Opinions/experiences with OSes for hardware firewalls?

Fraoch

Senior Member
Hello:

I'd like to build a DIY hardware firewall. It's for fun and for learning but also to improve the security of my home network. I have some degree of expertise and I'm familiar with Linux and a little bit of FreeBSD.

I would like the firewall to have logging, IP/domain blacklisting, intrusion detection, ad blocking and malware detection. I'd like FOSS and I do not want to pay a yearly subscription fee.

I've been looking at several pieces of software to run on the hardware. I've tried them all in a VM:

  • pfSense. A nice complement to my new FreeNAS NAS, now that I'm learning FreeBSD. However, it's more of a router than a firewall, and as you see in my signature, I have my router needs covered nicely.
  • Untangle. The current front runner. However, it seems overly simple, and there don't seem to be many settings to alter in the free version: it's either turn it on or turn it off; there doesn't seem to be much control.
  • IPCop. Seems a little too simple. I can devote some powerful hardware to it; this seems like a waste.
  • IPFire. Better than IPCop, but it could still do with a few more features.
I used ClarkConnect a long time ago, but that's evolved into "ClearOS" which is more of a gateway and server than a firewall.

Are there any that I've missed? Does anyone have any experience with these? Which one would you recommend, and why?

Thank you!
 
I have used all of those except Untangle. My choice is pfSense because of the good documentation, like the recently (mostly) finished, official pfSense book. I also think FreeBSD is the better choice for a server, compared to Linux, because the base system is developed as a whole, unlike Linux.

The last time I used IPFire it had tons of extra addons via Pakfire.

You probably couldn't go wrong with any of these operating systems.
 
Thanks! I forgot it in my above list, but I'm also trying Smoothwall, which again seems a little too simple.
 
I just found Sophos UTM. I don't know why I didn't think of this before; it's very well-known.

I'm trying to see if I can evaluate it in a VM. I'm not sure; it comes with a single-use license.
 
Just took a look at pfSense. It has a lot of similar features to Ubiquiti and RouterOS, but RouterOS has an L2 to L7 firewall and a lot more options.

Still, I'll try to scavenge something to install pfSense on for the purpose of using it for Squid and some additional stuff.

RouterOS will run in a VM or on x86, but it only runs for 1 day free (demo license).

The only thing you can't do with RouterOS and Ubiquiti is install additional programs like on a standard Linux server, and none of their proxies match up to Squid.

Although it's not around yet, if you could get the pfSense source and compile it for TILE CPUs, you could run it on the new TILE servers, which come with a lot of hardware and ports with a mixture of Gigabit and 10GbE ports. TILE tries to do multi-threading automatically, both in hardware and in the compiler. As a firewall and router, TILE is a lot faster than x86. There are also PCIe cards with TILE CPUs, RAM and flash that have 10GbE interfaces.
 
I'm thinking about building a homebrew router / firewall with pfSense on a Zotac ZBOX later this year. I had never heard of these other programs. I have no experience with pfSense, so this would be a big project for me. In my mind, documentation is important, along with cost, with free being best. Are the others very popular, or are they niche products compared to pfSense?

I also have an EdgeRouter Lite, but it's on the shelf. The GUI was too limited and I gave up on Vyatta. pfSense might begin development on a version for the EdgeRouter Lite later this year.

Edit a couple of hours later: http://ftp.het.net/iso/vyatta/vc6.3/docs/

The EdgeRouter CLI provides the ability to build an impressive firewall if you can get through the Vyatta. I couldn't. Here's some documentation in case you want to keep it all in one device and you're better at it than I was. Hope you like to read.
 
You might want to try pfSense in a VM first until it starts working for EdgeRouters. It's a good thing I went for a MikroTik CCR instead of an EdgeRouter Pro. I'm going to build one too, as I have extra CPUs, RAM and hard drives lying around; I would just need the case, PSU and motherboard. Going to see if I can build an inexpensive small one or maybe a rackmounted one.

