running.


I wish more companies were selling these kinds of things
as prebuilt so I wouldn't feel obligated to roll my own.

I have thought that if I had a little low-power widget
like you describe, but one with enough RAM capability
that it might be fruitful to just make a 1-gig ramdisk
and use that for squid caching. Of course you'd lose content
in a power outage, but it would rebuild after some usage.


--
Vincent Fox
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!vf5
Internet: (E-Mail Removed)
 