On Wed, 2006-08-02 at 12:36 -0600, Cody Nelson wrote:
> First.
> I have been using IPcop as a firewall for close to 4 years now, before
> then I used a slackware box with a bunch of home made scripts.
> Current firewall hardware. Celeron 300 with 128 RAM. 1 10 NIC, 1 10/100 NIC.
> I am looking to step up my security and functionality to a higher
> level. I am looking at other OSS projects and see quite a few.
> Astaro is top of my list right now, but there are so many others.
> (m0n0wall, redWall, Endian, etc)

I have been in the same situation lately and I've tested a few of these
OSS products.

m0n0wall is great, but doesn't have all the features you're looking for.
Redwall is the "I can do everything" firewall, but seems like a
slapped-together and somewhat poorly managed project.

> Some functionality I would like to see.
> Restricting bandwidth usage. Kind of like squid, but on the firewall.

Huh? Do you mean URL filtering or traffic shaping?

> SSL(Web) VPN. (not a priority)
> IDS/IPS capabilities with the below
> Better logs/reporting with alerts.
> Port knocking would be cool
> Web based configuration/monitoring.
> Handles over 20,000 connections (bit torrent, etc)
> Possible virus/spam protection.

> Well I guess first question what do people think of Astaro?
> http://freshmeat.net/projects/asl/

On a Celeron 300 you can expect a frustrating experience with Astaro.
The web interface will be painfully slow and you won't be able to turn
on very many filters/features. I've been using ASL for a little over a
year now on a PII 400.

It's great that they give home users a free license, but the limit of 10
IP addresses is a pain. I know there are ways around it, but I don't
want to monkey around with another router, a dual-NATed connection, and
other associated inconveniences (like having to make NAT and firewall
rules in 2 places if I need remote access).

> Second question, what are suggestions?

A good project I've found is the m0n0wall-based pfsense. It supports
more features (many of those listed above) and allows the user community
to write modules to extend its features. I liked IPCop when I tested
it, but haven't really put it to use yet.

I'm likely to roll my own iptables firewall, so it sounds like we're
moving in opposite directions. I'm tempted to use IPCop or pfsense for
the ease of setup, but I think doing it myself will be a better
solution. If adding all that I want becomes too burdensome I figure I
can switch over any time. I'd better decide quickly as the box I run
ASL on died last night.

> Thank you all!
> Cody

Hope this is helpful.

@@ron Smith
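As an added example that is not part of the thread (neither Cody's nor Ron's code), here is what a minimal "roll my own" iptables ruleset covering the points raised above might look like: default-deny policies, stateful connection tracking, admin access only from the LAN side, NAT for the LAN, rate-limited logging of dropped traffic (the "better logs" item), and a conntrack table sized for the 20,000-plus connections mentioned. It prints the commands rather than executing them; the interface names, LAN subnet and conntrack size are assumed placeholders, and the sysctl name is the current `net.netfilter.nf_conntrack_max` rather than the older `ip_conntrack_max`.

```shell
#!/bin/sh
# Added example (not from the thread): generate a minimal default-deny,
# stateful iptables ruleset for a two-NIC home firewall.
# Prints the commands; run "sh fw.sh --apply" as root to execute them.
# WAN_IF, LAN_IF, LAN_NET and CONNTRACK_MAX are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CONNTRACK_MAX="${CONNTRACK_MAX:-65536}"   # room for >20k tracked flows (P2P)

build_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.netfilter.nf_conntrack_max=$CONNTRACK_MAX
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands in the generated ruleset (sanity check).
rule_count() {
  build_rules | grep -c '^iptables '
}

case "${1:-}" in
  --apply) build_rules | sh ;;   # apply for real (needs root)
  *) build_rules ;;              # default: just print the commands
esac
```

The LOG rules sit last in INPUT and FORWARD so only traffic that reached the DROP policy is logged, and the `limit` match keeps a port scan or a misbehaving client from filling the syslog; the prefixes make the lines easy to pick out for alerting.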

firewall-wizards mailing list