  1. #1
    Join Date
    Jan 2005
    Location
    Lincs, UK
    Posts
    152

    Simple, no-frills, reliable gigabit Firewall

    Dear All,

    Can I please have suggestions for a very simple and reliable 10/100/1000 firewall (1U). My firewall rules will be very simple - deny all traffic except port 22 to one IP behind and port 80 to one IP, allow all egress.

    Many thanks,

    Alex
    Member, MySQL Guilds
    Author, "MySQL Clustering" (Sams)

  2. #2
    Join Date
    Oct 2004
    Location
    Nevada
    Posts
    887
    If it is that simple, ask your colo provider / upstream provider to do it in their router... some will, some won't.

  3. #3
    Join Date
    May 2004
    Location
    Blue Springs, Missouri
    Posts
    366
    Or grab some nice gig-e NICs and set up OBSD + pf.


  4. #4
    Join Date
    Dec 2004
    Posts
    256
    Why not just use ipfw/pf on the box itself?

  5. #5
    Join Date
    Jan 2005
    Location
    Lincs, UK
    Posts
    152
    Dear All,

    Many thanks for the responses so far.

    To answer the first question, my upstream provider does not do that!

    I will have software firewalls (I was thinking of APF, because it is what I am used to and I can use it with BFD at the same time) on all machines but I believe that there is a lot more security using a hardware firewall.

    Essentially, I will have about 15 servers behind this and I want to allow access for Apache only to the load balancer IP and access for SSH to one server, a "management" server, from which I can SSH into all other machines. The idea is that this reduces the number of targets for attackers as well as reducing the number of machines that I need to keep completely up-to-the-second from a security point of view down to one.

    Am I barking up the wrong tree here? Should I just install APF on all servers and rely on that?

    Many thanks for all your feedback so far,

    Alex
    Member, MySQL Guilds
    Author, "MySQL Clustering" (Sams)

  6. #6
    Join Date
    Jul 2001
    Location
    Canada
    Posts
    1,284
    > I will have software firewalls (I was thinking of APF, because it is what I am used to and I can use it with BFD at the same time) on all machines but I believe that there is a lot more security using a hardware firewall.

    Most hardware firewall appliances are simply stripped-down PCs running special software. If your needs are that simple, a 'software' solution such as netfilter/ipfw/ipf should do fine.

    Or, as suggested, grab a cheap 1U box with GigE ports and throw OBSD on it. Hard to beat the price-performance ratio.

    > The idea being that this reduces the number of targets for attackers as well as reducing the number of machines that I need to keep completely up-to-the-second from a security point of view down to one.

    Conversely, it also creates a single point of failure, which is the trade-off with all such configurations. It also doesn't mitigate the need to keep the servers up to date, as any one of a number of exploits can pass along the HTTP channel on port 80.

    If you absolutely require a name-brand hardware appliance, my choices would be, in no particular order, Cisco, Gnatbox, Netscreen, or Watchguard.
    "Obsolescence is just a lack of imagination."
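
    Putting the OBSD + pf suggestion from #3, #4 and #6 together with the policy Alex laid out in #1 and #5, the following is an added example ruleset; it is not from any poster in this thread, and the interface names and the 192.0.2.x addresses are assumptions to be replaced with your own.

```pf
# Added example (not from any poster): OpenBSD pf.conf for the policy in this thread.
# Deny everything inbound except TCP/80 to the load balancer and TCP/22 to the
# management host; allow all egress. Interfaces and addresses are placeholders.
ext_if  = "em0"            # uplink from the provider (assumption)
int_if  = "em1"            # LAN holding the ~15 servers (assumption)
lb_ip   = "192.0.2.10"     # load balancer reached on port 80 (placeholder)
mgmt_ip = "192.0.2.20"     # management/SSH jump host (placeholder)

set skip on lo
set block-policy drop      # drop silently instead of answering with RST/ICMP

# Drop packets whose source address could not legitimately arrive on the LAN side.
antispoof quick for $int_if

# Default deny inbound on every interface; dropped packets are logged to pflog0
# so refused probes can be reviewed later.
block in log all

# Anything leaving any interface is allowed; state lets the replies come back in.
pass out keep state

# Egress from the servers (updates, DNS, outbound mail, ...) is allowed in full.
pass in on $int_if from $int_if:network to any keep state

# Ingress: only the two published services. synproxy makes the firewall finish
# the TCP handshake itself, so half-open floods never reach the web server.
pass in on $ext_if inet proto tcp from any to $lb_ip   port 80 flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $mgmt_ip port 22 flags S/SA keep state

# As #6 points out, whatever travels inside those two permitted flows still
# reaches the servers, so this ruleset does not replace patching them.
```

    Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`.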

  7. #7
    Join Date
    May 2004
    Location
    Blue Springs, Missouri
    Posts
    366
    Don't know that "cheap" is the best word to use about the box you should use ...

    There are types of NICs that'll pass traffic even if the box is locked up, eliminating your single point of failure ...

  8. #8
    Join Date
    Jul 2001
    Location
    Canada
    Posts
    1,284
    True, inexpensive would be more accurate. My point was simply that such an application doesn't need a machine with a pair of Xeons with 16GB of RAM, for example.
    Last edited by NyteOwl; 05-26-2005 at 09:12 PM.
    "Obsolescence is just a lack of imagination."
