# Gentoo firewall or Hardware firewall?

## Ragnar

Why should I use a Gentoo firewall?

The hardware firewall is easier to set up, and cheaper...

----------

## klieber

 *Ragnar wrote:*   

> Why should I use a Gentoo firewall?
> 
> The hardware firewall is easier to set up, and cheaper...

 

I currently run a gentoo firewall.  Previously, I ran a Linksys firewall.  The reason I changed was mainly because of the flexibility offered by the gentoo firewall -- I can set up anything I want on the box, including a dhcp server, FreeSWAN, etc.  Additionally, I have a great deal more flexibility in directing and shaping traffic.  

And no, the hardware firewall is not cheaper.  Just about any flea market or used computer store will sell you a 486 computer for ~$20.  That's all you need.

--kurt

----------

## ronmon

Yep, I too have a dedicated Gentoo firewall box. Shorewall is what I use to control it.

My eth0 connects to the internet and eth1 and wlan0 (hostap mode) are bridged to one internal subnet, which simplifies my setup. The fw box runs headless and handles DHCP, DNS, NTP, IPSec and FreeSWAN. I ssh in to administer it, just did an 'emerge -u world' this morning.

You would be hard pressed to get an 'out of the box' router with that level of security and flexibility for anywhere near the same amount of money. But of course buying one and plugging it in would be a lot easier.
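An added example, not taken from this post and not ronmon's Shorewall configuration: a hand-written stateful iptables ruleset for the layout described above (eth0 facing the Internet, eth1 and wlan0 bridged into one internal subnet). The bridge name `br0`, the LAN range `192.168.1.0/24` and the service ports are assumptions. `gen_rules` prints the ruleset in `iptables-restore` format so it can be reviewed before it is loaded; `apply` loads it and turns on forwarding, and must run as root on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables ruleset for a
# headless Gentoo gateway.  Assumed names: WAN eth0, bridged LAN br0,
# LAN network 192.168.1.0/24 -- override via environment if different.
WAN=${WAN:-eth0}
LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the ruleset in iptables-restore format: $1 = WAN iface, $2 = LAN iface,
# $3 = LAN network.  Default policy is DROP on INPUT and FORWARD.
gen_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving the WAN interface
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then anything belonging to a connection we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the WAN side
-A INPUT -i $wan -s $net -j DROP
-A FORWARD -i $wan -s $net -j DROP
# Packets the connection tracker cannot classify
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Services the box offers to the LAN only: ssh admin, DHCP, DNS, NTP, ping
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 123 -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
# IPsec (FreeSWAN) peers on the Internet: IKE on UDP 500 and ESP
-A INPUT -i $wan -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan -p esp -j ACCEPT
# LAN hosts may open new connections outward; nothing unsolicited comes in
-A FORWARD -i $lan -o $wan -s $net -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules appended to one chain in a ruleset read from stdin
count_rules() {
    grep -c "^-A $1 "
}

case "$1" in
    show)  gen_rules "$WAN" "$LAN_IF" "$LAN_NET" ;;
    apply) gen_rules "$WAN" "$LAN_IF" "$LAN_NET" | iptables-restore
           echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```

Run `sh fw.sh show` to inspect the generated rules and `sh fw.sh apply` (as root) to load them. Because the default policies are DROP, the ssh rule on the LAN interface is the only thing keeping remote administration open; check it before applying on a headless box.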

----------

## Ragnar

Then how do I make a Gentoo firewall that fits on a 500 MB HDD?

I have tried; it all takes about 1000 MB....

----------

## klieber

 *Ragnar wrote:*   

> Then how do I make a Gentoo firewall that fits on a 500 MB HDD?

 

There are a few different ways -- most have been discussed in the archives or on the mailing lists.  Basically, you install a gentoo system into a chrooted partition on another computer and then copy it over to the firewall computer.

Alternately, you can use a lighter-weight distro -- no one is saying Gentoo is the be-all, end-all Linux solution for everything.

--kurt

----------

## Ragnar

hmmm

I don't want to change distro.....

I don't have time to learn a new distro....

Then what parts of Gentoo Linux are not needed to have it running?

----------

## pjp

"gentoo firewall box advise" and "help with proxy server/firewall" might be a good starting point.

----------

## rizzo

Then you don't need gentoo really.  But look at LEAF.  It's a firewall on a floppy.  You don't even need a hard drive.  I recommend the Bering release.  Uses Linux 2.4 kernel and iptables.

For Bering they recommend a pentium or higher, but with any resources you could buy Pentium 200s for $10 nowadays.

----------

## elzbal

Also check out OpenBSD. It has some *very* powerful stateful firewall features, including transparent firewalling and mongering of initial packet numbers to prevent OS detection.

http://www.openbsd.org/

http://ezine.daemonnews.org/200207/transpfobsd.html

http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

http://www.onlamp.com/pub/ct/58

(Ignore the '1GB' requirement in the first article... you can get it on much smaller boxes than that for a pure firewall. Mine is using only 170MB of disk space and 18MB RAM, and it can probably go even smaller.)

----------

## bluesky

Does a firewall box need to run smoothly, with less noise if you run it at home, and not break down suddenly? I looked at a few available on eBay priced from 80-180 including shipping.

----------

## ronmon

An old, slow computer can make a great firewall/router for cheap and some of them can even run fanless. But yeah, you want it to be reliable. A floppy or CDROM based firewall distro can even negate the need for a HDD which is a pretty good source of heat and noise. And keep in mind that a 500MB HDD is pretty darned old, how much longer can you expect it to run?

None of this was an issue for me since my main box is a SMP monster with 9 (yes, nine) fans that drown out just about everything else anywhere near it. Also, hostap_pci requires a PCI 2.2 compliant motherboard so I needed fairly current hardware. Mine is a Celeron 566 (oc'd to 850 :) ) box that I picked up cheap on the AnandTech forum. Unable to find a CDROM firewall distro with hostap support, I went the Gentoo/Shorewall route. Still, the total cost of hardware, including the computer, NICs and 802.11b card was under $200.

The cheapest AP/LAN gateway/routers I have seen that are any good start around $120 and the only "security" they offer is WEP. LAN-only ones start around $40-$50. Either way you compare them, as long as you consider the level of security, a Linux router kicks their butts.

JMHO

----------

## Ragnar

I can't get any old computers.....

So I have started to use Celeron 1.7, 20 GB hdd and 128 MB ram computers...

----------

## ronmon

You shouldn't have any trouble building Gentoo on that :)

----------

## Ragnar

No, but that's overkill....

That is the cheapest, slowest computer I could get.

----------

## elzbal

A pentium 90 is overkill (for a pair of T1s or less).

Your celeron is VERY overkill.

I'd give you a P90 free if only out of pity for your poor unused celeron...

----------

