Czanik@BalaBit

For years I was using miniature PowerPC and ARM machines as gateway for my SoHo network. A normal Linux install using openSUSE or Debian, with iptables, proxies, sometimes an IDS or even a torrent server to seed openSUSE alpha/beta/release CDs. While it was fun, these machines were never intended to do this job, additional Ethernet interfaces were on USB, could not keep up with today’s broadband speed increase, and did not like the near 7/24 operation. Now I got a chance to try a machine, designed to be run 7/24, passive cooling and multiple Ethernet ports, so a real gw machine, an eBox 3310mx instead of some nice hacks.

As a FreeBSD maniac, the first firewall distribution I tested on the machine was pfSense. In addition to being a flexible and powerful firewall and routing platform, it can be extended with many add-on packages for IDS (Snort), VoIP, caching proxy (squid), etc. All these arrive with convenient and uniform web interface extensions to the base web GUI.

Using pfSense I had some mixed results. The machine is based on the Vortex86 SoC, which also includes an Ethernet port. In theory FreeBSD is supported, in practice it did not work, only the additional two Ethernet ports. On the other hand, this was the fastest networking stack on the machine: I often measured faster downloads than theoretical maximum on my ADSL line.

As I also wanted to test a three Ethernet setup, so I also downloaded a Linux based firewall distribution. I was recommended to try ZeroShell, but after a few hours I gave up on installation. Then I tried IPCop, a simple, easy to use firewall distribution. Still it had many more features and yet easier to use than my SoHo router box. It has some nice graphs, traffic shaping, VPN connections, a lot more flexible firewall and logs about network activity. On the other hand, while there was support for the on chip Ethernet, its speed was less than optimal.

The best Linux experience I had on the machine was using it with Debian. Installation was quick and easy. Network speed was close to theoretical maximum on each interface. And as it’s a general purpose distribution, I could easily add NAS functionality using USB hard drives and necessary software.

Talking about Debian, I have some good news for you: Zorp GPL packages are available for Debian, as it was announced on the Zorp mailing list recently. This makes installation of Zorp GPL a lot more easy on many different versions of Debian and Ubuntu. Still not as easy as the web GUI based firewall distributions I tested, but thanks to its proxy based architecture, it can provide a lot stricter and fine tuned protection than any others I tested. For details on how to get started read announcement or the maintainers blog.