Best hardware filewall appliance?
Mac Enthusiast
Join Date: Jan 2001
Location: Leesburg, Virginia
We currently have a SonicWall SOHO3 firewall and router appliance. I am currently looking for alternatives. I am wondering what other users' experiences are with similar products. Is there a firewall out there with stateful packet inspection that doesn't have the price and complexity of a Cisco Pix? I am looking for something under $1,000.
Dominik Hoffmann
(Last edited by DominikHoffmann; Jul 12, 2004 at 10:30 PM.)
Mac Enthusiast
Join Date: Jan 2001
Location: Leesburg, Virginia
Originally posted by DominikHoffmann:
Best hardware filewall appliance?
How embarrassing! Of course, most people wouldn't have a clue what a "filewall appliance" was. I corrected the mistake.
Dominik
Moderator 
Join Date: May 2001
Location: Hilbert space
Why not set up a FreeBSD/OpenBSD box yourself? OpenBSD especially is frequently used in some of those commercial firewalls.
I don't suffer from insanity, I enjoy every minute of it.
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Originally posted by OreoCookie:
Why not set up a FreeBSD/OpenBSD box yourself? OpenBSD especially is frequently used in some of those commercial firewalls.
I agree, OpenBSD has a lot of capabilities that commercial firewalls also have. Lots of cool features are built into pf, which is their stateful firewall. If you're looking for solid hardware to install OpenBSD onto, I can recommend IBM or Sun. You can get a good used Sun Netra with a Quad Ethernet on eBay for pretty cheap, toss OpenBSD on there and you have a very solid solution.
ndt
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
The problem with most PC-based firewalls is that they can act as single points of failure -- if they malfunction for ANY reason, your network becomes unusable. There are ways of addressing this problem, but some high-end firewall "appliances" are designed to be pass-through when they fail.
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
One possible distro to look at if you are going to make your own firewall is Devil-Linux. It is CD-based (you boot off a CD, and your configurations are on a floppy... or USB thumb drive), so resetting everything is a hard-boot away and you don't have to worry about a HD. They have also been working on integrating a heartbeat, so a pair of them can operate as a gateway and near-instantly fail over for each other.
I have been using a slightly older version as a PPTP gateway and router for half a year now, and am very happy with it.
Mac Enthusiast
Join Date: Jan 2001
Location: Leesburg, Virginia
Originally posted by Partisan01:
I agree, OpenBSD has a lot of capabilities that commercial firewalls also have. Lots of cool features are built into pf, which is their stateful firewall. If you're looking for solid hardware to install OpenBSD onto, I can recommend IBM or Sun. You can get a good used Sun Netra with a Quad Ethernet on eBay for pretty cheap, toss OpenBSD on there and you have a very solid solution.
ndt
What about using a Mac? Can I get pf for Mac OS X, or compile it under Mac OS X? Also, how much oomph does a computer that runs an SPI firewall need? Would a 500 MHz G3 iMac suffice?
Dominik
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
In terms of speed needed, you don't usually need a lot of horsepower. My company firewall is a 400 MHz (or so) Celeron. You do want to dedicate the box to that one task though, as it looks really bad when the network crawls to a halt because someone is playing a video game on their computer...
Moderator 
Join Date: May 2001
Location: Hilbert space
Originally posted by DominikHoffmann:
What about using a Mac? Can I get pf for Mac OS X, or compile it under Mac OS X? Also, how much oomph does a computer that runs an SPI firewall need? Would a 500 MHz G3 iMac suffice?
Dominik
Mac OS X uses ipfw, whose home platform is FreeBSD. It is also a viable (i.e. rock-solid) solution for firewalling. Since pf has been ported to FreeBSD, I guess that there might be a port to Mac OS X, too.
Since you can use OpenBSD on many Macs (according to their hardware support list, also your iMac model), you could even use this Mac to directly install pf on it.
But probably using a 2 NIC topology is more secure. In terms of horsepower, your iMac (or a similarly equipped PC) should be plenty.
I don't suffer from insanity, I enjoy every minute of it.