m0n0wall vs. ???

Shaotai

Platinum Member
Jan 22, 2002
2,062
0
0
Okay, so here's the situation.
At a friend's business, she has a T1 and we use m0n0wall as a firewall. We host a number of websites and an email server, and it's been working out great for the most part...
She wants another T1 for some reason, so I'm wondering if there are some other options we can run for the firewall. We use 1-to-1 NAT for the websites, all manually mapped with m0n0wall.

We're looking for something that is cheap but works solid. The current m0n0wall system is using one of the Soekris boxes. We'll probably use an old system with 3 NICs and run m0n0wall again, or try something else? Suggestions? I've downloaded SmoothWall and may give that a shot.

We have a slight issue using m0n0wall and QuickBooks. We can't use the banking function, so that's why we're looking at another option besides m0n0wall...
 

fresnoboy

Junior Member
Oct 8, 2006
7
0
0
If you like monowall but want more expandability, why not use pfsense? Works pretty well.

Thanks,
FB
 

Shaotai

Platinum Member
Jan 22, 2002
2,062
0
0
Interesting that pfsense is based off monowall... I'll give it a shot... Thanks too for the clarkconnect linky...
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Rilex
ISA?

great idea...but you need
Bigger iron to run it
a Microsoft Server OS
the ISA Software


So you go from a solid, open source firewall running on lower-end H/W to a big-iron, expensive, proprietary solution.
 

Shaotai

Platinum Member
Jan 22, 2002
2,062
0
0
Originally posted by: InlineFive
Ask her why she needs two T1s, it may turn out to be a waste of operating budget.

She wants redundancy and maybe looking to host other sites in the future.

It's an interesting business, sweat shields for clothing and undergarments.
Linky for those who are interested in looking at the site...

I don't think we'll do the ISA right now, but that could be a future option. Also, pfsense can do two WAN links, so this could really work out well for us.
 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Originally posted by: Shaotai
Originally posted by: InlineFive
Ask her why she needs two T1s, it may turn out to be a waste of operating budget.

She wants redundancy and maybe looking to host other sites in the future.

It's an interesting business, sweat shields for clothing and undergarments.
Linky for those who are interested in looking at the site...

I don't think we'll do the ISA right now, but that could be a future option. Also, pfsense can do two WAN links, so this could really work out well for us.

You can host lots of sites on a single T1 line. It depends on what web server you are using.

And if you are using a reputable provider I don't think that your T1 reliability should be enough of an issue to buy a second one, unless you have enough traffic that load balancing would be useful.

Instead I would consider a DSL or Cable line as a reserve.
 

Shaotai

Platinum Member
Jan 22, 2002
2,062
0
0
Originally posted by: InlineFive
Originally posted by: Shaotai
Originally posted by: InlineFive
Ask her why she needs two T1s, it may turn out to be a waste of operating budget.

She wants redundancy and maybe looking to host other sites in the future.

It's an interesting business, sweat shields for clothing and undergarments.
Linky for those who are interested in looking at the site...

I don't think we'll do the ISA right now, but that could be a future option. Also, pfsense can do two WAN links, so this could really work out well for us.

You can host lots of sites on a single T1 line. It depends on what web server you are using.

And if you are using a reputable provider I don't think that your T1 reliability should be enough of an issue to buy a second one, unless you have enough traffic that load balancing would be useful.

Instead I would consider a DSL or Cable line as a reserve.


Yes, the AT&T managed T1 service has been awesome so far. Just about zero downtime and the only downtime we had was due to power outages on our side.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Rilex
So my PIII 850Mhz is now big iron? COOL!

compared to my PPro 120 w/32 MB ram...yes, it's big iron.


Win2k3 Server OS is what...$300
ISA server (No clue, we have an action pack at work, and only use it in one place, and only because someone didn't want to use an "OMG, OPEN SOURCE IS teH sucK" alternative solution) 200?ish

 

Rilex

Senior member
Sep 18, 2005
447
0
0
Originally posted by: nweaver
Originally posted by: Rilex
So my PIII 850Mhz is now big iron? COOL!

compared to my PPro 120 w/32 MB ram...yes, it's big iron.

