# Secure firewall

## Keruskerfuerst

I am searching for a secure firewall for my 50MBit DSL connection.

I have a special distortion on my internet connection.

I have searched a bit and found the following device:

Cisco ASA 5506-X: I have found no information about configuring the firewall.

Can anyone recommend a secure firewall device or how to build one?

----------

## NeddySeagoon

Keruskerfuerst,

 *Keruskerfuerst wrote:*   

> I have a special distortion on my internet connection. 

 

Tell us more.

I use shorewall (IPv4) and shorewall6 (IPv6) on a gentoo hardened KVM as my firewall on my router.

----------

## Keruskerfuerst

Please visit the following bug:

https://bugs.gentoo.org/show_bug.cgi?id=562792

It is a special internet distortion, superimposed signal from a certain location in ..., it is ...

----------

## Syl20

 *Keruskerfuerst wrote:*   

> I am searching for a secure firewall for my 50MBit DSL connection.

 

Well, tell us more about your needs.

The bandwidth isn't a problem, as almost all networking devices can work at least at 100Mb/s. The problem could be the number of packets per second they'll have to analyze (e.g. do you use P2P apps intensively?), the number of firewall rules you plan to put in (the more there are, the more CPU time is required to parse them), and the "level of security" you want (Deep Packet Inspection is more secure, but can easily overload the system, for example).

How many network devices do you want ? How many servers and workstations on your network ? Do you use VLANs ? DMZs ? VPNs ? Proxies ?

Are you comfortable with networking ? Do you prefer an easy-to-use appliance, or to go deeply on the guts of the beast ?

And, last but not least, what is your spending limit ?

The most adaptable solution is obviously a linux (Gentoo hardened...) box with netfilter/iptables.

----------

## Keruskerfuerst

Network setup:

Internet->modem->firewall->router (8 GBit ports)

Currently I use a 50MBit/s VDSL2+ connection. It may be upgraded to 100MBit/s.

Preferred utilization:

1. "Normal" internet surfing (webpages, shopping,...)

2. From time to time P2P, I only download programs like LibreOffice or ISO images

3. Internet banking (with https and security services)

4. No VPN

5. No Proxies

6. I do understand networking like ipv4, ipv6 and networking fundamentals

7. iptables or nftables rules: block all ports except: ftp, http, https, imap, pop, smtp and internet time service

I spent some time assembling a firewall computer:

1. CPU: Intel Core i3 6300T

2. Mainboard: Asus Z170 Pro Gaming

3. 32GB DDR4-2133 HyperX modules

4. 256GB Samsung 850 Pro

5. Intel PCIe 1GBit networking card (1 GBit networking device is on board)

6. CPU cooler: Thermalright True Spirit

7. no additional graphics card

I wonder if the internal graphics of the processor is supported by Gentoo or any other hardened distro.

----------

## Syl20

Your computer is oversized by far. I have a self-made box too:

- Core2duo e7300,

- 4 GB DDR3, 

- 40 GB SATA HDD,

- 5 PCIe + 1 onboard 1Gb/s NICs.

~300 firewall rules (3 intranet zones, 7 physical computers), P2P, fail2ban, web reverse proxy, mail relay, DNS cache, NTP relay, and several additional little tasks, like an rsync server to redistribute the portage updates. The machine gets bored:

```
top - 15:16:07 up 3 days,  7:03,  1 user,  load average: 0,00, 0,01, 0,05
Tasks:  82 total,   1 running,  81 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0,0 us,  0,2 sy,  0,0 ni, 99,2 id,  0,7 wa,  0,0 hi,  0,0 si,  0,0 st
KiB Mem :  4043160 total,  2766468 free,    87904 used,  1188788 buff/cache
KiB Swap:  2097148 total,  2097148 free,        0 used.  3904216 avail Mem
```

If you plan to manage your box by command line, there is no problem with Gentoo hardened and your graphics chipset. You just have to configure your kernel if you want a framebuffer console.

You should configure your router as a switch, or replace it by a switch, as the firewall is, by design, a router too.

----------
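The ruleset Keruskerfuerst describes above (block everything except ftp, http, https, imap, pop, smtp and time service) combined with Syl20's point that the firewall box is the router, written out as an nftables ruleset. This is an added example and not configuration posted by anyone in the thread. The interface names `wan0` (towards the modem) and `lan0` (towards the switch) and the LAN prefix `192.168.1.0/24` are assumptions; adjust them to the real names from `ip link`. Two services missing from the original list are added because the stated use (web browsing, banking) does not work without them: DNS (udp/53) and, for the "internet time service", NTP (udp/123).

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Interface names and the LAN
# prefix below are assumptions; replace them with the real ones.
flush ruleset

define wan     = "wan0"            # assumption: interface facing the DSL modem
define lan     = "lan0"            # assumption: interface facing the LAN switch
define lan_net = 192.168.1.0/24    # assumption: private LAN prefix

# Outbound services the LAN may reach (poster's list, plus DNS and NTP).
define tcp_out = { ftp, http, https, imap, imaps, pop3, pop3s, smtp, submission }
define udp_out = { domain, ntp }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        # Replies to connections the box itself opened, plus helper-expected
        # flows such as FTP data connections.
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path-MTU discovery; ICMPv6 also carries
        # neighbour discovery and router advertisements on the WAN side.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Address leases from the ISP (only if the modem or ISP uses DHCP/DHCPv6).
        iifname $wan udp sport 67 udp dport 68 accept
        iifname $wan udp dport dhcpv6-client accept

        # Management and LAN-side services only from the LAN interface.
        iifname $lan tcp dport ssh accept
        iifname $lan udp dport domain accept    # only if this box runs a DNS cache
        iifname $lan udp dport 67 accept        # only if this box runs the DHCP server

        # Everything else arriving unsolicited from the Internet is dropped.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN -> Internet: only the listed services.
        iifname $lan oifname $wan tcp dport $tcp_out accept
        iifname $lan oifname $wan udp dport $udp_out accept
        iifname $lan oifname $wan icmp type echo-request accept
        iifname $lan oifname $wan icmpv6 type { echo-request, packet-too-big } accept

        # Nothing is forwarded from the Internet into the LAN unsolicited.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    # FTP data connections are only seen as "related" when the FTP conntrack
    # helper is attached to control connections (kernel: CONFIG_NF_CONNTRACK_FTP).
    ct helper ftp-std {
        type "ftp" protocol tcp
    }
    chain prerouting {
        type filter hook prerouting priority 0;
        tcp dport ftp ct helper set "ftp-std"
    }
}

# IPv4 NAT: the LAN uses private addresses behind the single ISP address.
# IPv6 is routed, not translated; the forward chain above applies to both.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan ip saddr $lan_net masquerade
    }
}
```

Check the syntax without touching the running kernel with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf` and verify with `nft list ruleset`. Forwarding must also be switched on (`net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` in sysctl), otherwise the forward chain never sees any packets. Note that "block all ports" is only enforced here for traffic entering from the WAN and for the LAN's outbound connections; the box's own output chain is left open so that its package updates and NTP sync keep working, and the LAN rules for DNS and DHCP should be removed if the box does not provide those services.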

## The_Great_Sephiroth

I have a P2/433MHz box running Debian 7.8 32bit which does this for me. I use iptables for my firewall and bind9 for DNS. I use ISC-DHCP-Server for DHCP. Been working great for years now. I think it has a 4GB IDE disk in it. I access it via SSH since it only has power and Ethernet plugged into it.

----------

## fayeseom

Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

----------

