Up till now I’ve been running the home firewall and a couple of minor websites from an old (1996 or thereabouts) Pentium 3 box in the basement that uses Debian. It seems to work reasonably well, and has been fending off bots and other threats with adequate ferocity. There seems no reason, however, to think that the number of attacks will decrease in the next little while, and every reason to suspect that one of these days the hard disk will fail, leaving me without a firewall. The websites are backed up and easily restorable; the time to set up a firewall and get it working with a PPPoE connection to an ISP that doesn’t understand Linux is what will take the time.
So I’ve been wondering about rejigging the whole network, getting an off-the-shelf hardware firewall/router that can feed into the wireless router. I’m a little paranoid about getting something that is secure but not intending to spend thousands. We’ve blocked all ports except the necessary ones on the system right now, except for allowing SSH access in and out, and, of course, port 80 for the web sites. Security will be particularly important as the kids move into the teenage years and start wanting to download stuff.
I’m looking for some advice here. Do I need anything more than NAT, DMZ, and forwarding appropriate ports to internal servers, which I can get from standard consumer-level router/firewalls? Any particularly good brands and models I should look for?
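As an added example (not from any poster in this thread), here is the policy the original poster describes, written as an nftables ruleset for a Debian box routing a PPPoE link: everything dropped by default, SSH allowed in and out, port 80 forwarded to the internal web server, and NAT for the LAN. The interface names (ppp0, eth1) and the web server address 192.0.2.10 are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny firewall with SSH in/out,
# port 80 forwarded to an internal web server, and NAT on a PPPoE uplink.
# Assumed names (placeholders, not from the thread): ppp0 = PPPoE uplink,
# eth1 = LAN, 192.0.2.10 = internal web server (constructed address).
WAN=ppp0
LAN=eth1
WEB_HOST=192.0.2.10
# Print the ruleset. Input and forward chains default to drop, so anything the
# rules below do not name is refused; LAN-originated traffic may leave freely.
ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    iif "$LAN" accept                                   # trust the LAN side
    iif "$WAN" tcp dport 22 accept                      # SSH in from the Internet
    iif "$WAN" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif "$LAN" oif "$WAN" accept                        # LAN out (includes SSH out)
    iif "$WAN" ip daddr $WEB_HOST tcp dport 80 accept   # forwarded web traffic only
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iif "$WAN" tcp dport 80 dnat to $WEB_HOST:80        # port-forward 80 to web server
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oif "$WAN" masquerade                               # NAT; PPPoE address may change
  }
}
EOF
}
check_ruleset() { ruleset | nft -c -f -; }   # syntax check only, nothing is loaded
apply_ruleset() { ruleset | nft -f -; }      # load the ruleset (run as root)
ruleset
```

Run `check_ruleset` on a box with nftables installed to validate the syntax before `apply_ruleset` loads it.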
If you don’t mind doing a little fiddling (and, well, you’re running a Debian based router now :P), get a standard router and then put DD WRT (http://www.dd-wrt.com/) firmware on it.
Boris, you’ve answered the second question: “how?”, not the first: “what?”, as in: “Do I need anything more than NAT, DMZ, and forwarding appropriate ports to internal servers?” which seems to me like quite a good one.
I use a modem with many of those features.
http://www.thinkbroadband.com/hardware/reviews/2002/q4/st510v4.html
Quite a few firewall features, NAT etc. Line, mode, 802.3 to the wifi router.
Works well and a lot cheaper than a dedicated firewall.
HTH
I’d get a Linksys WRT54GL.
The default firmware is decent, and if you need more, you can install a number of available free firmware builds, from OpenWrt to FreeWRT to DD-WRT and others.
You get wifi and 5 Ethernet ports in a nice package, and running an alternative firmware, you can even set the Ethernet ports into different VLANs, turning the box into a 4-port router plus wifi (and one port of PPPoE).
NAT, DMZ and port forwarding ought to do it; I also need VPN. I’ve been steering people I know to CyberGuard’s SnapGear lineup for years, never a problem, embedded Linux:
http://www.securecomputing.com/index.cfm?skey=1571