From: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
To: netfilter@vger.kernel.org
Subject: Re: best distro to build iptable firewall
Date: Wed, 23 Dec 2015 18:06:30 -0500
Message-ID: <20151223180630.61b8d238@playground>
In-Reply-To: <CAPgF-fpEK=-AuP5Mtqddkgh2U8BMC8hKVb_2Mt7MJQNJ4cu8wg@mail.gmail.com>
On Wed, 23 Dec 2015 15:29:17 -0500
Satish Patel <satish.txt@gmail.com> wrote:
> All,
>
> I am planning to build a dedicated firewall for the network and wonder which
> OS will be ideal and best for a dedicated firewall machine?
>
> It's going to handle around 500mbps traffic peak.. so I need something
> solid and secure, which won't crash...
(I know this sounds like an advertisement, but Satish *did* ask. And I *am* working to integrate the just-released iptables v1.6.0.)
If you intend to filter SSL (via MITM), HTTP, HTTPS through clamav, filter URLs for 'appropriateness', and run Snort to identify incoming threats, *at 500Mb/s*, you will need at least 2GiB of fairly fast RAM and a fast quad-core CPU.
You don't need to build a dedicated firewall. Smoothwall Express v3.1 is already available:
- i586 or x86_64
- SMP
- web-based UI
- linux v3.4.110
- iptables v1.4.21
- ipset v6.19
- gcc v4.7.3
- glibc v2.18
- binutils v2.22
- runs snort, clamav, squid
- as a plain firewall, easily handles 4 NICs at a constant 950Mb/s on a dual-core Atom N270 (clam/ids/squid filtering is a different story)
- improved build system makes it easy to add pkgs
- script-based 'advanced installer' makes it easy to hack and debug installation problems
- hooks to make many mods 'non-invasive'
Except for a stupid mistake on my part (I introduced a memory leak when I converted iptACCOUNT to 64-bit counters), v3.1 has been very stable.
I'm presently working on v3.2 preliminaries:
- linux v3.14.58
- iptables v1.6.0
- ipset v6.27
- eudev v3.1.5
It just built and the iso/flash images assembled. It installed and booted (in a KVM) without trouble. So far, the firewall seems OK. But I do expect to encounter a few incompatibilities with iptables v1.6.0.
We're working to overcome years of development neglect. I spent five years improving the build system, modernizing Express' 'foundation', polishing the UI a little bit, and stumbling upon and fixing many little bugs from the original v3.0; v3.1 was the result. Somewhere in there, I was appointed project leader. There is still room for improvement in the UI and in the features; this will be the main focus during 3.2's development.
Unless it's a learning exercise, if you want to save yourself a lot of time and trouble, visit us at http://community.smoothwall.org.
Neal