Slashdot Mirror


Firewall Recommendations?

anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

8 of 181 comments

  1. OpenBSD PF by akpoff · Score: 5, Informative
    OpenBSD makes for an awesome Firewall. Get whatever size machine you need, install OpenBSD, enable PF, follow the *very* well written configuration docs online and you'll have one or more firewalls up in no time.

    I just set one up and it was easy. And best of all, the PF syntax is very straightforward.

    1. Re:OpenBSD PF by snowgirl · Score: 4, Informative

      I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

      I highly recommend it over IPTables at least.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  2. The perfect firewall by ernest.cunningham · Score: 5, Informative

    Well, fairly good anyway. Check out the Smoothwall Linux Firewall: http://www.smoothwall.org/get/ SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.

  3. Windows Computers by Anonymous Coward · Score: 5, Funny

    Computers with Microsoft Vista make the best firewalls. Let's say you have a large boiler room, and you really want to keep the heat contained. A good thick layer of 3-4 PCs with Vista Home Premium (or 2-3 PCs with Vista Ultimate) will keep just about anything contained. Please note that Vista Home Basic isn't really suitable for this job in any thickness, as it will tend to burn and contribute to the problem.

    Oh, and don't forget to apply a generous coat of anti-virus paint every morning!

    1. Re:Windows Computers by nacturation · Score: 4, Funny

      Computers with Microsoft Vista make the best firewalls. The network interface received an incoming packet.

      [Cancel] or [Allow]
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. We use one by realmolo · Score: 4, Informative

    We have a Fortigate 400, and we love it. It's damn near perfect. I recommend them to EVERYONE who is in the market for a high-end firewall appliance.

    Truly, it's the best thing on the market right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.

    They really need better marketing, because few people even know they exist, which is too bad.

    So yeah, you should get one.

  5. OpenBSD + PF by grub · Score: 4, Informative

    We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

    Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
    in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.

    We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPSEC although OpenVPN is a serious contender as we use that for the road warriors already.

    It pisses me off to no fucking end that to get a firewall capable of gigabit (we're a bunch of research labs on CANARIE) from Cisco will each take a big bite from my budget, just to have the "Cisco" brand on it.
    nb: I do love their routers and switches. Their firewalls are overpriced and underwhelming.

    --
    Trolling is a art,
  6. Re:Know what you need by HeelToe · Score: 4, Informative

    How do multiple external IP addresses cause an issue? I've been able to successfully have plenty of external IP addresses, and more particularly, multiple internet connections each with its own WAN and/or CIDR block.

    The trick to the former (multiple ips, one internet connection) is really managing via subinterfaces. Firewall rules to deal with the packets associated are pretty easy. This lets you DNAT things into the appropriate place via iptables. If you want to actually build a DMZ, you could use a proxy arp setup like this: http://www.sjdjweis.com/linux/proxyarp/

    As for multiple internet connections, look into multiple routing tables via the ip command. Example:
    ip route add default via table 100

    Then use ip rule statements to choose when to use the particular route tables:
    ip rule add to table 100
    ip rule add from table 100

    You can also pretty simply set up multiple SNAT rules to SNAT traffic over each link for different purposes. This lets you do things like SNAT to a specific host (read: internet connection) based on protocol, internal source address or destination. Handy for lots of things.

    One nice thing to do with multiple internet connections is to have verbs in your firewall script that will allow you to manually failover your internet connection if one goes down. This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection, but it can let you continue to work with outgoing traffic while the problem is resolved.

    If you're slick, you have your DNS hosted externally and you can then use this to update DNS for the DMZ to an alternate zone which specifies those public facing hosts as existing on the internet connection you just did a failover to. Make sure your A record TTL values are low.

    This leads to a reconfiguration of the DMZ unless you have done full SNAT/DNAT mappings for each DMZ host in the firewall. Doing so can be a lot more work, but you can build a set of symmetric (or controlled in a script by a variable) configurations that swap out the DMZ nat rules so that they exist for one specific internet connection or the other.
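The per-link routing tables, `ip rule` selectors, per-link SNAT and manual failover verb that this post sketches, put together as an added example (not from the original post or any project); the interface names, addresses and table numbers are constructed placeholders, and the script only prints the commands unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example (not from the original post): dual-WAN policy routing in the
# style HeelToe describes. Interfaces, addresses and table numbers are
# constructed placeholders (RFC 5737 ranges), not anyone's real network.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 as root applies them.
DRY_RUN=${DRY_RUN:-1}
LAN_IF=eth0;  LAN_NET=192.168.1.0/24
WAN1_IF=eth1; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1;  WAN1_TABLE=100
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1; WAN2_TABLE=200
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Load one uplink's parameters (wan1|wan2) into IF, IP, GW and TABLE.
link() {
  case "$1" in
    wan1) IF=$WAN1_IF; IP=$WAN1_IP; GW=$WAN1_GW; TABLE=$WAN1_TABLE ;;
    wan2) IF=$WAN2_IF; IP=$WAN2_IP; GW=$WAN2_GW; TABLE=$WAN2_TABLE ;;
    *) echo "unknown link: $1" >&2; return 1 ;;
  esac
}

# One routing table per uplink: its own default route plus the LAN route, and an
# "ip rule ... from" so replies sourced from that uplink's address leave on it.
setup_link() {
  link "$1" || return 1
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
  run ip route add default via "$GW" dev "$IF" table "$TABLE"
  run ip rule add from "$IP" table "$TABLE"
}

# Per-link SNAT: LAN traffic leaving an uplink carries that uplink's address.
snat_link() {
  link "$1" || return 1
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$IF" -j SNAT --to-source "$IP"
}

# Steer one protocol over a chosen uplink: mark it, route marked packets via that table.
route_port_via() {  # route_port_via <tcp-port> <wan1|wan2>
  link "$2" || return 1
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$1" -j MARK --set-mark "$TABLE"
  run ip rule add fwmark "$TABLE" table "$TABLE"
}

# The manual failover "verb": repoint the main table's default route at one uplink.
failover_to() {
  link "$1" || return 1
  run ip route replace default via "$GW" dev "$IF"
}

for l in wan1 wan2; do setup_link "$l"; snat_link "$l"; done; route_port_via 25 wan2; failover_to wan1
```

Applying the printed commands for real also needs `net.ipv4.ip_forward=1`, and the `from`-rules are what keep inbound connections to a DMZ host answering on the link they arrived on.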