[NMLUG] Hardware firewall recommendations?
Sarang:
I prefer the D-Link router firewalls. There are several levels of
firewall that you can opt for. The newest ones are pretty cool. I
am running the DL808HV (http://www.dlink.com/products/?pid=273) at my
house. It is an 8 port unit with VPN capabilities. I have two
actual firewall units that I am not using and would be willing to sell
one of them. They are the DFL-300
(http://support.dlink.com/products/view.asp?productid=DFL%2D300#)
units. These have been discontinued as of last October. I bought
them about a year ago for some work I was doing (on a contract basis)
for a local small business. I ended up not using them for that job,
and got only partial payment on them.
Anyway, these are still on the market, but for a lot less than what I
paid. If you (or anyone else) would like to buy one of them, I'd let
them go for $40.00 each. Just write me off group if you are interested.
One reason that I like D-Link is that they have been very dependable for
me, over the years, and they usually have some level of support for
Linux.
I have been using these dedicated IP-sharing router/firewall/switches
for about 10 years, both at home and for small businesses that I contract
for. I bought my first one as an experiment. I had a Linux box set
aside for use as an IP-sharing firewall. I was at some computer
store and saw one of these units for $99.00. I had set aside a
weekend, just for setting up the Linux box, and on a lark bought the
"gateway, router, firewall" unit instead. In 10 minutes I had every
computer in my house on the net. I never used a Linux box for that
again. It's just too simple and cheap to set up with these dedicated units.
I'll go through the list below and address your needs point by point...
Sarang Gupta wrote:
>Does anyone have recommendations for a simple, 2+ port, inexpensive,
>home-use hardware firewall/router? Specifics:
>
>% The firewall/router would sit behind my cable modem, accept a public IP
>address (via DHCP) from the cable modem, and pass on NAT'd IP addresses to
>two machines, so that both machines could access the Internet via a single
>cable modem.
>
>
They all do this.
>% I don't run servers at home, so all incoming packets should be replies
>to packets I've sent out-- all "unsolicited" packets should be dropped.
>
>
>
They all do this too, but you may need to set up custom filters to get
exactly what you want.
>% The firewall/router should log the time, IP address, and port of all
>outgoing packets (ideally w/ exceptions for a set of "trusted" IP
>address/port combinations I specify), ideally storing these on its own
>hard drive. This log should include UDP, IPX, and other non-TCP packets.
>I'm particularly curious to see what packets are being sent when I'm away
>from the computer (I run cron jobs, continuous ssh sessions, realize that
>browsers will reload pages w/ "refresh" set, etc, so this traffic won't be
>zero-- but any unrecognized packets when I'm not at the computer will be
>highly suspicious)
>
>
>
They don't all do this. Most will keep logs. Some will even email you
when suspicious traffic is detected.
>% The firewall/router should ideally be configurable only via a hardwired
>connection (eg, COM port using minicom). Less ideally, machines on the
>inside should be able to configure the firewall/router. Configuration from
>outside (even w/ a password) should not be allowed.
>
>
Very few of them do this. Most have an http interface. All of them
allow you to choose whether to expose configuration to the outside. (I
never do allow that either.)
>% The firewall/router should block (or, ideally, redirect) packets to
>certain IP address/port combinations I specify.
>
>
>
OK, do you mean port forwarding? They all do that too, but you have
to specify each port that you want forwarded, and there are usually
limits as to how many they can handle. So, if you are playing games
online, or file sharing, then you would need to configure your app so that
it accepted a certain port, then configure your firewall to forward that
port to the correct IP address. This is generally considered to be
"poking holes" in your firewall. It's usually pretty safe, but you
have to be careful.
I realize that you say in the next paragraph that you don't want port
forwarding, but it sounds like the above paragraph says that you do.
>% I looked briefly at AlphaShield (alphashield.com). It's a bit too "black
>box"-y, I don't trust its "artificial intelligence", it doesn't seem to do
>any logging, and they don't have a good technical explanation of how their
>device works (you have to register just to get a white paper!). However,
>this is close to what I'm looking for -- a simple firewall (no VPN, no
>tunneling, no DMZ, no opening specific ports, no multiple routes, etc.)
>for computers connected to the Internet as "clients". I.e., what I need is
>something much closer to an AlphaShield than to a PIX.
>
>
>
They all have this stuff and they all allow you to turn it off.
>% I realize that Linux itself can do a lot of firewalling, and that I
>could use IP masquerading to connect multiple machines to a single cable
>modem connection. I even feel a bit rube-ish considering a hardware
>firewall. However, if my Linux box has been compromised, using it as a
>firewall would be a false sense of security. I'd rather have a clean,
>single-purpose, harder-to-crack device monitor and block packets.
>
>
>
Look, if you decided that you wanted your two hosts to be on the
internet and that you wanted Linux to be your firewall, you should
consider getting a third PC, loading up Linux, compiling everything that
you don't want out of the kernel, and running a dedicated, stripped
down, Linux firewall/gateway/router. The gateway/firewall/router
units are much easier to configure and use, and much cheaper. I think
that you are on the right track here.
Good luck,
Craig
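Sarang's third requirement above (log every outbound packet, with exceptions for trusted address/port pairs, and treat anything unrecognized while away from the keyboard as suspicious) is the one Craig says not every appliance covers. The script below is an added example, not part of the original thread, showing the analysis half of that requirement on a Linux gateway. It assumes the log lines come from the Linux netfilter LOG target (e.g. a rule such as `iptables -A FORWARD -o eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "FW-OUT "`), with timestamps simplified to HH:MM:SS; the sample lines, the allowlist, the `FW-OUT` prefix and the 01:00-07:00 "away" window are all constructed for illustration and are not from any D-Link unit's log format.

```python
"""Flag outbound connections that are neither on a trusted allowlist nor
expected while the user is away from the machine.

Added example. Log format assumed: Linux netfilter LOG target output,
as a dedicated Linux gateway (not a D-Link appliance) would write it."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Constructed sample: one line per NEW outbound connection, as emitted by a
# hypothetical rule  `-m conntrack --ctstate NEW -j LOG --log-prefix "FW-OUT "`.
# Timestamps are simplified to HH:MM:SS for the example.
SAMPLE_LOG = """\
02:15:01 FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40111 DPT=22 SYN
02:15:03 FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.53 LEN=73 PROTO=UDP SPT=55213 DPT=53 LEN=53
02:17:44 FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40112 DPT=6667 SYN
02:18:00 FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
14:30:12 FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.80 LEN=60 PROTO=TCP SPT=40113 DPT=80 SYN
"""

# Constructed allowlist of (destination, protocol, destination port): the
# continuous ssh session and the ISP resolver that Sarang expects to see.
TRUSTED: Set[Tuple[str, str, Optional[int]]] = {
    ("203.0.113.5", "TCP", 22),
    ("203.0.113.53", "UDP", 53),
}

# Hours during which nobody is at the keyboard (assumed for the example).
AWAY_START = time(1, 0)
AWAY_END = time(7, 0)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class OutboundEntry:
    when: time
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (ICMP)


def parse_line(line: str) -> Optional[OutboundEntry]:
    """Parse one LOG-target line into an OutboundEntry.

    Returns None for lines that do not carry the FW-OUT prefix, so unrelated
    kernel messages in the same log can be skipped safely."""
    if "FW-OUT" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))  # KEY=VALUE tokens; later keys win
    when = datetime.strptime(line.split()[0], "%H:%M:%S").time()
    dport = int(fields["DPT"]) if "DPT" in fields else None
    return OutboundEntry(when, fields["SRC"], fields["DST"], fields["PROTO"], dport)


def in_window(when: time, start: time, end: time) -> bool:
    """True if `when` falls in [start, end); handles windows crossing midnight."""
    if start <= end:
        return start <= when < end
    return when >= start or when < end


def find_suspicious(log_text: str, trusted: Set[Tuple[str, str, Optional[int]]],
                    away_start: time, away_end: time) -> List[OutboundEntry]:
    """Return outbound entries sent during the away window that are not trusted.

    Anything outside the window is still logged by the firewall; it is simply
    not flagged here, matching the 'highly suspicious when I'm away' test."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not in_window(entry.when, away_start, away_end):
            continue
        if (entry.dst, entry.proto, entry.dport) in trusted:
            continue
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, TRUSTED, AWAY_START, AWAY_END):
        port = hit.dport if hit.dport is not None else "-"
        print(f"{hit.when} {hit.src} -> {hit.dst} {hit.proto}/{port}")
```

Run against the constructed sample, the IRC connection to port 6667 and the ICMP echo at 02:18 are flagged, while the ssh and DNS traffic on the allowlist and the daytime web request are not. Keying the allowlist on destination, protocol and port (rather than port alone) is deliberate: a trusted port 22 to an unknown host is exactly the kind of traffic a compromised machine would produce.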