Firewalls
-
My Cisco PIX firewall died a couple of weeks ago. To immediately solve my Internet security, I downloaded Mandrake MultiNetwork Firewall (MNF), which uses Shorewall and iptables. Installation and setup on a dual Ethernet card PII/233 with 128 MB RAM (which was lying around unused) took about 15 minutes. By default, it had all traffic restricted. Adding IP masquerading (PAT) for external Internet access, adding static NATs for my servers and putting in appropriate access rules took another 10 minutes. Including the download, CD writing, installation and configuration, it took me 2 hours to finish it. It has been running great ever since. It never uses more than 10% CPU and 40 MB of RAM. In addition, it stores 5-minute aggregated samples of network traffic for up to a year. Although my machine does not give me the luxury to do it, it has a web proxy with caching. But I have the DHCP server running. It also has a caching DNS and two freeware IDSs, both of which I do not use now. It also allows unlimited IPSec VLAN clients, and a DMZ zone (if a third Ethernet card is installed). Considering all this, to me it seems that this setup is better than or equal to the PIX I had. If I get an entry-level 1U rack server for less than 1000 dollars, I can have a firewall at less than 1/3rd the cost of an entry-level PIX. What is the drawback of this software that makes PIX, Watchguard, Checkpoint etc. the major players in this domain?

My article on a reference-counted smart pointer that supports polymorphic objects and raw pointers
-
Thomas George wrote:
What is the drawback of this software, that makes PIX, Watchguard, Checkpoint etc. the major players in this domain?

"Linux". It's "too complicated", and "takes too long", and beyond that, "we're a Windows shop". You know, all of those "good reasons".

------- signature starts
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001
Please review the Legal Disclaimer in my bio.
------- signature ends
-
It is sad... but someone should install rack machines with MNF and sell them as firewalls.

My article on a reference-counted smart pointer that supports polymorphic objects and raw pointers
-
Quick question: Which Linux distribution did you use?

Mike Stanbrook
mstanbrook@yahoo.com
-
It is a Linux Mandrake MultiNetwork Firewall. The installation itself does the whole firewall part. It has a web interface to configure on port 8443, and it will be enabled by default. When you install, you should give a valid IP address for at least your internal Ethernet interface, so that configuring is easy. Once the firewall is configured and running, port 8443 will be enabled only on your inside interface, which you access by using https://ipaddress:8443

My article on a reference-counted smart pointer that supports polymorphic objects and raw pointers
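As an added example (not code from the thread, nor from MNF or Shorewall), here is the rule set the two posts above describe, written as plain iptables: default-deny policies, PAT for the LAN, one static NAT for an internal server, and the 8443 console reachable only from the inside interface. Interface names, addresses and the single static NAT entry are constructed assumptions; the function emits an iptables-restore file instead of applying it, so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not code from the thread or from MNF/Shorewall: emits the rule set
# described in the posts as an iptables-restore file (review it, then load it).
# Constructed assumptions: eth0 = outside, eth1 = inside, LAN 192.168.1.0/24,
# one static NAT 203.0.113.10 -> 192.168.1.10 for tcp/80, console on 8443.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
SRV_PUB=203.0.113.10   # public address the firewall must also answer for (WAN alias)
SRV_INT=192.168.1.10   # internal server behind the static NAT
ADMIN_PORT=8443        # MNF web console, inside interface only

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Static NAT: inbound to the public address is rewritten to the internal server,
# and the server's own outbound traffic shows that public address (listed before
# the masquerade rule so the more specific match wins)
-A PREROUTING -i $WAN_IF -d $SRV_PUB -p tcp --dport 80 -j DNAT --to-destination $SRV_INT:80
-A POSTROUTING -s $SRV_INT -o $WAN_IF -j SNAT --to-source $SRV_PUB
# PAT / IP masquerading: the rest of the LAN leaves $WAN_IF behind the firewall's own address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Admin console only from the inside interface; nothing else reaches the box itself
-A INPUT -i $LAN_IF -p tcp --dport $ADMIN_PORT -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# DNAT only rewrites the address; the forward still needs its own access rule
-A FORWARD -i $WAN_IF -o $LAN_IF -d $SRV_INT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
EOF
}

# Print the rule set; load with: gen_rules | iptables-restore
gen_rules
```

Dropped packets hit the LOG rules before the chain policy, so the kernel log shows what the default-deny is rejecting.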
-
I guess you don't really say what the system(s) is (are) behind this firewall, but why not one of the little Linksys or D-Link embedded firewalls?
-
I have my whole company network, which provides an equities trading application service, behind it now. It started as a temporary fix because I could not get the firewall replaced in time. I have not seen the Linksys or D-Link firewalls, so I cannot comment on those, or on the extent of functionality provided by them.

My article on a reference-counted smart pointer that supports polymorphic objects and raw pointers
-
Actually, I was wondering if the firewall is treated like an app you install on top of an existing Linux install, or does it include the whole shooting match?

Mike Stanbrook
mstanbrook@yahoo.com
-
iptables is implemented at a kernel level. There was a predecessor to it called ipchains, which was implemented with user-level access. You can read this to get an idea. Shorewall, the firewall app, uses iptables for everything.

http://www.sns.ias.edu/~jns/security/iptables/

Thomas

My article on a reference-counted smart pointer that supports polymorphic objects and raw pointers
-
I have been using a 486 DX 100, 32 MB RAM, 400 MB HDD with the Smoothwall distro for over 2 years now without major problems. Record uptime was 60 or 70 days. And it can do all that stuff as well, all neatly thru a web interface, or SSL if u prefer. All this for free. :) BTW the hardware cost me R40 ($6) :). And as a plus it does dynamic DNS registration on connection as well.

MyDUMeter: a .NET DUMeter clone
-
I second SmoothWall. I've got an old 386DX 40 running SmoothWall, running smoothly! I still have to try the VPN between mine and my brother's Smoothbox... It's version 1.0 now.

VictorV