Slashdot Mirror


Bootable CDROM-based Firewalls?

DNapalm asks: "I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget, so a hardware-based solution (which I'd prefer) really isn't an option. I've been searching around the web for firewall distributions, and I know what I am looking for. I'd like a boot CD (no install required, no filesystem hacking, just reboot) that stores the configuration on a floppy (that we can easily write protect). It should have a web interface and be able to log to a hard drive or some other machine. Some distributions I've found that seem close are Sentry Firewall, Devil-Linux, NetBoz, ClosedBSD, and Keeper Linux. Has anyone used these? Can you give recommendations? Any help would be appreciated."

7 of 50 comments

  1. LEAF by SIGBUS · Score: 4, Informative
    LEAF, with several versions, would be a good starting point. One variant in particular would be Dachstein-CD, which boots off a CD and uses a floppy to back up configuration changes. Note that the Dachstein releases are 2.2/ipchains-based, while Bering, which is floppy-based, is a 2.4/iptables system.

    I'm using a floppy-based Bering system where I work as a multi-ISP router/firewall, and it works quite well.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  2. Dead site by SIGBUS · Score: 3, Informative

    The problem is, if you look at the linuxrouter.org main page, you'll find that the site hasn't been updated since May 3, 2001. Most LRP development these days is on the LEAF site.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  3. Duh, this here magazine sez we needs a firewall! by Anonymous Coward · Score: 3, Interesting

    For those who wish to avoid the ISP that can't be bothered to actually administer a firewall:

    Synergy Networking
    http://www.synergycorp.com
    1780 SW 43 Ave.
    Fort Lauderdale, FL 33317
    Phone: (954) 792-1866
    Fax: (954) 791-4214
    E-mail: webmaster@synergycorp.com

    Sorry to post anonymously. I'm sick to death of irresponsible ISPs who have no clue how the technology they work with actually works. You're running a goddamned ISP, invest some time into understanding what that firewall is before deploying it.

    I shouldn't be surprised. This ISP is proud to have a "less is more" policy for website design. Hell, right below their claim to have secure web pages, they proudly state their FrontPage support.

  4. What options do you need? by matts.nu · Score: 3, Insightful

    You should really list your needs before you pick a firewall.

    Do you just need a packet filter, to block incoming SYN packets?

    Or are you looking at an application firewall with anti-virus e-mail scanning, web caches, VPNs, separate DMZs for your servers, authentication with OTPs and tokens, etc.?

    Different needs. Different solutions.

    How much staff do you have? Any *nix experts?

  5. SuSE Firewall by Khazunga · Score: 3, Informative
    You'll want your security advisories delivered to your doorstep, with quick and easy updates. If your time is worth a dime, go for a commercial distro. I'd use SuSE:

    http://www.suse.com/us/business/products/suse_business/firewall/index.html

    --
    If at first you don't succeed, skydiving is not for you
  6. Gibraltar by acaird · Score: 4, Informative

    Gibraltar is pretty much what you just described. It worked very well for me in the past, although it looks like development has slowed down (no updates, at least to the free version, in over a year).

    --
    Power corrupts. PowerPoint corrupts absolutely. E. Tufte
  7. Our firewall by Peter+H.S. · Score: 3, Interesting

    is a floppy-based solution from http://www.zelow.no/floppyfw

    We have a 4Mbit/4Mbit HDSL line, and around 320 nodes. (I am part of a team that runs a small-time volunteer ISP: the whole street I live in joined together to get good Internet access for a reasonable price; Linux all the way, yeah!)

    floppyfw is quite a nice distro; it has loads of add-on packages: VPN (PPTP, Cisco, Intel, etc.), PPP, ssh, etc. It is rock solid and has high performance (used it for 3-4 years without problems).

    There is also a powerful GUI for configuring it: http://www.fwbuilder.org/
    But it is very simple to maintain and customize without it. You just mount -o the image, edit, unmount. Rolling and using your own kernel is also quite easy (we use NAT, and some NAT helper modules are outside the kernel).

    The downside:
    No changing the firewall rules on the fly.
    Changing rules or upgrading, means a reboot lasting a minute or so.
    We have a spare box (it can be used as a firewall, or as a proxy or DHCP server if necessary), so by changing the default gateway we can avoid loss of Internet connectivity, though it means that people cannot access our web site in the meantime; we can live with that, others may not.

    We also use the spare box, as a testing unit for new firewalls, so we can be confident that it works before it is put into production.
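The "just block incoming SYN packets" question in comment 4 and the NAT rule file that floppyfw keeps on the floppy in comment 7 come down to the same ruleset. What follows is an added example for this thread, not code from floppyfw, LEAF/Bering, or any commenter: a stateful NAT firewall for a 2.4-kernel/iptables box, emitted in iptables-restore format by a shell function so the text can sit on the write-protected config floppy and be loaded at boot. The interface names eth0/eth1, the 192.168.1.0/24 network, the port list, the FW-DROP log prefix and the LOGDROP chain name are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from floppyfw, LEAF/Bering or any
# commenter: a stateful NAT firewall for a 2.4-kernel/iptables box, written in
# iptables-restore format by a shell function so the text can live on the
# write-protected config floppy and be loaded at boot.
# Every interface, address and port below is an assumption for illustration.

WAN_IF="${WAN_IF:-eth0}"              # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"              # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed inside network
ALLOW_TCP="${ALLOW_TCP:-22 80}"       # assumed services on the firewall itself (ssh, web UI)

# build_ruleset WAN_IF LAN_IF LAN_NET "tcp ports": print an iptables-restore
# ruleset. Default policy is DROP on INPUT and FORWARD, so a new inbound SYN on
# the WAN side never matches anything but LOGDROP; replies to outbound traffic
# pass through the ESTABLISHED,RELATED match.
build_ruleset() {
    wan=$1 lan=$2 net=$3 ports=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
-A INPUT -i $wan -s $net -j LOGDROP
-A FORWARD -i $wan -s $net -j LOGDROP
EOF
    # Management services (ssh, the web interface) are reachable from the LAN
    # side only; nothing is offered on the WAN side, which is what "block
    # incoming SYNs" really buys you. The two rules above drop LAN-sourced
    # addresses arriving on the WAN interface (anti-spoofing).
    for p in $ports; do
        echo "-A INPUT -i $lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j LOGDROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# ruleset_has LINE WAN_IF LAN_IF LAN_NET "ports": true when the generated
# ruleset contains LINE exactly. Useful for checking the rules on the floppy
# before paying for the minute-long reboot the posters mention.
ruleset_has() {
    line=$1; shift
    build_ruleset "$@" | grep -qxF -- "$line"
}

# Load the rules into the kernel; needs root and a 2.4/iptables kernel.
apply_ruleset() {
    build_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" "$ALLOW_TCP" | iptables-restore
}

# "./fw.sh" prints the ruleset for inspection; "./fw.sh apply" loads it.
case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     build_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" "$ALLOW_TCP" ;;
esac
```

The LOG target hands each dropped packet to the kernel log, and on a CD-booted box with no disk that is only useful if syslogd ships it elsewhere: the classic syslog.conf line `kern.* @loghost` (loghost being whatever machine the asker wants the logs on) does that, and it is the piece that turns "log to some other machine" into a requirement the floppy config has to carry. Note that this is a 2.4/iptables ruleset; the 2.2/ipchains Dachstein releases mentioned in comment 1 have no connection tracking, so the equivalent there is matching SYN-only packets with the ipchains `-y` flag rather than `--state`.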