[AccessD] NIX Firewalls

Tortise tortise at paradise.net.nz
Sun Jan 4 02:18:10 CST 2009


Hi Gustav

I am sorry this is not Linux, however... do allow me to introduce FreeBSD based http://pfsense.org?

This is a very good industrial level firewall.  Run it from CD, HDD or embedded flash (some addons not possible in flash IDE) - it runs entirely in RAM.  An old PIII would probably be very capable. PII classes are often fine, depending on your intended use and its requirements. Can go P4 class CPU if required....

I do not understand its full capability and haven't configured multiple static IPs to its WAN.

Virtual IP addresses can be set as proxyARP or CARP (or even other, whatever that is).  It seems once a Virtual IP address is set these can be selected for NAT.....

Multiple VPN options.

It is designed for WAN failover (in various modes also), which might be nice.

2009 may well also see VOIP integration, which will indeed make it a very capable piece of kit.

Sir, what else might be your fancy?

I'd be surprised if you can do better than this and would be pleased to hear if so!

Do let me know how you get on!

Kindest regards
David Hingston

PS Declaration of Interest:  No kickback arrangements are in place.


----- Original Message ----- 
From: "Gustav Brock" <Gustav at cactus.dk>
To: <accessd at databaseadvisors.com>
Sent: Saturday, January 03, 2009 10:35 AM
Subject: Re: [AccessD] Linux Server


.....

So you are running a Linux firewall? I guess that is a software firewall running on a Linux box made from standard pc hardware?
We have from time to time been thinking of going this route because we sometimes feel very tired of the limitations of the popular SOHO firewall/router from Zyxel and Draytek while Cisco stuff is too expensive but, to be honest, we don't know where to go and miss the time for serious investigation.

So what are your reasons to go this route, and can you put some recommendations for what software to choose?

A typical scenario not doable with the small routers is where you have eight outer addresses where you wish to be able to route any address and port to one or two internal LANs via NAT or a DMZ. Usually you can route _one_ address and any port to one internal LAN via NAT, or you can route any address and any port to one internal LAN _without_ NAT. Too bad.

/gustav
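For Gustav's eight-outer-address scenario, and David's point that pfSense Virtual IPs can be selected for NAT, here is an added example, not from either message: a hand-written FreeBSD pf.conf fragment in the style of the rules pfSense (which is built on pf) generates underneath its GUI. Interface names, the RFC 5737 public range and the internal addresses are assumed for illustration.

```pf
# Added example: eight public addresses mapped to hosts on a LAN and a DMZ.
ext_if = "em0"   # WAN interface (assumed name)
lan_if = "em1"   # LAN, 192.168.20.0/24 (assumed)
dmz_if = "em2"   # DMZ, 192.168.10.0/24 (assumed)

# The ISP routes 203.0.113.9-17 to the firewall's WAN. Only .9 is configured
# on em0; the others are Virtual IPs. pfSense creates the proxy ARP or CARP
# entries when the VIP is added; on plain FreeBSD a proxy ARP entry is
#   arp -s 203.0.113.10 <em0 MAC> pub
# so the firewall answers ARP for an address it does not own.

# 1:1 NAT (binat): any port of one public address <-> one internal host,
# with the reverse translation applied to that host's outbound traffic.
# This is the "any address and port to an internal host via NAT" case.
binat on $ext_if inet from 192.168.10.20 to any -> 203.0.113.10   # DMZ web server
binat on $ext_if inet from 192.168.10.21 to any -> 203.0.113.11   # DMZ mail server
binat on $ext_if inet from 192.168.20.5  to any -> 203.0.113.12   # host on the LAN

# Port forwards (rdr): one public address, individual ports to different hosts.
rdr on $ext_if inet proto tcp from any to 203.0.113.13 port 22  -> 192.168.20.10 port 22
rdr on $ext_if inet proto tcp from any to 203.0.113.13 port 443 -> 192.168.10.22 port 443

# Outbound NAT for everything else on the LAN and DMZ, via the WAN address.
nat on $ext_if inet from { 192.168.10.0/24, 192.168.20.0/24 } to any -> 203.0.113.9

# Default deny inbound; then permit only the services that were translated.
# In FreeBSD's pf the translation runs before filtering, so the pass rules
# name the internal (post-NAT) addresses, not the public ones.
block in log on $ext_if all
pass in on $ext_if inet proto tcp from any to 192.168.10.20 port { 80, 443 } flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 192.168.10.21 port { 25, 587 } flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 192.168.20.10 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 192.168.10.22 port 443 flags S/SA keep state
pass out on $ext_if inet keep state
```

The binat lines are what the SOHO routers Gustav describes cannot express more than once; the block rule matters because a 1:1 mapping alone exposes every port of the mapped host unless the filter limits what is passed.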


