Slashdot Mirror


CompactPCI-Based BSD Firewalls?

Legend asks: "I am looking into implementing a BSD based firewall at my place of employment. I have been looking at different solutions, from Nokia and Cisco, but they seem quite expensive, and the Cisco solution is nothing more than a router with some extra software, and the Nokia nothing more than a PC with extra software. I have decided to build my own PC/BSD based firewall, with FreeBSD or OpenBSD; however, I am looking for the perfect hardware for this project. CompactPCI looks like a great choice, but I am wondering if anyone has run *BSD on this hardware, and if there are any pitfalls to it. CompactPCI seems like it would be the perfect firewall solution: compact flash based boot drives, hot-swappable processors, up to eight PCI slots for NICs." Sounds like a nice idea for an always-on PC appliance. Although we covered some of the issues with BSD firewalls in an earlier article, it would be interesting to know your thoughts on CompactPCI and how well it can stand up to this kind of use.

4 of 9 comments

  1. Good reasons to use *BSD instead of PIX. by Nonesuch · Score: 4
    One of the advantages of custom building a firewall using *BSD with IP-Filter is that you can load your own protocol-aware and 'application proxy' software on the device, where the PIX is strictly a stateful-inspection packet filter with some minimal protocol awareness for 'fixup', and that sometimes doesn't even work correctly, such as their FTP fixup hole.

    The disadvantage to the Cisco PIX is that the OS is not well known and not available for download, so you will never know what exploitable holes exist. Meanwhile, Cisco engineers and any uber-crackers who have obtained copies of PIX source code can root you at will :-)

    Sure, BSD has had a few holes, but most of those are related to software you don't need installed on your firewall. Or you load OpenBSD, and eliminate the majority of OS exploits from the problem pool.
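
    As an added illustration of the split this comment describes (a stateful packet filter in the kernel, with an application-aware proxy layered on top), here is a minimal IP Filter configuration for a two-interface FreeBSD or OpenBSD box. This is example configuration written for this page, not the commenter's own; the interface names fxp0/fxp1, the 192.168.1.0/24 LAN and the 203.0.113.10 mail host are assumptions.

```text
# /etc/ipf.rules  (constructed example; fxp0 = outside, fxp1 = inside)

# Anti-spoofing: nothing claiming an inside source may arrive on the outside interface.
block in log quick on fxp0 from 192.168.1.0/24 to any

# Stateful outbound: the first SYN creates a state entry; reply packets are matched
# against it, so no "pass in" rule for return traffic is needed.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound: only SMTP to the mail host; everything else is logged and dropped.
pass in quick on fxp0 proto tcp from any to 203.0.113.10/32 port = 25 flags S keep state
block in log quick on fxp0 all

# Inside interface: trust the LAN.
pass in  quick on fxp1 all
pass out quick on fxp1 all

# /etc/ipnat.rules  (constructed example)
# NAT for the LAN. The first line hands FTP control connections to ipnat's built-in
# FTP proxy, which rewrites PORT commands and opens the matching data connection,
# the "protocol-aware" job a plain stateful filter cannot do on its own.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
```

    Load the two files with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; `ipfstat -io` shows the active rule set and `ipfstat -s` the state table, which is the first place to look when a "pass out ... keep state" rule is not letting replies back in.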

  2. Reasons not to roll your own. by Nonesuch · Score: 3
    This topic was hashed to death in bofhnet a few weeks ago. There are good reasons to buy commercial firewalls:
    • If you are hit by a bus, they can find somebody else who knows the product.
    • By installing a well-known commercial product, you are less likely to be sued/fired when the firewall is hacked.
    • If your time is worth anything, buying a $25K firewall will be cheaper in the long run.
    • Commercial vendors sell tech support, so if something breaks during your once in a lifetime vacation to Aruba, you won't be called back to the office to fix the firewall.

    If you aren't doing this to save money, then you might just want to try to find small form-factor hardware that will run Secure Computing's Sidewinder firewall.

    Sidewinder is based on a customized version of BSD, runs on normal PC hardware, and has most of the features you'd put in if you designed your own firewall, plus it comes with a GUI so you can delegate maintenance to lesser mortals. But Sidewinder isn't cheap.

    I enjoy building my own OpenBSD firewalls, but for nearly any commercial purpose, I purchase commercial firewall products from major vendors.

  3. Good Starting point by DreamerFi · Score: 2
    Perhaps a good starting point is the NetBSD/i386 based firewall project at www.dubbele.com.

    Disclaimer: that's my site. Contact me through email if you need assistance; I'd be happy to help you with details.

    -John

  4. Why are you looking at small form factor? by biglig2 · Score: 2

    Box firewalls tend to be in those small boxes because people want to rack mount them etc.

    But if you're going to build your own won't it be a lot easier to stick with standard PC hardware?

    That way your time concentrates on the firewall stuff, not struggling with unusual/slightly supported hardware.

    --
    ~~~~~ BigLig2? You mean there's another one of me?