Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Firewall issue - a solution is needed!

[iCu]

Starting with 1 server, it was enough to setup a firewall on that server. It was also OK to set it up the protection on the second server... Now, the fourth server is on its way. They are all and will be Windows servers.

We dont want a firewall on each server any longer. I have heard that its possible to setup a *nix box to work like a firewall. Then all data go through that server first and gets sorted. Is this possible and how?

How do you do it?

Thanks a lot!

[Knogle]

I know this used to be possible, but the project was stopped just a couple of weeks ago. Use the search function. . . you should be able to find something.

[Knogle]

BTW, how about getting a hardware firewall? They're a bit more expensive but can handle a much higher load. They generally have a better performance rate too.

[iCu]

Its not easy to find what you search for here - its not Google

Yes, we have a hardware firewall in our plans too but how much more can it handle dataprocessing compared to a linux box also having in mind the extra costs? Is it worth it?

[stdunbar]

First, on the hardware vs. software firewall - how many more machines will you have behind the firewall? How much traffic do the machines currently process? How much traffic will they process? How freaked out are your Windows administrators going to be when they have to administer a Unix box?

A hardware firewall can be an industrial strength solution but a real one isn't cheap in terms of both initial purchase price and, depending on the experience of your staff, the maintenance. For example, do you have anybody who knows Cisco IOS? (there are plenty of providers besides Cisco - they are just one of the big ones).

Almost any PC running a Unix O/S and two NIC's can provide what you want. I personally lean towards IPF (http://coombs.anu.edu.au/~avalon/ip-filter.html) but the Linux iptables/ipchains will work too.

Basically you have a box with two NIC's in it. The Unix box has both NAT (network address translation) and filtering. The NAT portion translates a single IP address that the internet knows you as into your internal network (some non-routable network such as 192.168.1.0/24). The filtering allows you to punch through things like port 80 (www) and 25 (smtp). Just as you can control what comes into your network you can also control what goes out. If you don't want your machines making connections to any random port (generally a good thing for server type machines) you can block that too on the firewall.

The Unix box could also host email and be a DNS relay or you could have your Windows boxes do that.

[Crucial]

Almost similar to other replys but im going to post anyways, (FreeBSD)

I have a machine setup running FreeBSD with minor kernel alterations and a gateway setup. This whole process of installing FreeBSD altering kernel and setting up so nic1 forwards to nic2 takes about 20 minutes. I will recomend ipfw2 and ipf for freebsd. Outstanding firewalls.