Re: best distro to build iptable firewall

To deal with bursts you should always use a 64-bit version of Linux for a firewall.
Also the last firewalls I built were RHEL 6 with conntrack-tools added for clustering.

It's a little behind but not far off. You will also want the HA add-on. CentOS or Scientific Linux would work as an option too.
Fedora's a little more up to date but not as stable. Do not use distros like Ubuntu because their focus is more for the desktop market and they will install many things you don't need, which weakens the security of your firewall. Also, if you do use RHEL, do the install from a kickstart and do a nobase install so you only get the bare minimum OS.

That said, Smoothwall is not a bad choice but it's a bit inflexible in some ways. Also I wouldn't use an Atom processor for a number of reasons, mostly because it would have issues with handling microbursts.
That said, a cheap $500 desktop (including the three-year warranty) will do, especially if you add in an Intel quad-port card.

On Wed, 23 Dec 2015 15:29:17 -0500
Satish Patel <satish.txt@xxxxxxxxx> wrote:

> All,
> 
> I am planning to build a dedicated firewall for the network and wonder which
> OS will be ideal and best for a dedicated firewall machine?
> 
> It's going to handle around 500mbps traffic peak.. so I need something
> solid and secure, which won't crash...

(I know this sounds like an advertisement, but Satish *did* ask. And I *am* working to integrate the just-released iptables v1.6.0.)

If you intend to filter SSL (via MITM), HTTP, HTTPS through clamav, filter URLs for 'appropriateness', and run Snort to identify incoming threats, *at 500Mb/s*, you will need at least 2GiB of fairly fast RAM and a fast quad-core CPU.

You don't need to build a dedicated firewall. Smoothwall Express v3.1 is already available:
- i586 or x86_64
- SMP
- web-based UI
- linux v3.4.110
- iptables v1.4.21
- ipset v6.19
- gcc v4.7.3
- glibc v2.18
- binutils v.2.22
- runs snort, clamav, squid
- as a plain firewall, easily handles 4 NICs at constant 950Mb/s on a dual-core Atom N270. (clam/ids/squid filtering is a different story.)
- improved build system makes it easy to add pkgs
- script-based 'advanced installer' makes it easy to hack and debug installation problems
- hooks to make many mods 'non-invasive'

Except for a stupid mistake on my part (I introduced a memory leak when I converted iptACCOUNT to 64-bit counters), v3.1 has been very stable.

I'm presently working on v3.2 preliminaries:
- linux v3.14.58
- iptables v1.6.0
- ipset v6.27
- eudev v3.1.5
It just built and the iso/flash images assembled. It installed and booted (in a KVM) without trouble. So far, the firewall seems OK. But I do expect to encounter a few incompatibilities with iptables v1.6.0.

We're working to overcome years of development neglect. I spent five years improving the build system, modernizing Express' 'foundation', polishing the UI a little bit, and stumbling upon and fixing many little bugs from the original v3.0; v3.1 was the result. Somewhere in there, I was appointed project leader. There is still room for improvement in the UI and in the features; this will be the main focus during 3.2's development.

Unless it's a learning exercise, if you want to save yourself a lot of time and trouble, visit us at http://community.smoothwall.org.

Neal
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html