Eugen Leitl <eugen@xxxxxxxxx> writes:

> 200 MHz MIPSel with 32 MBytes RAM is underpowered for a residential
> firewall? Only for most extreme P2P users. If it sucks you're running
> the wrong firmware.

I guess I could have worded it a bit differently because a 200 MHz RISC would indeed have been quite fast just a short while ago. I was just trying to say that given the choice of running what amounts to the same code on a 200 MHz clockrate ARM RISC chip or a 2 GHz (or more) x86, the x86 is going to win.

I regularly do rdists to unify the filesystems and to do periodic disk-to-disk backups. When a slow machine is in the middle of the transfer the rdist takes 2 or 3 hours. When it is on a switched 10/100/1000 ether it only takes 1 hour.

> If it's underpowered, use a 266 MHz soekris or wrap board with 128 MBytes --
> and add swap space, if you must. If it's *still* underpowered, take a
> mini-ITX Eden, booting from compact flash.

The OpenBSD folks tried using a soekris as a router and were very frustrated at how slowly the resulting router worked. Perhaps things have changed.

>> fedora does. Why not run the firewall on a more powerful box like
>> your main computer?
>
> Because a software firewall is complementary to an external
> firewall. You could risk running a rich environment behind
> an external firewall without exposing your soft white underbelly
> to the net badness -- but arguably you should run a tight
> ship nevertheless. Notice that a software firewall can
> in principle know which application is using which port -- which
> an external firewall wouldn't know.

For years (long before those router NAT boxes were on the market) I started putting two ethernet cards in my "main" machine. The internet-facing card was heavily firewalled with only ssh, www, smtp and dns allowed in. The other was essentially open and went to the local net. This was the same topology as the consumer firewall, but allowed for more featureful firewalling.

One thing you can't do in a consumer box is load it with a 2,000 element block list. You also can't change the blocklist at runtime (at least not easily) via a cron task that periodically checks your logfiles and sees who is up to no good. It is really handy to put any abusive IP or network into the list for a 90 day "chill-out" timeout. (I use this to block mostly Chinese and Brazilian email spambots that otherwise would hammer my smtp and www server and for dealing with folks that hammer my ssh trying to guess passwords.)

-wolfgang

-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
Direct SIP URL Dialing:  http://www.wsrcc.com/wolfgang/phonedirectory.html
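The cron-driven log check with a 90-day "chill-out" blocklist described in the post, as an added example that is not the poster's own script: it assumes OpenSSH "Failed password" log lines, a threshold of three failures per source address, and emits (rather than executes) the iptables commands, so the cron job can review or apply them; the log lines and addresses below are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log lines in OpenSSH "Failed password" format.
# 203.0.113.x / 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar  3 10:01:15 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Mar  3 10:01:19 gw sshd[2011]: Failed password for root from 203.0.113.5 port 4323 ssh2
Mar  3 10:02:40 gw sshd[2044]: Failed password for wolfgang from 198.51.100.7 port 5110 ssh2
Mar  3 10:03:01 gw sshd[2050]: Accepted publickey for wolfgang from 198.51.100.7 port 5111 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port")
THRESHOLD = 3                    # failures before an address is blocked (assumed policy)
CHILL_OUT = timedelta(days=90)   # the 90-day timeout described in the post


def offenders(log_text, threshold=THRESHOLD):
    """Count failed-password lines per source IP; return those at or over threshold."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def update_blocklist(blocklist, log_text, now):
    """blocklist maps ip -> expiry datetime (the cron job persists it between runs).
    Expires entries whose chill-out period has passed, adds new offenders,
    and returns (blocklist, list of iptables commands to apply)."""
    cmds = []
    for ip, expiry in list(blocklist.items()):
        if expiry <= now:                       # 90 days are up: unblock
            del blocklist[ip]
            cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
    for ip in offenders(log_text):
        if ip not in blocklist:                 # already blocked: leave the timer alone
            blocklist[ip] = now + CHILL_OUT
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return blocklist, cmds


if __name__ == "__main__":
    _, commands = update_blocklist({}, SAMPLE_LOG, datetime.now())
    print("\n".join(commands))
```

The single-failure login from 198.51.100.7 stays below the threshold and is not blocked; the run-time addition of a blocked address is the step the post says a consumer box cannot do.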