14 replies to this topic

[Retro-Starr]

I'd like to know which do you guys think is better in terms of simplicity and configuration for setting up a firewall.
I know of SmoothWall and m0n0wall, but I don't know the difference bewteen them.
I know some people might like one more than the other, but please explain to me why you like it so much more.
I am looking into entering into the security world and setting up a firewall seems like a good place to start, will be starting on my home network.

I was told if I want to get a job really I'd be working with linux distro more, but I think it couldn't be that bad if I could do bsd too.
Thank you.

Edited by Retro-Starr, 21 May 2009 - 07:30 PM.

[Ohm]

I'd use OpenBSD for this. Two big reasons.

• It's as secure as you can expect from an OS by default. No services to turn off. No configs to tweak.
• The PF firewall is quite easy to configure. I don't know if there's a GUI or web interface, but it's easy to configure by hand, so it's not really necessary.

[Retro-Starr]

Thanks for replying so fast.
Since your a BSD guy, what's the real main difference between iptables and ipfilters?

[mirrorshades]

I like pfSense, which is based on FreeBSD: http://en.wikipedia.org/wiki/Pfsense

[Retro-Starr]

Thanks you guys. I guess this isn't really a hot topic, thought it would have been. I have to ask, mirrorshades, why do you like pfsense?

[mirrorshades]

No one specific thing... just overall I like most of what it offers. It's a bit more configurable than IPCop / Smoothwall, so it assumes you know what you're doing.

[Retro-Starr]

I like configurable. Would it be possible to run something like FreeNAS along side it? My thinking is that pfSense and freeNAS are both FreeBSD based so install pfSense then setup a file server and other services that would make it a NAS, or would that be too much?

[mirrorshades]

Not sure what you mean by "along side"... I have both pfSense and FreeNAS running on my network. They do different things; pfSense is my Internet gateway, FreeNAS is my backup server. No real direct relationship between the two.

But to answer your question... sure, it's your network, you can do whatever you like!

[Retro-Starr]

I was thinking of like running both at the same time, but now I am rethinking it. Both FreeNAS and pfSense want to use the entire HDD, so would it be advised to make them both VM's and have them running all the time on a dedicated machine? My real aim is to make a really kick ass home server that does everything one might need: VPN/proxy, streaming music/video, firewall, NAS. Would it be practical to run all these on their own VM's and have a dedicated machine hooked up to ethernet?

[Ohm]

There's no reason to run both of those at the same time. The whole point of doing FreeNAS or pfSense is that you install these operating systems and you have a working appliance with very little configuration. It would be easier to install one of these (or another operating system) and install and configure software to do both of these actions. It's not very difficult to install Linux or FreeBSD or OpenBSD and configure a firewall and Samba.

Though, if you really wanted to do that, both FreeNAS and pfSense seem to offer VMWare images. Depending on how fast the machine is (and how much memory it has), this could work. It's taking the long way around if you ask me though.

[mirrorshades]

would it be advised to make them both VM's and have them running all the time on a dedicated machine? My real aim is to make a really kick ass home server that does everything one might need: VPN/proxy, streaming music/video, firewall, NAS. Would it be practical to run all these on their own VM's and have a dedicated machine hooked up to ethernet?

pfSense is designed to be a router/gateway... so putting it on a VM would be kind of an odd setup. Not to say it couldn't be done, but you could probably get lost quite easily in the configuration. (It would be good practice for the setup and tweaking stuff, though, if you want to practice a bit.)

If you're thinking of it like a desktop/software firewall (ZoneAlarm, BlackICE, that kind of thing), then you're not quite right. Think of it more like a router, or the thing that hooks up the Internet to the rest of your network.

I once tried to set up a Smoothwall virtual machine to act as the host computer's firewall -- in other words, set it so that all the inbound network traffic went to the VM first, then "passed through" to the host itself. Didn't work, though... it got bogged down in some sort of weird recursive networking stuff like holding two mirrors up to each other. :)


Regarding FreeNAS, you could have that as a VM, but you would likely experience degraded performance (especially if you had a lot of disk I/O). Really, these applications are designed to run exclusively on one physical box... the trick is, it doesn't have to be a super-massive-high-end-ninja-megacomputer. I put pfSense on an old Pentium III laptop with a dead screen, and it works like a champ. Likewise, I have FreeNAS running on an even older Pentium III desktop (with added hard drives), and it's fine.

[eth0s]

This may be similar to what you're trying to accomplish... You can do it by using the host to just be a host for the VMs and run a small firewall/gateway alongside your giant NAS-monster.

I built a headless toy box for kinda the same purpose except mines to play with VMs for learning. I got the cheapest low-power stuff I could find a stuffed it into a portable-ish case along with an old used 80GB HDD. Put 9.04 server 64bit on it and installed VirtualBox 2.2 64-bit.

Here's the crap I purchased:
Celeron 430, 4GB RAM, MicroATX Mobo, Case with a handle, Wireless-N card.

So I have tried 3 firewall VMs so far: Smoothwall, IPCOP and pfSense. I can turn them off and on at will using VBoxManage and VBoxHeadless at the CLI. I actually wrote little scripts to type long commands for me cause I'm lazy. Anyways I use the wireless as the RED interface (bridged) and the onboard ethernet as the GREEN interface (bridged). I have the host associate with a "public wireless AP" but don't assign it an IP address. I let the firewall distro boot up and get it's DHCP address from the net so I only have one visible IP and my host isn't so vulnerable. So then my green interface plugs into my wireless router LAN port and serves up internet to my whole house.

Note this machine doesn't have any human interface, I log into SSH through the network. Initial configuration of VMs at the CLI can be a pain with VBoxManage so I installed xserver and use 'ssh -X user@ipaddress VirtualBox' which will send me the virtualbox GUI remotely. I use it to install a VM too but then I shut it down and start it with VBoxHeadless so that I can TS-Client in on the RDP port I assigned the VM. This way I can also exit out of the SSH console.

I also have a JeOS LAMP server and a Server2008 all packed in there with room to spare.

I have been working on a way to get the VM firewall to act as the gateway for the host like mirrorshades said but came up with the same results. I'm sure there has to be a way, I just haven't found it yet.

[Retro-Starr]

I liked what Ohm said, the only reason I suggested VMs is because these distros were specifically ment to do one job and everything seems to want to take my entire drive to do the simplest of things (i.e. FreeNAS though you can install on HDD and have storage too). I remember hak5 mentioning that they have their site hosting as a VM, but I don't know how they do it.

[eth0s]

Bro, FreeNAS has a firewall built-in, as I have just discovered. You're all set, IMO. Besides, if you're behind a router you're also protected as long as it's not forwarding ports. That's a firewall.

[Retro-Starr]

Sweet find! I really want a really cool server that I can use as a proxy/vpn/ssh into/stream music and video/(if ever, might just play with) pbx/NAS. So it kinda looks like I install FreeNAS then install all the right software to make everything happen.