[KLUG Members] re: A plea for firewall ideas

Adam Bultman adamb at glaven.org
Tue Aug 31 20:40:08 EDT 2004


Mike Williams wrote:

>> Subject: [KLUG Members] A plea for firewall ideas
>> From: Adam Bultman <adamb at glaven.org>
>>
>> Hello everyone.  This is a plea.
>>
>> At work, we are going to be upgrading our firewalls to a new system, 
>> as yet undecided.  We are in the final stages of deciding exactly 
>> what we'll be using for firewalls very soon.
>>
>>
> Two words:  Astaro Linux.  http://www.astaro.com/  It's a heavily 
> customized firewall-only distribution, and the best I've ever seen.  
> Its cost starts at $390 for commercial use, and you need a little more 
> hardware to throw at it than Smoothwall or something, but it's 
> definitely worth it.  Completely web manageable (although you can ssh 
> in if you need to), supports several types of VPN tunnel, serves DNS, 
> DHCP, web caching, intrusion protection, content filtering, SNMP, ICMP 
> forwarding or dropping, and basically anything else you'd ever want a 
> firewall to do.  As an example of the attention to detail that Astaro 
> puts into their product, every single process that the box runs is 
> chrooted.  I run one at home (it's free for non-commercial use) that 
> serves my 256K DSL from an old K6/2 500.  The web management interface 
> is sometimes a little slow, but I've never seen any problems with it, 
> and the system load graphs are nice and low.
>
I tried it. One word:  Unreliable.

I tried that here at home on my dual 400 system.  When it wasn't 
crashing with "kernel Oops"es, it was dropping my ethernet connections 
and giving me no way of knowing, apart from the fact that the box itself 
couldn't connect to anything and my workstation behind it could ping the 
interfaces.  The web interface, while really neat to look at, was more 
difficult to grasp than the iptables commands I currently wrangle with 
(especially with the tangled web of rules I have).  Furthermore, it 
couldn't correctly NAT my VoIP traffic, which is a must. (And before you 
point the finger at my computer, please note that it has run, and 
continues to run, just as stable as could be running a variety of 
distros, including RH 6.2, Gentoo, and FC2).

Astaro looks good, but to implement it at work would be nearly 
impossible, and I can't place my trust in a system that crashed more 
than a couple times within hours of installation (and continued to be 
unreliable).  Plus, they placed a sales call to me at 5 AM.

Adam


> You can download a free 30-day trial from their website.