[rescue] RFA: firewall
Jonathan C. Patschke
jp at celestrion.net
Thu Jan 6 17:09:32 CST 2005
On Thu, 6 Jan 2005, Phil Stracchino wrote:
> The hardware: Ultra5, USIIi/333, 256M, 9.1G, three 10/100 interfaces
This is what I'm upgrading to at home, but with less memory.
For reference, my current firewall/NAT/gateway is a SPARCclassic with
24MB of memory and a BigMac Ethernet card. It works. For talking to
the outside world via cable-modem, it's plenty fast enough--just don't
try to log in with ssh v2. :)
> - OpenBSD and PF?
I use OpenBSD. If you're going to use OpenBSD, consider getting another
fxp card for your third interface. The OpenBSD driver for hme does not
perform well under a load. I can get -maybe- 15Mb/s on a 100Mb/s link
(yes, my speed/duplex agree on both ends and my cable is good). With an
fxp in the same machine, I get about 80Mb/s.
Obviously if you're using this for an uplink to a WAN that's slower than
10baseT, this is not a problem.
> What's your recommendations, and why?
I like OpenBSD. It's a small distribution. The attitudes of the team,
though abrasive at times, are very security-conscious. pf is very easy
to understand, even as your configuration grows in complexity.
Also, a nice thing about OpenBSD is that it's been doing IPsec forever,
so if you need a tunnel later, the software's all right there, and it's
well-integrated into the OS instead of being an afterthought, and it's
not a complete PITA like FreeSWAN.
You can't knock the ports, either. Installing something like squid from
the ports Just Works, and is a nice addition to a gateway/firewall. I
should point out that my SPARCclassic is doing this, as well. It's
unhappy, and it swaps a lot, but it's plenty usable. OpenBSD has a
very slim footprint for being such a featureful operating system.
--
Jonathan Patschke ) "I've built my whole system with [-fomit-frame-pointer]
Elgin, TX ( cause it was recommended...as I don't care if a program
USA ) crashes, not interested in finding out why."
( --Tim, Another Satisfied Gentoo User