Don't make yourself sound like more of a fool than you already are. Please.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Rilex
Originally posted by: nweaver
Originally posted by: Rilex
So my PIII 850Mhz is now big iron? COOL!

compared to my PPro 120 w/32 MB ram...yes, it's big iron.

Don't make yourself sound like more of a fool than you already are. Please.

fool? I'm not the one who suggested a new box+~$600 worth of OS/Software for a solution that (imho) isn't as good as BSD's PF
 

Rilex

Senior member
Sep 18, 2005
447
0
0
So why is it not as "good" as BSD's PF?

While not having used pf, it certainly, from this description, is nowhere near as capable as ISA:

Packet Filter (from here on referred to as PF) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization.

Do you know what ISA is? It isn't just a packet filter.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Rilex
Do you know what ISA is? It isn't just a packet filter.

Wtf cares? Did the op mention anything other than wanting a firewall?
 

Rilex

Senior member
Sep 18, 2005
447
0
0
Are you saying ISA is not a firewall?

Come on guys, don't be obtuse to push your OSS agenda.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
No, I know what ISA is, I have used it before....

but there is very little ISA does, other than integrate into AD, that you cannot do easier/on lesser hardware/better than ISA. OpenBSD's PF is hands down and away the best way to manipulate packets (which, in the end, is what a firewall does). ISA requires more hardware, costs money, requires an MS OS (more money), isn't as secure (please don't start that flame war...check OpenBSD's security record), and none of the other features of ISA are mentioned by the OP. I'm not saying ISA isn't a decent product. I have used it, and have it currently in use in one of our test labs (the guy supporting it knows it, nothing else). It works, it's not that bad of software, but we are also running it on a Dell Powerapp 120 (dual 1GHz P3s, 2 GB memory). Compare that to the many smoothwalls (not even close to functionality of raw PF, but easier than both pf and ISA to configure) running on old P2 400s with 128-256MB memory.

Not to mention, can you run ISA off a flash card? Can with M0n0 and BSD.
 

Rilex

Senior member
Sep 18, 2005
447
0
0
But none of the products you've mentioned are application-based firewalls. They don't carry a portion of the feature set that ISA does.

And ISA is a very secure product...In fact, I don't think there is one vulnerability posted for 2004.

As for configuration, ISA 2004 had some steps that were not so obvious, but ISA 2006 makes it dead simple.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Originally posted by: Rilex
But none of the products you've mentioned are application-based firewalls. They don't carry a portion of the feature set that ISA does.

And ISA is a very secure product...In fact, I don't think there is one vulnerability posted for 2004.

As for configuration, ISA 2004 had some steps that were not so obvious, but ISA 2006 makes it dead simple.

You are opening a can of worms here bub....it all depends on what layers you want to manage. Pfsense/m0n0wall and most are layer 3, and that is fine for most people who use a layer 7 type software package at each PC.

For layers 4 and above, you will need a lot of CPU power. We start getting into the realm of astaro, isa, and others.


I would tell the OP to try out pfsense on a box. It is basically m0n0wall but with the new distro plus a bunch of features that our puny Soekrises can't handle. IIRC it supports multiple WANs, load balancing etc.


 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
The choice of a firewall depends a lot on what you are trying to control:

Inbound packets, but just want to block certain ports or limit their source?
Inbound packets, but want to pre-scan them for known attacks?
Control outbound traffic (from employees)?
Control encrypted traffic (either inbound or outbound)?

As the control requirements increase, so does the complexity of the software and the CPU requirements.

I think I just repeated what Goosemaster said.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Originally posted by: RebateMonger
The choice of a firewall depends a lot on what you are trying to control:

Inbound packets, but just want to block certain ports or limit their source?
Inbound packets, but want to pre-scan them for known attacks?
Control outbound traffic (from employees)?
Control encrypted traffic (either inbound or outbound)?

As the control requirements increase, so does the complexity of the software and the CPU requirements.

I think I just repeated what Goosemaster said.

except that no one listens to me so :beer:
 