Linux Based Firewalls
brian
lists at karas.net
Fri Nov 14 09:25:05 EST 2003
On Fri, 2003-11-14 at 07:46, Sharpe, Richard wrote:
> Hi all
>
> We are attempting to find an Enterprise strength Firewall, so far
> Smoothwall has been evaluated and we found that SuSE's Firewall on CD
> is not sold in the US, do any of you have any favorites to recommend?
> I would feel better hearing what this group has to say instead of
> sales people.
You could write a book on this :)
Enterprise means so many things to so many different people. Here is my
"Enterprise":
Corporate/wholesale ISP serving DS3, T1 and DSL circuits, and providing
co/lo services to large and small sites/customers.
We do a lot of "firewalling" with Cisco ACLs. It drops packets right
at the router and allows for very flexible configuration/customization.
If you're comfortable with IOS (and have Cisco gear currently) you might
want to give this a good look.
The majority of our firewalls for dedicated customers are SonicWalls.
Some of these are customer-provided, and some are installed based on our
recommendation. Overall the Sonic is a Good product, I hesitate to call
it great, but I think the bigger problem is just that people sometimes
try to use them in situations that call for something a little beefier.
They don't seem to like more than about 6000 connections (Pro 300s),
which means a worm/virus infection can bring your firewall down. (Of
course, everyone always keeps all patches up to date so this is never a
problem...)
I've also been looking at some Linux-based firewalls, Mandrake MNF for
one. I like MNF a lot, it has a lot of nice built-in features, and a
nice (enough) GUI. But the truth is that for an "enterprise" I want
something a little more, with a vendor I can call 24x7 for support, and
with a larger installed base. I'll probably deploy the MNF for some
internal private-net stuff, and/or for some of my sandbox servers, but I
don't fully feel comfortable sticking it in front of customer equipment
yet. There is also the Cisco PIX, which is kinda Linux-based, but I
haven't done much with that box.
My first-level recommendation would be to not use a Linux firewall just
to use a Linux product. Evaluate your needs first (maybe you already
have). I'd feel fine enough sticking one of these firewall distros in
front of my office network, but not in front of racks that bill for
$10,000/mo...
HTH...
More information about the gnhlug-discuss mailing list