Home firewalls

I’ve been running the SMC Barricade for about a week now, and like it. If you’re looking for a firewall appliance, $100 gets you a 4-port switch, NAT firewall, and print server. Setting up printing between Linux and Windows has traditionally been a pain; the SMC acts as an LPR-type print server, so setting up print sharing between my Windows 2000 box and Linux was simple.

I’m evaluating an interesting product in my lab, the E-smith mail server/gateway. It’s a stripped-down version of Red Hat Linux with NAT, IPCHAINS, POP/IMAP/SMTP email servers, a webmail interface, WWW server, and FTP server. It’s all administrable from a web browser. They have an evaluation version available at their web site, which appears to be licensed free for non-commercial use. I’m a little leery of using older computers as firewalls, since they’re more susceptible to hardware failure. E-smith looks to have a feature where you can back up all of the data relatively quickly. Since it’s a turnkey install, if you have a hard disk failure, you could replace the hard disk, do a fresh install, then upload all of your data back into it.

The lowest recommended hardware is a Pentium-90 with 32 megs of RAM and a 1 gigabyte hard disk. This will accommodate 40 users, so a small home network should run just fine on similar hardware.

I’d like it if someone came out with an inexpensive, mini-tower Celeron 300 with 64 megs of RAM, serial, parallel and video on the motherboard, and two (or better, three) PCI slots. Such a machine would be a perfect platform for a network appliance/turnkey system.

February 19, 2001

Added to the Geek Page: IP netmask information and HTTP error codes. If you have any other good sources of technical information you want to see preserved on the web, please email a link to me.

I’ve wanted to replace my home firewall (a Pentium 233MMX running Linux, IP Masquerade and IPCHAINS) for some time, and have been looking at the options. There are several:

FLOPPY-BASED FIREWALL:
Pros:
Doesn’t need high-end hardware (486, 24+ megs RAM, no hard drive is sufficient for most implementations)
RAM-based operation: if the firewall is compromised, power cycle it to go back to the original config (this removes the attacker’s changes, but not whatever let them in, so fix the rules or update the software before putting it back online)
Uses existing IPCHAINS knowledge
Uses existing hardware
Quiet, doesn’t need a power supply fan or hard drive
Cons:
One more computer to run…
Most require custom floppy formats to allow room for a Linux 2.2 kernel

DEDICATED FIREWALL/SERVER COMPUTER:
Pros:
Have lots of hardware lying around
Uses existing IPCHAINS knowledge
Don’t need to masquerade services running on the firewall computer
Cons:
One more computer to run…
Several new points of failure (power supply, hard drive, etc.)

FIREWALL APPLIANCE:
Pros:
Convenient, web-based administration
Quiet
Cons:
Less flexible than traditional firewalls
No packet filtering
No intrusion detection features
Limited logging

I’ve tested the Linksys BEFSR11 Cable/DSL router, and have two other routers on order – the SMC Barricade and Allied Telesyn AT-220E. Both the SMC and the Linksys have comparable firewall facilities, but the SMC adds a 4-port Ethernet switch for $20 less than a similarly configured Linksys model (the BEFSR41), and adds a print server. Connect your printer to your firewall and share it with Windows and UNIX hosts – pretty nice.

Many of these appliance firewalls don’t provide packet filtering, but rely on NAT and RFC1918 addressing in the protected area to protect the internal hosts. RFC1918 space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) isn’t routed on the public Internet, so nobody outside can reach an inside host directly; only connections you explicitly forward get in, and the inside hosts remain exposed to whatever they themselves connect out to. That makes you relatively safe, but it isn’t filtering. I’d like to be able to provide some filtering capability for those ports I do allow (say, only allowing certain IP addresses access to a POP server).

The Linksys router is one of the more popular routers, and it performs adequately for most home users. I’m running several services on the outside (including this web server). In order to make this server available from the outside, the router performs what is known as “port forwarding”. Port forwarding is a way of making specific private services on the protected network available from the outside world. For example, say you have a WWW server in your protected network that you would like to share with others. You add a port forwarding rule to the firewall that sends traffic arriving on port 80 (WWW) of the public address to a host (your WWW server) on the protected network.

Someone on the outside wanting to see your web server would point their web browser to the “outside” public IP address, and the router would forward requests to your internal server.
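As an added example (not from the original journal entry or from any of the vendors it mentions), here is how the same two things look on a Linux box rather than an appliance: port forwarding of 80 to an inside web server, and the filtered forwarding the entry wishes for, where POP3 (110) is forwarded only from a single trusted address. It uses iptables (the 2.4-kernel successor to the 2.2-era ipchains/ipmasqadm commands the entry mentions). Every address, interface name and host in it is a hypothetical assumption: eth0/eth1 as the outside/inside interfaces, 198.51.100.10 as the public address, 192.168.1.0/24 as the LAN, 192.168.1.20 as the web server, 192.168.1.30 as the mail server, and 203.0.113.5 as the one POP client allowed in.

```shell
#!/bin/sh
# Added example, not the journal author's configuration. All values below are
# hypothetical; change them before use.
EXT_IF=eth0              # interface facing the DSL/cable modem
LAN_IF=eth1              # interface facing the protected network
EXT_IP=198.51.100.10     # public address (documentation range, assumed)
LAN=192.168.1.0/24       # RFC1918 space behind the firewall
WEB=192.168.1.20         # inside WWW server, reachable from anywhere on 80
MAIL=192.168.1.30        # inside POP server, reachable only from POP_CLIENT
POP_CLIENT=203.0.113.5   # the single outside host allowed to reach POP3

# Print the rules instead of running them, so they can be reviewed first.
fw_rules() {
    # Start clean and default-deny everything that would cross the box.
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Stateful: replies to connections already accepted pass both ways.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Outbound from the LAN is allowed and hidden behind the public address
    # (this is the "IP Masquerade" the entry's old firewall does).
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP"
    # Plain port forward: anyone may reach the inside web server on port 80.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination $WEB:80"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT"
    # Filtered port forward: only POP_CLIENT is translated to the mail server,
    # and the FORWARD rule repeats the source check so a NAT slip cannot
    # widen it. Other sources never get a DNAT and are dropped by the policy.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $POP_CLIENT -d $EXT_IP --dport 110 -j DNAT --to-destination $MAIL:110"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -s $POP_CLIENT -d $MAIL --dport 110 -m state --state NEW -j ACCEPT"
}

# Dry run by default; apply (as root) only with APPLY=1, e.g. "APPLY=1 sh fw.sh".
if [ "${APPLY:-0}" = 1 ]; then
    fw_rules | while read -r cmd; do $cmd || exit 1; done
else
    fw_rules
fi
```

The two forwards differ only in the `-s $POP_CLIENT` match; that one option is exactly the per-port source filtering the NAT-only appliances in this entry cannot express, and Linux has no ten-rule ceiling on the number of forwards.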

The Linksys only allows 10 ports (or contiguous port ranges) to be forwarded, which is sufficient for most DSL or cable users, but a little tight for someone running a public server.

I’ve seen random lockups where the Linksys doesn’t respond (and my network is isolated from the internet for 5-10 minutes at a time). I don’t know the cause of this. I’ve updated my router firmware to the latest version from Linksys’ web site, and the problem remains. Linksys has gotten some bad press regarding reliability and their ability to fix problems; some complain that their fixes introduce new problems, or don’t address issues.

The Allied Telesyn router shows a lot of promise. It appears to have more full-featured port forwarding (allowing you to forward port X on the outside to port Y on the inside, for example), and appears to allow more port forwarding rules than the SMC or the Linksys, which allow 10. It also features a DNS proxy, and firewall software that includes stateful packet filtering, logging to syslog or email, and intrusion detection features.
