24 Comments
- akinbanjo, on 10/12/2007, -0/+5: I'm sure this tutorial is about more than building a bargain (or not) firewall. It's for people who want to learn how things work.
- hoofarted, on 10/12/2007, -5/+10: Do not be misguided into believing that this is an effective use of your time. I have worked in the IT industry for a very long time and there have always been people who say things like, "Use your old 486 PCs to run Linux as a firewall...", etc., and I am not convinced that this is the best thing to do.
The main reason is that old computers are not as power efficient as new computers, and once you have had this baby up and running for a year or two, you would have spent as much in power as it would have taken to buy a dedicated hardware device. If you are a home user or a small business that has 10 - 40 users or so, a cheap $100 device would do, and any business with 50 users and more would usually have turnovers great enough to buy a more expensive, dedicated device.
Another reason not to build your own, in this way, is that if your remuneration rate is £20 per hour, by the time you have got this up and running 100%, it would have cost you 16 hours, at least, so you can add an additional cost of £320 onto the cost of the device.
Just go out and buy something that does the job and get over it. Your time is more valuable than you think.
- spikes, on 10/12/2007, -0/+5: Here's my personal script I've been working at off and on for the last few years.
http://spykes.net/?p=firewall
- giid, on 10/12/2007, -0/+3: Maybe I'm missing something, but why allow UDP packets on port 80 for, say, a web server? From my experience, only TCP is needed for most daemons, including, but not limited to, ssh, telnet, ftp, smtp, pop3, imap.
UDP really should only be needed if you're running a DNS server (port 53), or maybe a TeamSpeak or other gaming "real time" type server. Maybe LDAP, VPN, etc. might need UDP as well, but I don't know enough about those, since I've never used them.
- JQP123, on 10/12/2007, -0/+3: "Headless workstation with low power CPU, can even use something like VIA running on a 12v supply with a fanless CPU, VERY low power footprint."
Most off-the-shelf routers are essentially what you describe, a computer with a low-power, fanless CPU, often ARM based, often running Linux. Unless you just happen to have something like this lying around unused, it's usually cheaper to buy rather than build, thanks to the wonders of mass production and free enterprise.
- JQP123, on 10/12/2007, -1/+3: "It all depends, you can get nice compact computers from soekris.com."
An off-the-shelf router with built-in firewall is still more cost effective in many cases, especially if you value your time. There are reasons for rolling your own, but time and money are not among them.
- inactive, on 10/12/2007, -1/+3: Man, what a detailed guide. I'll bookmark it in case I should ever need it, but I doubt I'll bother reading something so large. Digg, just because of the effort the guy put into writing this.
- libervisco, on 10/12/2007, -1/+3: drunkenjerkface: No, I posted the story to Digg, not the author of the actual article.
Besides, do you have a problem with someone wanting to be acknowledged for the work he's done? He wrote it not for himself, but for other people. It is only natural he'd like those people to read and appreciate it if they believe it's worth it.
- lowesch, on 10/12/2007, -0/+2: It all depends, you can get nice compact computers from soekris.com.
They're cheap, use a small amount of power and are designed from the ground up to be a firewall, VPN or gateway. And to run *BSD or GNU/Linux.
- ShaolinTiger, on 10/12/2007, -2/+4: hoofarted, I don't agree at all.
Headless workstation with low power CPU, can even use something like VIA running on a 12v supply with a fanless CPU, VERY low power footprint.
Use something like IPCop, install time 5 minutes, setup time 5 minutes, total cost = whatever old hardware you have lying around, time spent 10 minutes.
IPCop/Smoothwall/Monowall etc.
http://www.ipcop.org/
Plenty available, why roll your own? Someone has rolled it for you (with extra features like IDS, proxy, DMZ built in).
- rageguy, on 10/12/2007, -0/+2: This guide is completely applicable to Linux workstations as well, and for the 20 minutes' work it would take copying and pasting the parts of his iptables rules that apply to me, I think it's a bargain.
- ahhell, on 10/12/2007, -1/+2: The title of this digg should have had a "boyeee" in it. Might have been digg worthy then. /sarcasm
- rylin, on 10/12/2007, -0/+0: Roll your own firewall?
No thanks, I'd rather go with enterprise class stuff like m0n0wall ( http://m0n0.ch/wall/ )
- shawnanigans, on 10/12/2007, -8/+8: The title sounds like something drug related.
- supermikedigg, on 10/12/2007, -0/+0: giid, you make a good point. However, in the article I do have a short paragraph where I mention to people to turn on both just to make it easy, then take away one and see if that breaks something. In my opinion, noobs don't need to know "HTTP only works on TCP". For now, they can shortcut that and actually learn the process here of building something that they can build upon. But thanks again for your point. Perhaps my next technology article will try to clear the air for those intermediate and more professional users who may read my phrasing and say, "Yes, but..."
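One way to find the leftovers of the "turn on both, then take one away" approach that giid and the author discuss is to scan the saved rule set for ACCEPT rules that open UDP on ports whose services only speak TCP. This is an added example, not code from the article or from anyone in this thread; the iptables-save excerpt and the TCP-only service table are constructed for it.

```python
import re

# Constructed table of services that only use TCP (giid's list plus https).
# DNS (53) is deliberately absent: it legitimately needs both UDP and TCP.
TCP_ONLY_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
    80: "http", 110: "pop3", 143: "imap", 443: "https",
}

# Constructed iptables-save excerpt in the "allow both protocols" first-draft style.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
"""

# Matches a single-port ACCEPT rule: "-A CHAIN ... -p tcp|udp ... --dport N ... -j ACCEPT".
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<port>\d+)\b.*?-j ACCEPT\s*$"
)


def find_unneeded_udp(rules_text):
    """Return (line_no, port, service) for ACCEPT rules that open UDP on a TCP-only port."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m and m.group("proto") == "udp" and int(m.group("port")) in TCP_ONLY_PORTS:
            port = int(m.group("port"))
            findings.append((line_no, port, TCP_ONLY_PORTS[port]))
    return findings


def tightened(rules_text):
    """Return the rule set with the flagged UDP lines removed (everything else untouched)."""
    flagged = {line_no for line_no, _, _ in find_unneeded_udp(rules_text)}
    kept = [l for i, l in enumerate(rules_text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, port, service in find_unneeded_udp(SAMPLE_RULES):
        print(f"line {line_no}: UDP opened on {port} ({service}), which only uses TCP")
```

Run it against the output of `iptables-save` on the box being hardened; a rule the checker flags is one to remove and then retest, which is the step the author describes.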
- foxter, on 10/12/2007, -1/+1: Personally, I would much rather follow this guide than buy off the shelf. After all, this is what a geek loves and does.
- Glanzer, on 10/12/2007, -0/+0: That looks like a great article. It's probably handy for someone trying to learn iptables to "do it from scratch", but if you don't have any firewall you might want to use someone else's iptables scripts until you can roll your own. The script I've used is called NARC: http://www.linuxsoft.cz/en/sw_detail.php?id_item=5057 The nice thing about it is that you can look through the script and see what it's doing; that way you can use the iptables guide posted above and compare it against the script to see what it's doing.
- mancat, on 10/12/2007, -3/+2: Except for maybe the one that's included with Windows?
- inactive, on 10/12/2007, -3/+1: All I read was "Roll your own". Damned ADD.
- jimmyblake, on 10/12/2007, -2/+0: I second the comments made about IPCop; even the newest of users (as long as they understand what DHCP is, as well as what external and internal zones are) can get a firewall up in about 5 minutes flat.
Despite it being very easy to use, there is much for the more demanding user if they choose to use it: Intrusion Detection using SNORT, including automatic signature update downloading using Oinkmaster; caching proxy using SQUID; support for multiple interfaces to create De-Militarised Zones; nice graphical reporting for IDS, firewall and network usage charts a la MRTG; and IPSec Virtual Private Networking.
I would recommend this to anyone, even over some of the cheap appliance firewalls; you can implement a simple firewall or a complex one to meet your needs.
http://www.ipcop.org/
James
--
James Blake
http://www.jamesblake.co.uk
- joel2600, on 10/12/2007, -4/+1: roll your own what? *cough*
fire who?
- drunkJerkface, on 10/12/2007, -5/+1: I'm assuming that the guy who posted this here was the guy who made the post in the "article." What a ***** attention whore!
**gay voice** "Hey nobody is digging my "story" I put a lot of work into that!" **/gay voice**
- OBKenobi, on 10/12/2007, -5/+1: How about something for XP? Ever since Sygate was hijacked by Symantec, there aren't any bloat-free, stable Windows firewalls.
- smcavoy, on 10/12/2007, -7/+1: firewalls are for wusses, real men don't use firewalls.