There are also YouTube videos on pfSense, and I am quite impressed by the amount of tutorials, documentation and videos on it; I could easily see what it is capable of, unlike with Ubiquiti, which has no demo.
 
Thanks. As I wrote in the related thread, I will try pfSense on a bootable flash drive when the project bubbles to the top of my list. This will allow me to run it on any PC with a USB port, at least for experimentation. I will still need multiple network jacks to actually use it. Maybe there's a USB dual-WAN attachment available somewhere. (Nope: PC network jack = WAN in, USB to RJ45 adapter = LAN out.)
 
You might want USB 3 Gigabit network adapters. USB 2 can only handle less than a quarter of the bandwidth.

Alternatively, you can get Intel quad-port NICs too, which may end up being cheaper or more expensive depending on the availability of second-hand ones. Or you can get both. Since I'm using a rackmount, I could get 2 Intel quad-port server NICs and 4 USB 3 NICs, giving a total of 14 ports, assuming the USB 3 driver works with pfSense. It's only a matter of the hardware having a driver for BSD. The motherboard I'm getting can fit 4 NIC cards (SLI/CF board), but the limitation is with the 1U expansion capabilities, unless I want to run cables through available holes inside and use PCIe extenders.

Having PCIe x16 slots would let me use 10Gb/s cards in the future.
 
I don't think you'd be disappointed with pfsense. If you want to tinker there are plenty of configuration options as well as packages to extend the functionality, such as IDS/IPS. The pfsense forums are very active, so it's easy to get help if you need it.

It will run on low end hardware so you can try it out on spare hardware you may have sitting around. Since you have a managed switch you could use it on a machine with a single Ethernet card and use VLANs for multiple interfaces.

I ended up buying a dual-core (4-thread) 1.86GHz Atom box on Newegg for about $130, added 4 gigs of RAM and the smallest-capacity 2.5" hard drive I could find. This machine is more than enough for our home LAN. CPU usage averages about 3% and memory usage about 20% with 3 Snort instances running. It's very stable as well; it will run for months without a reboot. I've only had to reboot when upgrading or reconfiguring the hardware.
 
If that's the case, then my quad-core Xeon server would be really fast for it if I could get it running. Have you tried caching yet? Sometimes you would want to cache to get websites to load instantly instead of reducing bandwidth. I have multiple interfaces, but I want to add SMB to it the difficult way and bond the physical interfaces. It's good to know pfSense gives me similar options to what MikroTik offers, although it still doesn't have a configurable L2 firewall.
 
I used to build/test drive tons of firewall distros years ago...sort of like a hobby. Almost on a monthly basis I'd try some new distro I'd found.

Which one is best for you depends on what you're looking for, what your needs are.

Some are lean and mean, super fast, excellent QoS features...pfSense comes to mind here. But it's not really a UTM (Unified Threat Management...meaning strong in security and anti-malware features, etc). Yeah, you can add some plugins...but they're still not really strong in protection. But it's one hell of a very fast product...great for online gamers.

m0n0wall, Smoothwall, Zeroshell, IPFire, GnatBox, IPCop...they're more bare bones....not so much a UTM. However, there is an add-on for IPCop called Copfilter...which adds some basic UTM functionality.

Full UTM appliances give you more security, stronger in anti-malware duties (antivirus and anti-malware scanning done at the gateway level, phish protection, etc)...Endian, Gibraltar, Astaro (now Sophos), ClearOS (although this combines some server stuff too), and my favorite...Untangle. Endian is also darned good.

You don't need a lot of horsepower....especially for a home user; dual-core Atoms give you plenty more than you need. No need to step up to full desktop or server CPUs unless you're a large business and have tons of SMTP scanning going on.
 
While you may say that about specs for a home user or single user like myself, I do run my own GPGPU cluster for software development, I do expect to see really high utilisation, and I grab the fastest internet that's available where I am. I also configure things to make sure it is secure too. The amount of bots or hack attempts I get is simply massive. I have my firewall in RouterOS identify internal and external IP addresses and blacklist every IP that attempts to hack or communicate in an invalid way. So I see myself more as an enterprise user rather than a home user.

