On Fri, 2006-14-04 at 11:01 -0700, Wolfgang S. Rupprecht wrote:
> Eugen Leitl <eugen@xxxxxxxxx> writes:
>
> > 200 MHz MIPSel with 32 MBytes RAM is underpowered for a residential
> > firewall? Only for most extreme P2P users. If it sucks you're running
> > the wrong firmware.
>
> I guess I could have worded it a bit differently because a 200MHz risc
> would indeed have been quite fast just a short while ago. I was just
> trying to say that given the choice of running what amounts to the
> same code on a 200MHz clockrate ARM risc chip or a 2GHz (or more) x86,
> the x86 is going to win.
>
> I regularly do rdists to unify the filesystems and to do periodic
> disk-to-disk backups. When a slow machine is in the middle of the
> transfer the rdist takes 2 or 3 hours. When it is on a switched
> 10/100/1000 ether it only takes 1 hour.
>
> > If it's underpowered, use a 266 MHz soekris or wrap board with 128 MBytes --
> > and add swap space, if you must. If it's *still* underpowered, take a
> > mini-ITX Eden, booting from compact flash.
>
> The openbsd folks tried using a soekris as a router and were very
> frustrated at how slowly the resulting router worked. Perhaps things
> have changed.
>
> >> fedora does. Why not run the firewall on a more powerful box like
> >> your main computer?
> >
> > Because a software firewall is complementary to an external
> > firewall. You could risk running a rich environment behind
> > an external firewall without exposing your soft white underbelly
> > to the net badness -- but arguably you should run a tight
> > ship nevertheless. Notice that a software firewall can
> > in principle know which application is using which port -- which
> > an external firewall wouldn't know.
>
> For years (long before those router NAT boxes were on the market) I
> started putting two ethernet cards in my "main" machine. The
> internet-facing card was heavily firewalled with only ssh, www, smtp
> and dns allowed in. The other was essentially open and went to the
> local net. This was the same topology as the consumer firewall, but
> allowed for more featureful firewalling. One thing you can't do in a
> consumer box is load it with a 2,000 element block list. You also
> can't change the blocklist at runtime (at least not easily) via a cron
> task that periodically checks your logfiles and sees who is up to no
> good. It is really handy to put any abusive IP or network into the
> list for a 90 day "chill-out" timeout. (I use this to block mostly
> Chinese and Brazilian email spambots that otherwise would hammer my
> smtp and www server and for dealing with folks that hammer my ssh
> trying to guess passwords.)

Most of these issues can be argued in different directions. If you need a router for a small home or office a broadband router should suffice. If you need a hard core router, I would suggest Cisco or other similar products. I have used Linux machines as routers in the past, and it worked quite well, but they are far less efficient than dedicated hardware routers. The main advantage of using a Linux/BSD machine as a router is that you can customize the features at will, and buy off the shelf components to build and repair it. Some other disadvantages of using a Linux/BSD machine as a router are the hard drive and relative storage and power consumption requirements. Even a good hardware firewall for home or SOHO use costs less than most new PCs. If you have an old machine kicking around it might be worth a try, but properly hardening and configuring a Linux/BSD machine as a firewall is not for anyone without plenty of experience.
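The cron-driven blocklist that Wolfgang describes in the quoted message (scan the logs, put abusive IPs on a block list, release them after a 90 day "chill-out") is easy to sketch. The script below is an added example, not code from anyone in this thread: it parses a handful of constructed OpenSSH "Failed password" lines, counts failures per source address, adds any address that crosses an assumed threshold of five failures to a blocklist with a 90 day expiry, prunes expired entries on a later pass, and renders the corresponding standard `iptables` DROP rules as strings for review rather than executing them. The threshold, the sample log lines and the timestamp of the run are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth.log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
Apr 14 10:01:02 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Apr 14 10:01:05 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Apr 14 10:01:09 gw sshd[2315]: Failed password for root from 203.0.113.7 port 40213 ssh2
Apr 14 10:01:11 gw sshd[2316]: Failed password for invalid user oracle from 203.0.113.7 port 40214 ssh2
Apr 14 10:02:30 gw sshd[2320]: Failed password for root from 203.0.113.7 port 40215 ssh2
Apr 14 10:03:00 gw sshd[2330]: Accepted publickey for wsr from 192.0.2.10 port 51000 ssh2
Apr 14 10:04:00 gw sshd[2340]: Failed password for wsr from 192.0.2.10 port 51001 ssh2
Apr 14 10:05:00 gw sshd[2350]: Failed password for invalid user test from 198.51.100.23 port 3333 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user] NAME from IP port N" message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5                 # assumption: five failures in one log window earns a block
CHILL_OUT = timedelta(days=90)  # the 90 day timeout from the message


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def update_blocklist(blocklist, failures, now, threshold=THRESHOLD):
    """Add (or refresh) offenders with a chill-out expiry. Returns the IPs newly added."""
    added = []
    for ip, n in failures.items():
        if n >= threshold:
            if ip not in blocklist:
                added.append(ip)
            blocklist[ip] = now + CHILL_OUT   # refresh the timer on repeat offenders
    return added


def expire_blocklist(blocklist, now):
    """Drop entries whose chill-out has elapsed. Returns the IPs released."""
    released = sorted(ip for ip, until in blocklist.items() if until <= now)
    for ip in released:
        del blocklist[ip]
    return released


def iptables_commands(ips):
    """Render standard iptables rules for the given IPs (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def demo():
    """One cron-style pass over the sample log, then a simulated 90 day expiry."""
    now = datetime(2006, 4, 14, 10, 10)   # constructed timestamp for this run
    blocklist = {}
    added = update_blocklist(blocklist, count_failures(SAMPLE_LOG), now)
    commands = iptables_commands(added)
    # 89 days later the entry is still blocked; at 90 days it is released.
    still_blocked = expire_blocklist(blocklist, now + timedelta(days=89)) == []
    released_later = expire_blocklist(blocklist, now + CHILL_OUT)
    return {
        "added": added,
        "commands": commands,
        "still_blocked": still_blocked,
        "released_later": released_later,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the blocklist would be persisted between cron runs (a file of `ip expiry` pairs is enough) and the rendered commands would be applied and reverted by the same job, which is the runtime change to the list that a consumer box does not let you make.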