Gentoo Forums
Dedicated Linux Firewall
legit
Apprentice
Joined: 04 Jan 2006
Posts: 216
Location: Denver, CO

Posted: Fri Oct 30, 2009 10:01 pm    Post subject: Dedicated Linux Firewall

Hello all,

I am wanting to set up a dedicated Linux firewall (iptables, maybe with some security software like Tripwire or similar) behind my router.

I was thinking of building a simple little computer for this and was wanting opinions on my idea of a build:
http://secure.newegg.com/WishList/PublicWishDetail.aspx?WishListNumber=16498987

Anything anyone can think up that would help me with this build would help; I'm trying to keep the cost low, but prevent adding noticeable latency to my network.

Thanks
pigeon768
l33t
Joined: 02 Jan 2006
Posts: 683

Posted: Sat Oct 31, 2009 6:08 am

The computer has a PCI slot, but the LAN card in your list is PCI-E. They're not compatible. You're a little bit hosed on finding a 2-port PCI NIC, so I recommend getting a one-port gigabit NIC to plug into the (presumably) gigabit switch and using the onboard 10/100 network interface to plug into your cable/DSL modem, which is 100Mbit anyway. The case has a low-profile slot, so make sure you get a card that includes a low-profile faceplate.
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106122

You could save $5 and get the 80GB drive instead of the 160GB. You'll never use 80GB unless you plan on using it as a fileserver or something.

You could also save $5 and skip the RAM heatsinks. It's 533MHz DDR2, it will never overheat.

It's a shame fit-pc no longer makes the dual-NIC fit-pc 1.0. The fit-pc 2.0 has one wired NIC and one wireless NIC. They were perfect for dedicated firewalls.

Definitely look into setting up QoS. Google for 'linux traffic control'. The syntax for tc is kind of a pain in the ass, but well worth it in my opinion.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54815
Location: 56N 3W

Posted: Sat Oct 31, 2009 9:05 am

legit,

That system is serious overkill for a firewall.
I use Smoothwall on a K6-2 500MHz with 64MB RAM. That's an upgrade from a Cyrix 200MHz system which I have just scrapped.

Try it out on any old i686 system or even in a Virtual Machine. Warning: Smoothwall will take over the whole PC it's installed on.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
legit
Apprentice
Joined: 04 Jan 2006
Posts: 216
Location: Denver, CO

Posted: Sat Oct 31, 2009 11:55 am

Thanks for the input guys.

I thought I made sure the PCI connection was fine, but I guess I overlooked the E. Thanks for pointing that out.

NeddySeagoon, I kind of figured the system was a bit overkill for what I wanted, but I wanted to make sure that I could add some IDS/IPS applications without getting any/too much of a slowdown. Do you still think it is way overkill if I install Snort and some other network monitoring stuff? Also, can I still have Smoothwall on a system with net-monitoring software (I've never used Smoothwall, so I'm not sure what all it provides)?

Thanks
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54815
Location: 56N 3W

Posted: Sat Oct 31, 2009 12:54 pm

legit,

Smoothwall is a binary firewall distro derived from Red Hat. It's made deliberately difficult to add things to.
There is no toolchain. It comes with Snort, QoS, assorted proxies, traffic control by port number for the protected interfaces and some limited traffic monitoring, all controlled from a web interface.

You can add things to it and there is a community providing extras for it.

All it takes to try it out to see if it does what you need is a spare machine/VM and some of your time.
legit
Apprentice
Joined: 04 Jan 2006
Posts: 216
Location: Denver, CO

Posted: Sat Oct 31, 2009 5:54 pm

Thanks NeddySeagoon! That sounds like almost exactly what I'm looking for. I'll definitely check it out.
pigeon768
l33t
Joined: 02 Jan 2006
Posts: 683

Posted: Sat Oct 31, 2009 8:33 pm

Oh, and you don't need 2GB of RAM, whether you install Gentoo or Smoothwall and put an IDS on it or not. You could save $30 and get a 512MB stick instead. Also consider getting a VIA system:

http://www.newegg.com/Product/Product.aspx?Item=N82E16856107055
http://www.newegg.com/Product/Product.aspx?Item=N82E16820144165
http://www.newegg.com/Product/Product.aspx?Item=N82E16822136195

It's about $30 more expensive than the barebone system you linked (that is, assuming you got the 512MB stick and the 80GB drive and cut the RAM heatsinks), but the VIA chipset uses less power. It may save you money in the long run.