On Wed, 23 Dec 2015 15:29:17 -0500
Satish Patel <satish.txt@xxxxxxxxx> wrote:

> All,
>
> I am planning to build dedicated firewall for network and wonder which
> OS will be ideal and best for dedicated firewall machine?
>
> It's going to handle around 500mbps traffic peak.. so I need something
> solid and secure, which won't crash...

(I know this sounds like an advertisement, but Satish *did* ask. And I *am* working to integrate the just-released iptables v1.6.0.)

If you intend to filter SSL (via MITM), HTTP, HTTPS through clamav, filter URLs for 'appropriateness', and run Snort to identify incoming threats, *at 500Mb/s*, you will need at least 2GiB of fairly fast RAM and a fast quad-core CPU.

You don't need to build a dedicated firewall. Smoothwall Express v3.1 is already available:
- i586 or x86_64
- SMP
- web-based UI
- linux v3.4.110
- iptables v1.4.21
- ipset v6.19
- gcc v4.7.3
- glibc v2.18
- binutils v.2.22
- runs snort, clamav, squid
- as a plain firewall, easily handles 4 NICs at constant 950Mb/s on a dual-core Atom N270. (clam/ids/squid filtering is a different story.)
- improved build system makes it easy to add pkgs
- script-based 'advanced installer' makes it easy to hack and debug installation problems
- hooks to make many mods 'non-invasive'

Except for a stupid mistake on my part (I introduced a memory leak when I converted iptACCOUNT to 64-bit counters), v3.1 has been very stable.

I'm presently working on v3.2 preliminaries:
- linux v3.14.58
- iptables v1.6.0
- ipset v6.27
- eudev v3.1.5

It just built and the iso/flash images assembled. It installed and booted (in a KVM) without trouble. So far, the firewall seems OK. But I do expect to encounter a few incompatibilities with iptables v1.6.0.

We're working to overcome years of development neglect. I spent five years improving the build system, modernizing Express' 'foundation', polishing the UI a little bit, and stumbling upon and fixing many little bugs from the original v3.0; v3.1 was the result.
Somewhere in there, I was appointed project leader. There is still room for improvement in the UI and in the features; this will be the main focus during 3.2's development.

Unless it's a learning exercise, if you want to save yourself a lot of time and trouble, visit us at http://community.smoothwall.org.

Neal