atxa
Velociraptor

Joined: 3 Jun 2006
Age: 52
Gender: Male
Posts: 464
Location: Can

29 Jul 2006, 3:38 pm

Hello,

I'm going to build a router and I'm really interested in PF on OpenBSD; from what I read it's supposed to rock. The question is, is it easier to begin with iptables on Debian or jump to OpenBSD and PF right now? I don't know Debian or OpenBSD.

I got a Pentium II with 256 MB RAM, a 15 GB HD and 3 LAN adapters.

I already know m0n0wall, pfSense, IPCop and retail routers (Linksys, D-Link, SMC, Gnet).

Thanks !



Fooker
Butterfly

Joined: 7 Jun 2006
Gender: Male
Posts: 16

31 Jul 2006, 10:11 pm

I replied to a similar post earlier, but I can't find it right now, so I guess I know why you reposted :P

Shorewall is your friend. Get something easy to work with - I prefer Arch Linux, as I can install it in under 15 minutes, including all updates, and it maintains itself fairly well over the long term. But any distro without X will work just fine.

The first thing to do is remove all the junk you don't need - or at least turn it off on boot, so you don't waste precious RAM. Then set up those from the following you need:

- Shorewall (iptables configurator scripts/program - very useful, couldn't live without it, and it runs on almost anything with patches)
- Squid (proxy, can be run in transparent mode. Very nice to have if you visit the same sites or see the same images over and over again)
- named (name server, can be set up to cache. Very very useful, as it cuts down on domain resolution times if you go to the same site more than once)
- nfs (if you want to have your logfiles stored on another machine, like I do, as my gateway has a small HD but my desktop has tons of room)
- httpd/apache2 (if you need a web server running locally - very useful for redirecting bandwidth-intensive sites to something else for when your brother decides he wants to use up your month's bandwidth in a single adult image viewing session)

If you need help setting any of these up, post with specifics and we can help you out as best we know how. Note: Vodka helps us think :P

Fooker




atxa
Velociraptor

Joined: 3 Jun 2006
Age: 52
Gender: Male
Posts: 464
Location: Can

02 Aug 2006, 11:07 pm

Fooker wrote:
I replied to a similar post earlier, but I can't find it right now, so I guess I know why you reposted :P
Fooker


Hi Fooker,

Sorry for the delay !

You replied to my post ("Home made router"), I got it and read it, thank you. In that post I asked questions about OpenWRT and HyperWRT; when you spoke about Shorewall I thought that it was only for Linksys routers.

I didn't know that you can put it on a real PC, now I know.

Now I have a Linksys router (not a wireless one), a BEFSR41 (V3); from what I read I probably can install OpenWRT or HyperWRT on it, but I have to read again just to be sure.

Thank you for your help!

When I need information I'll let you know.

See ya !



Fooker
Butterfly

Joined: 7 Jun 2006
Gender: Male
Posts: 16

02 Aug 2006, 11:23 pm

I would strongly suggest using a router, wireless or wired, as your main gateway, even if it is running Linux (OpenWRT or similar).

I used to use a WRT54G for my main gateway - it was connected to the internet, and all my machines plugged into it, or got wireless from it. Now, I am far from the typical home user, but I noticed a lot of problems with the WRT as a gateway:

- It was slow. Doing a shorewall restart took close to 20 minutes for me. That means, whenever you restart your router, your power dies off for a minute, or you change your ruleset, you're looking at 20 minutes without internet. Now, this may not be so bad for you, but think - your system is unprotected from the internet for 20 minutes. If any daemons are running (sshd), this is 20 minutes for someone to get into your system without even having to worry about a firewall. Now, this can be gotten around by using iptables-save and iptables-restore, but that's not the prettiest thing to do on a WRT. And you still have ruleset changes.

- It was slow for networking. I never once got full throughput on a single link to a single link (LAN to LAN, same zone) running either Linksys firmware or OpenWRT. That's a big thing for people like me who transfer a 50 gig backup file every night over the LAN. I use three links from my desktop to my fileserver to get some decent speed to get this file moved over in a reasonable amount of time, and it was not even close to reasonable. And no, there's no way to get around this without really going into it with a lot of work.

- It was unreliable. The Linksys firmware takes a few seconds to load up, and all your settings are saved in flash and never just held in memory like some are in Linux. If it goes down, you may not even notice the few seconds it's down for a reboot. But with OpenWRT, it takes more time. And if you run specific daemons that you don't want started by its startup scripts (there's a lot of reasons), you have to manually do that every time it drops off. Not a fun thought.

- A DoS attack was way too easy on it. I noticed a lot of DoS attacks with my WRT, but I don't even notice them with my P2 500 MHz boxen - now, these aren't necessarily attacks that take up all your bandwidth, more so attacks that require PHP pages to be loaded, or the firewall to do some complex things (log enough attacks to flash, and your log files will rotate if set up properly; do this enough times, not that many on the limited flash in the WRT, and your flash is toast. As in, it will never work again).

- A computer can do so much more. A WRT can't really be used for a proxy, because of processor speed, memory, and most importantly, a storage medium. The flash won't last too long if you're caching every website to it. A regular HD will last a very long time. Same reasons for a caching nameserver. Apache isn't the easiest to run, as you're limited in what you can do - again, processing speed, memory, and storage space. About all you can run on it is a screen session with irssi in it :)

Use the computer if you can, and get yourself a nice switch - I went a bit overboard, with a $4000 backbone switch, but even a cheap 8 port gigabit workgroup switch will do you, for only a few hundred (under 200 I think, but I'm not sure). Use the router for playing with :)

Fooker


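One way to close the "unprotected for 20 minutes" window the post above describes, as an added example that is neither from the thread nor from Shorewall: a default-deny ruleset written in iptables-restore format and loaded in one transaction, so the box is never reachable without a firewall while the rules are being rebuilt. The interface names eth0/eth1 and the rules file path are assumptions.

```shell
#!/bin/sh
# Added example: load a default-deny gateway ruleset atomically with
# iptables-restore instead of running many iptables commands in sequence.
# Interface names and the rules file path are assumed, not from the thread.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
RULES_FILE=${RULES_FILE:-/var/lib/firewall.rules}

# Emit a complete iptables-restore file. INPUT and FORWARD default to DROP,
# so a partial or failed load leaves the host closed rather than open.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: the chains the WAN can reach must default to
# DROP, and every table must end in COMMIT or iptables-restore will not apply it.
check_ruleset() {
    rs=$(gen_ruleset)
    echo "$rs" | grep -q '^:INPUT DROP' || return 1
    echo "$rs" | grep -q '^:FORWARD DROP' || return 1
    echo "$rs" | grep -q '^COMMIT$' || return 1
    return 0
}

# iptables-restore replaces each table at its COMMIT line in one step, so
# there is no moment where the old rules are flushed and the new ones not yet in.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check, not loading" >&2; return 1; }
    gen_ruleset > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}
```

Running the same file from an init script at boot (before any daemon such as sshd starts) gives the same protection after a power cycle; iptables-save can capture a working ruleset into that file once it has been tuned by hand.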


atxa
Velociraptor

Joined: 3 Jun 2006
Age: 52
Gender: Male
Posts: 464
Location: Can

03 Aug 2006, 8:44 pm

Hi,

From what I read in your post, I won't waste my time with OpenWRT; I'll take a chance on PF with OpenBSD.

Thank you !