[KLUG Members] re: A plea for firewall ideas

Mike Williams knightperson at zuzax.com
Wed Sep 1 00:10:55 EDT 2004


>
> From:
> Adam Bultman <adamb at glaven.org>
>
>
> Mike Williams wrote:
>
>>>
>>> Subject:
>>> [KLUG Members] A plea for firewall ideas
>>> From:
>>> Adam Bultman <adamb at glaven.org>
>>>
>>>
>>> Hello everyone.  This is a plea.
>>>
>>> At work, we are going to be upgrading our firewalls to a new system, 
>>> as yet undecided.  We are in the final stages of deciding exactly 
>>> what we'll be using for firewalls very soon.
>>>
>>>
>> Two words:  Astaro Linux.  http://www.astaro.com/  It's a heavily 
>> customized firewall-only distribution, and the best I've ever seen.  
>> Its cost starts at $390 for commercial use, and you need a little 
>> more hardware to throw at it than Smoothwall or something, but it's 
>> definitely worth it.  Completely web manageable, (although you can 
>> ssh in if you need to), supports several types of VPN tunnel, serves 
>> DNS, DHCP, web caching, intrusion protection, content filtering, 
>> SNMP, ICMP forwarding or dropping, and basically anything else you'd 
>> ever want a firewall to do.  As an example of the attention to detail 
>> that Astaro puts into their product, every single process that the 
>> box runs is chrooted.  I run one at home (it's free for 
>> non-commercial use) that serves my 256K DSL from an old K6/2 500.  
>> The web management interface is sometimes a little slow, but I've 
>> never seen any problems with it, and the system load graphs are nice 
>> and low.
>>
> I tried it. One word:  Unreliable.
>
> I tried that here at home on my dual 400 system.  When it wasn't 
> crashing with "kernel Oops"es, it was dropping my ethernet connections 
> and giving me no way of knowing, apart from the fact that the box 
> itself couldn't connect to anything and my workstation behind it could 
> ping the interfaces.  The web interface, while really neat to look 
> at, was more difficult to grasp than the iptables commands I currently 
> wrangle with (especially with the tangled web of rules I have).  
> Furthermore, it couldn't correctly NAT my VoIP traffic, which is a 
> must. (And before you point the finger at my computer, please note 
> that it has run, and continues to run, just as stable as could be 
> running a variety of distros, including RH 6.2, Gentoo, and FC2).
>
> Astaro looks good, but to implement it at work would be nearly 
> impossible, and I can't place my trust in a system that crashed more 
> than a couple times within hours of installation (and continued to be 
> unreliable).  Plus, they placed a sales call to me at 5 AM.
> Adam


OK, a 5 am sales call would piss me off too.  I've never gotten a call 
from them, but then again I started with a non-commercial license where 
they know they're not gonna make any money off of me.  No idea why you 
had trouble with it, but maybe it doesn't handle multi-cpu so well.  All 
my experience with it (admittedly just my own and the guy who 
recommended it to me) has been fine, but they're both single cpu boxes. 
