Linux firewall on P166

 
 
Varun Sinha

 
      08-14-2003, 08:05 AM
I was planning to run an ipchains/iptables based firewall for my
network on a P166, 64MB RAM with 3 SCSI2 HDDs. I was wondering,
however, if that was enough of a machine to run it. That's all I plan
for it to be - a bare bones Linux install (Debian/RedHat) that runs a
firewall.

Is that enough horsepower?

Thanks,

Varun
 
 
 
 
 
Luca Sasdelli

 
      08-14-2003, 09:06 AM
Varun Sinha wrote:
> I was planning to run an ipchains/iptables based firewall for my
> network on a P166, 64MB RAM with 3 SCSI2 HDDs. I was wondering,
> however, if that was enough of a machine to run it. That's all I plan
> for it to be - a bare bones Linux install (Debian/RedHat) that runs a
> firewall.


I'm not fully sure that such a setup could be enough, especially
regarding the amount of RAM; the CPU should be always fine.
Try to keep as few running services as you can, provide much RAM if you
find some spare SIMMs or - better - use IpCop www.ipcop.org, that makes use
of a specially-tailored kernel. I've installed one on a 486DX4-100 and 32MB
RAM and it works; it is quite slow with the admin webpages, but no impact on
traffic.

Ciao
Luca
--
Luca Sasdelli
Microsoft MVP - Networking, Windows NT/2000/XP
http://mvp.support.microsoft.com


 
 
James Knott

 
      08-14-2003, 11:00 AM
Varun Sinha wrote:

> Is that enough horsepower?
>


It's more than enough. My current firewall runs on a Pentium 166 MHz and
runs about 99% idle. My previous firewall ran on a 486 DX2-66 and was
typically 94% idle.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
AlV

 
      08-14-2003, 01:17 PM
Varun Sinha wrote:
> I was planning to run an ipchains/iptables based firewall for my
> network on a P166, 64MB RAM with 3 SCSI2 HDDs. I was wondering,
> however, if that was enough of a machine to run it. That's all I plan
> for it to be - a bare bones Linux install (Debian/RedHat) that runs a
> firewall.
>
> Is that enough horsepower?


Should be more than enough, if you intend just firewalling with this box.

I personally use a P133, 72 MB RAM and 2 HD (one 640MB IDE and one 2GB SCSI).

This box is used as:
firewall (IPTables/Netfilter)
mailbox (fetchmail to my ISP)
HTTP Proxy (Squid)
DNS server (dnsmasq, very good piece of code !)
NTP server (chrony)
and it is connected to my Alcatel Speedtouch USB ADSL modem.

And it's still asking for (a little bit) more ;o)

Here is what top gave me (just now):
top - 15:14:19 up 17 days, 22:41, 3 users, load average: 0.38, 0.29, 0.22
Tasks: 46 total, 1 running, 45 sleeping, 0 stopped, 0 zombie
Cpu(s): 14.9% user, 0.6% system, 0.0% nice, 84.5% idle
Mem: 70668k total, 68284k used, 2384k free, 24268k buffers
Swap: 78620k total, 37704k used, 40916k free, 10508k cached

 
 
Luca Sasdelli

 
      08-14-2003, 04:50 PM
/dev/rob0 wrote:

> It certainly is. The minimum requirement for a Linux firewall is the
> minimum hardware requirement for the Linux kernel itself: 386 CPU, 4MB
> RAM. It's difficult to do much with 4MB RAM, but 8MB is adequate and
> 16MB is overkill.


:-)

> Admin webpages? What's all this?


By mentioning IpCop, it uses a web interface to administer configuration and
services; it should be used only at installation time, and only each time a
service needs to have specific ports or NAT mods; therefore, it shouldn't
run all the time, but it's part of the system.

IpCop appears to me to be a quite good solution with small machines, just
because, for security reasons, its kernel is really a hard cut-down of a
Linux one, thus having only the basic needed services, and as a side effect
it uses very few system resources and it can easily fit on a very slow PC.

Ciao
Luca

--
Luca Sasdelli
Microsoft MVP - Networking, Windows NT/2000/XP
http://mvp.support.microsoft.com


 
 
Timo Voipio

 
      08-14-2003, 06:20 PM
Varun Sinha wrote:

> I was planning to run an ipchains/iptables based firewall for my
> network on a P166, 64MB RAM with 3 SCSI2 HDDs. I was wondering,
> however, if that was enough of a machine to run it. That's all I plan
> for it to be - a bare bones Linux install (Debian/RedHat) that runs a
> firewall.


P150, 8 GB ATA-33 HDD, 32 MB ram. Debian 3.0, kernel 2.4.18. Ran iptables
firewall, qmail, fetchmail, spamd, apache, sshd, courier-imapd... the only
occasion when I would've liked more powerful system was when I recompiled my
kernel five times in a row...

HTH...

--
Timo Voipio | Helsinki, Finland | ICBM at: 60 11.800 N 024 52.760 E
GeekCode ver 3: GU>CC d s-: a--- C++ UL(+)$>+++$ P+>+++ L++(+) E- W++ N++
o? K? w O M- V- PS PE Y+ PGP+ t 5++ X R tv- b++(++++) DI+ D G e- h! r !y
Remove +newsharvested to e-mail me | Poista +newsharvested jos meilaat

 
 
Patrick Cronin

 
      08-14-2003, 07:50 PM
Short answer. YES. Long answer, see below.

Varun Sinha wrote:

> I was planning to run an ipchains/iptables based firewall for my
> network on a P166, 64MB RAM with 3 SCSI2 HDDs. I was wondering,
> however, if that was enough of a machine to run it. That's all I plan
> for it to be - a bare bones Linux install (Debian/RedHat) that runs a
> firewall.

(Hoping I don't get lynched)
Do you *have* to use a Linux?
OpenBSD was designed primarily for secure firewall/routing, runs on most
old hardware, and has a smaller footprint than most of the Linux distros
I've installed.
http://www.openbsd.org

If Linux is the only way for you, I'd go with the recommendation of another
poster and go with Slackware. A friend of mine has been running Slack for
as long as I can remember, and he keeps trying to convert me. ;-)$

> Is that enough horsepower?


Definitely. A 486/66 32MB firewalled a T1 for a tech school I attended years
ago. There was no difference in bandwidth from before it was installed to
after, and as a bonus, it was set as a transparent firewall, so the
admins/students didn't have to change any settings.

--PC
"Of course, that's just my opinion. I might be wrong"
 
 
fwxpqargv@hjqtgo.com.lx

 
      08-15-2003, 05:42 AM
|> IpCop appears to me being a quite good solution with small machines, just
|> because, for security reasons, its kernel is really a hard cut-down of a
|
|You do not seem to understand. You can customise a Linux kernel for ANY
|machine running ANY distro. I made reference to that before. Do you

Luca has the usual confusion with a Linux kernel and a Linux distro.
--

 
 
kgqgrj@hhgfbw.com.vz

 
      08-15-2003, 07:51 AM
|IMHO, if a user asks for a given hardware capability, probably it's not the
|case to post a detailed kernel compilation description, what to enable and
|what don't and so on; this topic I think could be seen further in thread.
|But this is just my meaning, and I can be wrong as anybody else. Therefore,
|I suggest IpCop because it's simply ready to run with minimal resources for
|*that* purpose.

Yes, but what you claimed was that the IPCop kernel was tuned to be
small. The reason IPCop has a small footprint is not because the kernel
is especially small but because the number of servers available is
limited. The IPCop kernel uses loadable modules, like most other
distros. I can make RH run on little memory too, but I'd have to disable
the GUI, turn off various servers, etc. IPCop has already removed all of
that, you don't get the choice anymore. Also I think the recent IPCop
uses uClibc and busybox instead of glibc. I can do that with RH too, but
it would be extra work. It's all user space stuff that's taking up the
memory and disk, not the kernel per se.

Now it might be true that the older IPCop distros were smaller because
they used 2.2 kernels, but the recent 1.3 distro has gone to 2.4.

|If your opinion is that I don't have enough knowledge, is just your fault,
|not mine :-)

Just a confusion in terminology on your part perhaps.
--

 
 
James Knott

 
      08-15-2003, 01:28 PM
/dev/rob0 wrote:

> Admin webpages? What's all this? You're talking about running another
> service. A 386 with 8MB can manage bash and iptables fine. Mine also did
> dhcpd and ntpd for all my local machines.


For security reasons, it's not a good idea to run anything more than
necessary on a firewall. The more that's running, the greater potential
for security problems.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
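
Added example, not part of any post in this thread: one way to check the "run nothing more than necessary" advice on a firewall box is to compare its network listeners against an explicit allowlist. The sample `ss` output, the function names and the allowlist (`tcp/22` for SSH administration only) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: report network listeners on a firewall box that are not on
# an explicit allowlist. Sample data is constructed, not taken from the thread.

# Constructed `ss -H -tulnp` output for a hypothetical box running the kind of
# extra services posters mention (dnsmasq, chrony, Squid, sshd).
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=412,fd=4))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("chronyd",pid=398,fd=5))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=377,fd=3))
tcp LISTEN 0 128 192.168.1.1:3128 0.0.0.0:* users:(("squid",pid=455,fd=11))
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=412,fd=5))
tcp LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=501,fd=13))
EOF
}

# unexpected_listeners "<proto/port> ..."   (reads ss output on stdin)
# Prints "proto/port address process" for every listener that is reachable
# from the network (not loopback-only) and absent from the allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        proto = $1; local = $5
        port = local; sub(/.*:/, "", port)            # text after the last colon
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next  # loopback-only socket
        key = proto "/" port
        if (key in ok) next                           # explicitly permitted
        name = "unknown"                              # no process info without root
        if (match($0, /\(\("[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4)
        print key, addr, name
    }' | LC_ALL=C sort -u
}

# Assumed policy: only SSH for administration may listen on the firewall.
# On a live system: ss -H -tulnp | unexpected_listeners "tcp/22"
sample_ss_output | unexpected_listeners "tcp/22"
```

Each line printed is a service to remove, rebind to loopback or the internal interface, or add to the allowlist deliberately.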
 