
On Wednesday 05 March 2008 08:42:33 Eric Weston wrote:
> I'm collecting opinions regarding hardware to use for a firewall. If you
> are interested in weighing in on this subject, I'm interested to hear
> your ideas.
>
> The hypothetical firewall is a purpose built OpenBSD box running OpenBSD
> Packet Filter (pf), on a box that bridges the outside world to a
> protected network of approximately 1000 nodes. The box needs to have a
> network interface for administrative access via ssh, and two
> high-throughput network interfaces to provide the "bridge" from the
> protected network to the internet.
>
> Given this general scenario, what sort of box might you purchase and/or
> assemble for this purpose? What elements would you consider critical?
> (architecture, interfaces, hard drive or alternative, CPU, etc.)
>
>
>    Thanks,
>                 Eric Weston, Libraries

You might be amazed at how little system it takes for an OpenBSD firewall.
I helped a friend set up a 166MHz Dell with two 100Mbit cards just as a test
on a small company network.  It actually did fine until we pummeled it with
hordes of ping packets and multiple video streams.  We then went back to
a Dell with two gig cards and I haven't heard from it in the last 19 months
or so.

PLS & LIR have had an OpenBSD firewall since 2003 or so.  John Valenti might
remember just when it started.

So a 2GHz Dell with 1G of ram ought to be plenty.  PF systems don't swap,
so you want ram.  But unless you are tracking hundreds of thousands of
states 1G should be enough.  Get 2G (cheap!) and you'll never ever worry
about ram.  If you want to turn logging on to capture a packet stream of
a vandal or something, you might want a big disk.  500G disks are less
than $100 now at Newegg (1T are $250!).  You likely want gig cards: the
em driver for Intel is very good, as are the bge cards for Broadcom,
and sk(4) cards, but I don't know about them personally.

PF has gotten even faster with the 4.2 release.  4.3 is coming out around
May 1st, which as usual has improvements.  There is a new PF book out
by Peter Hansteen (The Book of PF - A No-Nonsense Guide to the OpenBSD
Firewall) that's pretty good.

OpenBSD rocks, and is rock solid on good hardware.  PF rocks too, and
is *the* best packet filtering tool out there.

Glad to hear of others using it!

--STeve Andre'
Political Science
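The layout Eric describes (two bridged high-throughput ports, a separate ssh management port, a raised state limit and logging) as a pf.conf sketch; this is an added example, not part of the mailing-list thread, and the interface names em0/em1/em2 and the 192.0.2.0/24 and 203.0.113.0/24 subnets are assumed placeholders.

```pf
# Assumed layout: em0 and em1 are the two bridge members (hostname.bridge0
# holds "add em0", "add em1", "up"), em2 is the management interface.
ext_if    = "em0"
int_if    = "em1"
adm_if    = "em2"
admin_net = "192.0.2.0/24"        # constructed admin subnet
prot_net  = "203.0.113.0/24"      # constructed protected subnet

# The state table is the thing that eats RAM on a PF box; the default
# limit is small for ~1000 nodes, so raise it and watch 'pfctl -si'.
set limit { states 200000, src-nodes 20000 }
set optimization normal
set skip on lo0

# Filter once, on the outside member.  The inside member passes traffic
# with 'no state' so a state created here cannot let the same packet
# bypass the rules on $ext_if (states are floating by default).
pass quick on $int_if no state

# Management port: default deny with logging, ssh only from the admin net.
block in log on $adm_if all
pass in on $adm_if proto tcp from $admin_net to ($adm_if) port ssh

# Bridged traffic: default deny inbound, logged, so an attacker's packet
# stream lands on pflog0 where tcpdump can capture it to disk.
block in log on $ext_if all
pass out on $ext_if from $prot_net to any
pass in on $ext_if proto tcp from any to 203.0.113.10 port { http, https }
```

Logged packets can be watched or saved with `tcpdump -n -e -ttt -i pflog0`; that capture is what grows the disk when logging is left on.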