Re: Low power mini-itx system for firewall
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Fri, 10 Aug 2007 14:51:02 -0500
On Thu, 09 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
<HMGui.56771$5j1.33472@xxxxxxxxxxxxxxxxxxxxxxxxxx>, Steve Chapel wrote:
> Moe Trin wrote:
>> Why should you be wasting those CPU cycles on a firewall that is already
>> going to be busy enough trying to shift packets between gigabit NICs?
> I don't plan on running a GUI. Why would I want to run a GUI on a
> computer that's serving as a firewall? On my cluster's frontend node I'm
> running CentOS. It's currently using 0.0% CPU and consuming 220 MB of
> RAM. A fairly cheap computer can easily have 512 MB of RAM and 40 MB
> hard disk, which seems plenty of resources to run CentOS.
That 386SX I'm using has 8 Megs of RAM. But the release notes for Fedora
6 and 7 state it _requires_ 128 MB for text-mode, 192 MB for GUI, and
_recommends_ 256 MB for the GUI. That's mainly because of the eye-candy
tools it's using.
Most of the servers where I'm working are cast-off workstations, with the
fancy video card replaced by a gutless SVGA card (text-only doesn't need
horsepower), and the hard drive system replaced (our work-stations are
IDE/EIDE/ATA, and our servers tend to be SCSI). Workstations tend to be
high-end boxes ("my secretary _needs_ a Quad Xeon with 4 Gigs of RAM to
handle my mail"), and such units would normally be severely oversized
for then-current server operations.
I know the "40 MB hard disk" is a typ0 (that's not enough room for the
install program, never mind the simplest install of a general purpose
distribution), and that such drives are rather rare in this age, but
there are _firewall_ distributions that don't even need that much.
> My concern about the 1.5 GHz VIA C7 systems is that the CPU is only
> about as fast as a 600 MHz Celeron, but the OS is not going to be
> consuming CPU on its own.
>> A lot depends on what you are expecting your firewall to be doing.
There's the key. For a simple ("Yes/No") firewall, the bottleneck is
going to be the bus between the NICs and the other crap stealing CPU
cycles. With bus-mastering NICs, even an old Pentium I should be
adequate. If you have the firewall doing content filtering, or running
around in circles drawing pictures for some luser who should be using
their own desktop for those tasks, then the CPU becomes a lot more
important.
> On our Internet connection (1.5 or 3.0 Mbps) we will be running a
> stateful firewall and may be doing some content filtering.
That would _probably_ be OK, as the connection allows time to do things.
> We will also need a firewall for our 802.11n wireless access point (300
> Mbps). This firewall would be allowing traffic from our own laptops to
> get into our internet network, and allowing guest laptops to access only
> the Internet. I would think that this filtering would be inexpensive.
Should be - the WAP is doing the hard work, and all you're going to be
doing is simple routing with a Yes/No type of firewall. As an aside, we
do not allow guest computers on our networks. Period. We have a
completely separate network with systems in the cafeteria and employee
break areas so that our employees can do personal stuff. I'm using one
now to post this. On occasion, visitors have been allowed to use those
computers (which are actually owned by the employee association), but
that's not very common.
> We might also want a firewall between our remotely accessible systems,
> such as our email and web servers, and our internal network. Both of
> these networks will be gigabit Ethernet. This is where I'm not sure the
> 1.5 GHz VIA C7 will be fast enough.
A lot depends on the paranoia of the setup. In our case, the only access
to the DMZ _from_ the internal LAN is administrative, and limited to a
few systems. Access _to_ the DMZ is similarly limited. The public mail
server can only be accessed by the internal mail servers. All other
connections are blocked. Systems in the DMZ can not initiate connections
to the internal networks. The web server in the DMZ is for external use,
and thus traffic between it and the administrative box inside is
relatively light. (The web servers used internally have no need for
external access. Internal use of external web servers is through a
proxy.)
Old guy
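As an added illustration (not code from this thread or from any of the posters), here is a small Python model of the stateful "Yes/No" filter and the DMZ policy Moe describes above: NEW connections are checked against a zone policy (admin hosts only to the DMZ, the internal mail servers only to the public MX, the DMZ never initiating toward the inside, outside web traffic only to the public web server), while reply packets of an already-admitted connection pass on state alone. The address ranges, the admin and mail hosts, the proxy placed in the DMZ, and the outbound ports granted to the DMZ are all constructed assumptions, not taken from the post.

```python
"""Stateful zone-based packet filter modelling the DMZ policy from the thread.

Everything below is constructed for illustration: addresses use documentation
ranges, and the hosts and ports are assumptions, not anything the posters named.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # assumed internal LAN
DMZ = ipaddress.ip_network("192.0.2.0/24")       # assumed DMZ (TEST-NET-1)

ADMIN_HOSTS = {"10.0.0.10"}      # the "few systems" allowed to administer the DMZ
INTERNAL_MAIL = {"10.0.0.25"}    # internal mail servers that may reach the public MX
PUBLIC_MAIL = "192.0.2.25"       # public mail server in the DMZ
PUBLIC_WEB = "192.0.2.80"        # external-facing web server in the DMZ
PROXY = "192.0.2.3"              # assumed: the web proxy lives in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True marks the first packet of a new TCP connection


def zone(ip: str) -> str:
    """Classify an address into the three zones the policy talks about."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "external"


def policy_allows_new(p: Packet) -> bool:
    """Zone policy for NEW connections only; everything not listed is denied."""
    s, d = zone(p.src), zone(p.dst)
    if s == "internal" and d == "dmz":
        # Only administrative access, the mail relay path, and the proxy.
        if p.src in ADMIN_HOSTS and p.dport == 22:
            return True
        if p.src in INTERNAL_MAIL and p.dst == PUBLIC_MAIL and p.dport == 25:
            return True
        return p.dst == PROXY and p.dport == 3128
    if s == "external" and d == "dmz":
        # Public services only: SMTP to the MX, HTTP/HTTPS to the web server.
        return (p.dst, p.dport) in {(PUBLIC_MAIL, 25), (PUBLIC_WEB, 80), (PUBLIC_WEB, 443)}
    if s == "dmz" and d == "external":
        # Assumed outbound needs: the MX delivers mail, the proxy fetches web pages.
        return (p.src == PUBLIC_MAIL and p.dport == 25) or (
            p.src == PROXY and p.dport in (80, 443))
    # dmz -> internal, external -> internal and direct internal -> external: blocked.
    return False


class StatefulFilter:
    """Minimal connection tracker: admit NEW by policy, ESTABLISHED by state."""

    def __init__(self) -> None:
        self.conntrack: set[tuple[str, str, int, int]] = set()
        self.log: list[tuple[str, Packet]] = []

    def handle(self, p: Packet) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if key in self.conntrack or reverse in self.conntrack:
            verdict = "ACCEPT"  # ESTABLISHED: part of a connection already admitted
        elif p.syn and policy_allows_new(p):
            self.conntrack.add(key)
            verdict = "ACCEPT"  # NEW and permitted by the zone policy
        else:
            verdict = "DROP"    # NEW but denied, or a stray non-SYN packet with no state
        self.log.append((verdict, p))
        return verdict


def demo() -> list[str]:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.25", "192.0.2.25", 40000, 25, syn=True),   # internal MX -> public MX
        Packet("192.0.2.25", "10.0.0.25", 25, 40000),             # reply on that connection
        Packet("192.0.2.25", "10.0.0.25", 50000, 22, syn=True),   # DMZ trying to initiate inward
        Packet("10.0.0.50", "192.0.2.25", 40001, 25, syn=True),   # ordinary internal host -> MX
        Packet("10.0.0.10", "192.0.2.80", 40002, 22, syn=True),   # admin box -> DMZ web server
        Packet("203.0.113.7", "192.0.2.80", 1234, 80, syn=True),  # outside world -> public web
        Packet("203.0.113.7", "10.0.0.10", 1235, 80, syn=True),   # outside world -> internal
        Packet("203.0.113.7", "192.0.2.80", 1236, 80),            # non-SYN packet, no state
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the `syn` check is the one Moe makes about a stateful firewall: the policy table is consulted once, for the first packet of a connection, and every later packet in either direction is a cheap set lookup. A real kernel filter (netfilter's conntrack) does the same with far more protocol awareness; this model only shows why the per-packet cost of a Yes/No filter is small enough that NIC and bus throughput, not the CPU, set the ceiling.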