Hardware Firewall

[variance75]

Hi All,

I run an internet cafe and decided to get a hardware firewall solution. Does anyone have any recommendation on the hardware for a firewall? Also do I have to use NAT in a hardware solution? I rather keep my statics IP and just block ports by IP.

Thanks in advance.

 

[exx1976]

Depending upon the number of stations you have, I'd look into a Symantec VelociRaptor. It's a 1U box that can be had for ~$800 for a 40 node license. You can block anything by anything.. You can allow certain IPs to have free reign, certain IPs to only have port 80, etc, whatever you want. VERY nice unit, and very secure. For a couple hundred more, you can have VPN capability when you can VPN in from outside if you so desire.. I think they have a unit that also does caching (speeds up browsing and cuts down on traffic). I personally can't stand Symantec products, but their firewall line wasn't developed by them, they bought Eagle (used to make Raptor firewalls), which was a REALLY solid company... That's what I have here at my office (software solution, Enterprise Firewall, runs on Solaris).

It also does reverse NAT to map in HTTP traffic to an in-house web-server, or email server, or whatever... Quake server maybe.. LOL

 

[mboy]

GO with a Snapgear SME 550 @ $375 delivered. 5o0 Crypto Xlerated VPN tunnels, 35mb firewall thruput (15 mbps or so for 3DES), unlimted users (no licensing), free firmware updates for live. HTTPS/SSH admin access, dial in (thru phoneline) access to it, basic traffic Shaping, Can run it in bridged mode (like you want), asks as a DNS proxy, NTP server, ful CLI access, GUI. Linux imbedded on a chip. CAN NOT be beat for the price. Does all you need and MUCH more!
www.snapgear.com

SME 550

 

[variance75]

Snapgear looks good. Price looks even better. Bridge mode means no NAT? Install pretty easy? I crimped and developed the whole network infrastructure for the cafe but I am no network engineer.


Basically, I want to shut all all ports but 80, and a few game ports to the outside. Also can I limit bandwidth by IP? Sorry for all the questions. If you need to set up a Counter-Strike server I can help .

 

[mboy]

Yep, installs nice and easy. Bridged is NON NAT mode. GO here: emulator
to test drive it

 

[mboy]

Out of curioisty, why are you interested in limiting bandwidth by IP? MIght not be able to do that with this.

 

[variance75]

Only have a T1 for 25 Machines. If someone decides to DL 100MB file. Everyone's latency goes hell. Since we run some game servers people playing from home don't like it either.

 

[groovin]

i didnt know internet cafes allowed peopel to download large files like that. do you have ethernet ports for laptop users to jack into or something?

 

[variance75]

You are not really allowed to but its tough to monitor. So the best option is to limit the bandwidth so you wont.

 

[cmetz]

OpenBSD on a PC...

 

[mboy]

Originally posted by: cmetz
OpenBSD on a PC...

Unfortunatey, not all of us (especially myself included) are *nix gurus, able to easily admin it compared to an appliance

Something to def. work with in lab or home to learn (as I am going to), and it is VERY powerful way to go, but tough in real world enviro when it isn't easily admin'd.

 

[groovin]

Originally posted by: cmetz
OpenBSD on a PC...

pf and altq?

 

[n0cmonkey]

Originally posted by: groovin

Originally posted by: cmetz
OpenBSD on a PC...

pf and altq?

My #1 choice.

But I would recommend Checkpoint.

 

[variance75]

PF and altq?

 

[groovin]

pf is the firewall package that comes with openbsd and altq is a queing program... they integrate really well with each other. openbsd is free and VERY powerful but for people new to *nix, itll be tough to pick up in the begining.