In my own network, any device that connects to it gets logged by my router (requires an L2 firewall) even if it doesn't communicate. It's also a handy way to get the IP address of a device that I'm trying to configure. Adding pfSense would be for caching, anti-malware, Snort and more firewalling, and I am planning to live in a place with 1Gb/s of internet in the future, so having all that CPU available would be helpful. The reason for choosing pfSense isn't really for its speed but for its features and that I can still integrate OpenBSD programs into it. With the features I plan to use, I would want it to work at wirespeed, and I may use 10GbE ports in the future. I might even combine the pfSense server with a 72-core TILE PCIe network card that also runs its own Linux firewall too. Where there is skill, I don't think having all those available resources would be overkill.
 
It's the NICs that count for most of the speed, not so much the CPU. Use good Intel NICs and things move quickly. Use more "win-NICs" like realsucks or Broadcoms or those horrible Atheros...and throughput suffers.

Anti-malware and pfSense don't go in the same sentence..it's not a UTM....Clam is almost sort of OK for mail scanning...almost...but useless as a nice rack on a nun for the web-based threats of today, and phishing.

It's when you get full proper UTM packages like Untangle or Endian and run heavy mail filtering on them (like thousands of e-mails per day) that you'll need heavy CPU to keep up the throughput. I'm sitting at my biggest business client's network right now after installing 2x new edge appliances running Untangle. I replaced a single quad-core Xeon appliance with a pair of dual-core Intel NG-100 appliances...and they still barely nudge above idle on this ~100-user network with remote VPN and terminal servers and a 100/50 pipe and mail servers. Dual appliances for failover...not both at once, but the second one is a hot spare.

Nothing wrong with putting in high horsepower, I used to love getting the biggest servers to run stuff at home....just trying to save you some money if you thought you needed tons of power for a basic firewall at the edge. It's not always the initial cost of the hardware, rather the longer term costs in money spent on the electric bill...plus the noise.
 
Well, I had the hardware just lying around, and it is a lower-voltage Xeon.

The thing about throughput is not just the firewall but also caching and being able to deliver multi-gigabit throughput. Cheap used quad-port Intel server NICs are getting harder to find. If Untangle uses OpenBSD, I could try integrating some things from it. I don't need mail filtering though.

In general, Broadcom, Marvell and Atheros make good NICs too, but all have different strengths and weaknesses. Marvell chips use less CPU than Intel but have higher latencies. Realtek has low latency but uses more CPU. It's a similar thing with soundcards too, especially when it comes to 24-bit 96kHz 8-channel audio. I already have a router and firewall with 28Gb/s (wirespeed) of throughput even with lots of firewall rules, but it doesn't have the anti-malware and caching that pfSense provides, so my pfSense server would need to keep up with my router.
 
I'm curious if anyone has any experience with SimpleWall. I own an EdgeRouter Lite, I tried Sophos UTM for a minute, and I'm currently using pfSense, but SimpleWall looks a lot more streamlined. Haven't tried it myself yet and there doesn't seem to be any information about it on the net.
 
Odd you mention it...I just came here to post a link to this rather new distro. I built a unit yesterday at the office for a test, installed it on a small-form-factor Lenovo ThinkCentre mini desktop, Core 2 Duo, 2 gigs rammage.

http://www.simplewallsoftware.com/

I'd say it's similar to Endian...or what ClearOS has except for the server parts, or maybe Astaro/Sophos. Different than Untangle. Still going to play with it more. So little out there about it, and with the paid for product being only 95 bucks a year...curious how long they'll be around.
 
Are you still using SimpleWall?
I was thinking of using it as a replacement for my current UTM.

I played with it for a week....enough to get a feel for it.
For a new product, seemed pretty good. With such a pricing model, curious how long they'll be around.....
We're long time Untangle resellers and have many clients on that product, so our commitment is there as far as what we're building and selling to our clients.
 