Low power mini-itx system for firewall

Hi all,

I'm looking for a low-cost system to install Linux and firewall software on. Someone recommended that I use a cheap $200 system, but most cheap computers are going to be fairly power hungry. I've been told that the cost for power and cooling for server room equipment is about US one dollar per year. At that rate, the cost of power for the firewall could outweigh the cost of the hardware within a few years.

With this in mind, I've been looking for a reliable, fairly cheap ($400 to $500), very low-power (around 20 watt) system with 2 or 3 gigabit Ethernet ports, 256 MB to 1 GB of DDR II RAM, 40 to 80 GB hard disk, USB ports, and a PCI slot for expansion. I've found many 1.5 GHz VIA C7-based systems that fit the bill, for example:

I've also found some ultra-low-power Celeron-based systems that meet my criteria, but they never have any prices listed. Does anyone have any price information for Celeron-based systems similar to the above VIA C7-based systems?

More generally, for those of you who have set up a firewall on similar hardware, what have been your experiences? Have any of you accidentally bumped the power button some of these units have unexposed right on the front panel? What version of Linux would you recommend, a special embedded Linux, or a full-featured Linux like CentOS? Are there other processors besides VIA C7 and Celeron I should be considering? Most importantly, does the 1.5 GHz VIA C7 have enough horsepower to serve as a firewall between two gigabit Ethernet LANs?

Thanks, Steve

Reply to
Steve Chapel

Steve Chapel:

Why not just buy a firewall?

If you must build, a hard drive is not necessary. You can run a firewall from a cd-rom or thumb drive.

Reply to
Mac Cool

I'm running 'Bering Leaf' on an old 400 Meg Celeron from a CF card. Even the Celeron is overkill - a 100 Meg Pentium 1 is adequate. The firewall is iptables configured by Shorewall.

Jim Ford

Reply to
Jim Ford

That's a valid question. The consulting company I'm working with recommended using a generic PC with several Ethernet ports as a firewall. In a recent Slashdot article many readers suggested the same thing. Buying fairly generic hardware and installing software for specific purposes seems to be a growing trend. Similarly, we are using off-the-shelf servers with clustering software for our cluster rather than buying customized hardware, and installing Asterisk on a server instead of buying a hardware PBX. I suppose the question I would ask back is:

Why would I *want* to buy just a firewall?

I suppose I could, but having a hard disk makes the system more flexible for just a slight increase in cost. I like the idea of running full-featured CentOS (the open version of Red Hat Enterprise Linux) on relatively cheap, low-power hardware, and being able to do anything I want with the system as long as I have enough memory, CPU, and hard disk space.

I suppose I'll just have to buy a unit for use as our Internet firewall (which at 1.5 or 3 Mbps I'm sure it can handle) and evaluate for myself if it can function as a firewall between two gigabit Ethernet networks without introducing too much latency or reducing bandwidth too much.

Reply to
Steve Chapel

That's what many people seem to do. The point of my original post is that such a setup is not as cost effective as it may seem at first glance. The cost of power to keep that old computer up and running 24/7 for years can add up to hundreds of dollars. FYI, you can use a Kill A Watt EZ to measure power consumption and estimate the cost of power per year.

Reply to
Steve Chapel

For low power consumption you might want to have a look at micro ATX boards that support AMD Geode procs. For a quiet, low power hard drive you could use an IDE or SATA compact flash adapter. I'd also suggest some low noise CPU/case fans and power supply. If you didn't need Gb ethernet, I'd recommend the Soekris net5501 which includes an AMD Geode LX and four 100Mb ethernet ports.

-Gary

Reply to
Gary

In your original post you stated:

] I've been looking for a reliable, fairly cheap ($400 to $500), very
] low-power (around 20 watt) system with 2 or 3 gigabit Ethernet ports,

A generic box that is going to be able to keep 3 gigabits hoses full is not going to be the ultra cheap box.

Apples and oranges

A firewall runs firewall code. It does not have lusers logging in and clicking on icons with one hand. So, do you want another desktop, OR do you want a firewall? The two are not the same, and if you think they are, then your understanding of a firewall is coming up short. Anything running on the firewall is a possible point of exploits, and for that reason, firewalls should have the minimum software installed to allow them to run the firewall. Anything else is increasing the risks. Thus, we don't use a generic kernel (never mind a distribution) but have compiled one for this specific hardware.

On your Linux desktop, figure out where a command line is hiding, and run the command 'top' and see what is sucking those resources. You'll likely discover that the top ten processes are all related to your GUI. Why should you be wasting those CPU cycles on a firewall that is already going to be busy enough trying to shift packets between gigabit NICs?

A lot depends on what you are expecting your firewall to be doing. Simple blocks of address or port ranges or protocols are RELATIVELY inexpensive. Content filtering is going to be horribly expensive. On top of that, you throw in gigabit speeds with unspecified traffic density which is going to be influenced by CPU and bus cycles. Trying to route between more than two interfaces is also going to complicate matters, and if latency/bandwidth is important, restricting the firewall to just two interfaces may make a significant improvement.

Yes, people do run firewalls on low power PCs. My home firewall is what is left of a 386SX-16 laptop (remember them?) that lacks a case, keyboard, or display. It's drawing around 15 VA, and obviously doesn't have the capability of running X. The networking connections are 10 MBit Ethernet, because that's twice as fast as the Internet connection (the LAN runs at 100 MBit with a switch translating between the different speeds). The firewall isn't trying to manage two (or more) high speed connections in addition to the connections to the world, so the 386 is actually sufficient. Administration of the firewall is done over the net (restricted to specific systems on the LAN only), and the serial port (see the Remote-Serial-Console-HOWTO) as a backup. What more can you expect a firewall to do?

Old guy

Reply to
Moe Trin

I am not looking for an ultra cheap box. I'm looking for a fairly cheap box. Surely there exist $400 to $500 computers that can serve as a firewall between two gigabit Ethernet networks?

I will raise the security issues you point out with my consultants. It sounds like a legitimate concern, and I'm interested in how they'll respond.

I don't plan on running a GUI. Why would I want to run a GUI on a computer that's serving as a firewall? On my cluster's frontend node I'm running CentOS. It's currently using 0.0% CPU and consuming 220 MB of RAM. A fairly cheap computer can easily have 512 MB of RAM and 40 MB hard disk, which seems plenty of resources to run CentOS. My concern about the 1.5 GHz VIA C7 systems is that the CPU is only about as fast as a 600 MHz Celeron, but the OS is not going to be consuming CPU on its own.

On our Internet connection (1.5 or 3.0 Mbps) we will be running a stateful firewall and may be doing some content filtering.

We will also need a firewall for our 802.11n wireless access point (300 Mbps). This firewall would be allowing traffic from our own laptops to get into our internet network, and allowing guest laptops to access only the Internet. I would think that this filtering would be inexpensive.

We might also want a firewall between our remotely accessible systems, such as our email and web servers, and our internal network. Both of these networks will be gigabit Ethernet. This is where I'm not sure the 1.5 GHz VIA C7 will be fast enough.

Reply to
Steve Chapel

During my research I came across this paper that concludes that the Geode is only a bit faster than the VIA C7 at the same clock speed. It looks like a low-power Geode will run at 1 GHz at most, so that will probably be even slower than a 1.5 GHz VIA C7.

I'm not entirely comfortable with building my own system anyway. I'm looking for a system that is already built and tested. The most I would be willing to do is add NIC cards to a prebuilt system, or maybe add some RAM.

Reply to
Steve Chapel

That 386SX I'm using has 8 Megs of RAM. But the release notes for Fedora 6 and 7 state it _requires_ 128 MB for text-mode, 192 MB for GUI, and _recommends_ 256 MB for the GUI. That's mainly because of the eye-candy tools it's using.

Most of the servers where I'm working are cast-off workstations, with the fancy video card replaced by a gutless SVGA card (text-only doesn't need horsepower), and the hard drive system replaced (our work-stations are IDE/EIDE/ATA, and our servers tend to be SCSI). Workstations tend to be high-end boxes ("my secretary _needs_ a Quad Xeon with 4 Gigs of RAM to handle my mail"), and such units would normally be severely oversized for then-current server operations.

I know the "40 MB hard disk" is a typ0 (that's not enough room for the install program, never mind the simplest install of a general purpose distribution), and that such drives are rather rare in this age, but there are _firewall_ distributions that don't even need that much.

There's the key. For a simple ("Yes/No") firewall, the bottleneck is going to be the bus between the NICs and the other crap stealing CPU cycles. With bus-mastering NICs, even an old Pentium I should be adequate. If you have the firewall doing content filtering, or running around in circles drawing pictures for some luser who should be using their own desktop for those tasks, then the CPU becomes a lot more important.

That would _probably_ be OK, as the connection allows time to do things.

Should be - the WAP is doing the hard work, and all you're going to be doing is simple routing with a Yes/No type of firewall. As an aside, we do not allow guest computers on our networks. Period. We have a completely separate network with systems in the cafeteria and employee break areas so that our employees can do personal stuff. I'm using one now to post this. On occasion, visitors have been allowed to use those computers (which are actually owned by the employee association), but that's not very common.

A lot depends on the paranoia of the setup. In our case, the only access to the DMZ _from_ the internal LAN is administrative, and limited to a few systems. Access _to_ the DMZ is similarly limited. The public mail server can only be accessed by the internal mail servers. All other connections are blocked. Systems in the DMZ can not initiate connections to the internal networks. The web server in the DMZ is for external use, and thus traffic between it and the administrative box inside is relatively light. (The web servers used internally have no need for external access. Internal use of external web servers is through a proxy.)

Old guy

Reply to
Moe Trin
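The DMZ policy described in the post above (admin access only from a few internal hosts, the public mail server reachable only from the internal mail servers, no DMZ-initiated connections into the LAN, internal web access only via a proxy), and the earlier point that a firewall should run nothing beyond the rules it needs, can be written down as a single small nftables ruleset. This is an added example, not Moe Trin's configuration; the interface names (lan0, dmz0, wan0), the addresses, and the choice of SSH for administration are all assumptions made for the illustration.

```nft
#!/usr/sbin/nft -f
# Example only: interface names and addresses below are assumed, not from the thread.
flush ruleset

define ADMIN_HOSTS   = { 10.0.1.10, 10.0.1.11 }   # the few LAN systems allowed to administer the DMZ
define INTERNAL_MAIL = { 10.0.2.25 }              # internal mail servers
define PROXY         = 10.0.2.3                   # internal web proxy
define DMZ_MAIL      = 192.0.2.25                 # public mail server in the DMZ
define DMZ_WEB       = 192.0.2.80                 # external-facing web server in the DMZ

table inet dmz_fw {
    chain forward {
        # Default-deny: anything not explicitly listed below is dropped
        type filter hook forward priority 0; policy drop;

        # Stateful part: replies for flows permitted below; junk state is dropped
        ct state established,related accept
        ct state invalid drop

        # LAN -> DMZ: administrative access from specific systems only
        iifname "lan0" oifname "dmz0" ip saddr $ADMIN_HOSTS \
            ip daddr { $DMZ_MAIL, $DMZ_WEB } tcp dport 22 accept

        # LAN -> DMZ: the public mail server is reachable only from the internal mail servers
        iifname "lan0" oifname "dmz0" ip saddr $INTERNAL_MAIL ip daddr $DMZ_MAIL tcp dport 25 accept

        # LAN -> Internet: web access goes through the proxy, nothing else
        iifname "lan0" oifname "wan0" ip saddr $PROXY tcp dport { 80, 443 } accept

        # DMZ -> LAN: DMZ systems never initiate connections inward
        iifname "dmz0" oifname "lan0" drop

        # Internet -> DMZ: only the services the DMZ exists to expose
        iifname "wan0" oifname "dmz0" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
        iifname "wan0" oifname "dmz0" ip daddr $DMZ_MAIL tcp dport 25 accept

        # Everything else: log it so blocked attempts are visible, then fall to the drop policy
        log prefix "dmz-fw drop: " drop
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. The ordering matters: the `ct state` rules come first so that return traffic for permitted flows is accepted cheaply without re-evaluating the policy, which is what makes a "Yes/No" stateful firewall inexpensive in CPU terms; the explicit `dmz0` to `lan0` drop sits before any broader rule so that a later mistake cannot accidentally open the DMZ inward.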

Steve Chapel:

Why wouldn't you?

You seem to have an objection to every solution. No dig on you, but my suggestion would be to turn the job over to a professional.

Reply to
Mac Cool

Uh, that's what we did. The professional's solution is to use a low-cost PC stuffed with a bunch of gigabit NICs with Linux installed on it.

My question is: Do you know of a low-cost *and* low-power computer for this purpose? I'm guessing your answer is "no." My only objection is that you seem to be answering a question I didn't ask. My reply is "thanks, but no thanks."

Reply to
Steve Chapel

Steve Chapel:

At no point will a professional send you to the internet to do his/her job for them. Hire someone else.

I do not know of any PCs that are low cost, low power AND can fit a "bunch of NICs". Drop the low power requirement and you can build a solution for a few hundred bucks. Or there are dedicated firewalls that are low power, relatively low cost and can support your network.

Reply to
Mac Cool

The average "small" PC motherboard has two or three PCI sockets, and as you don't need an eye-candy monitor, you can get rid of that and the video card with 2 Gigs of VRAM, _perhaps_ get rid of the hard disk (you can run from a floppy, if you're not installing a "popular" distribution) and so on. And you _realize_ that you don't need a "new" system for this application.

Or you could also look at hardware designed for this task. There is a Latvian company that has been advertising in the Linux Journal named 'RouterBoard' (routerboard.com). One example of their product line is a 175 MHz MIPS32 embedded processor, 32 Megs of SDRAM, three 10/100 NICs on-board, and 3 miniPCI slots - very tiny (4.6 x 4.1 inch), for under 90 bucks in onezies. They also have models with four gigabit interfaces but they are far from being the only company in the business, and I'm not advocating or recommending this (or any other) specific vendor.

Old guy

Reply to
Moe Trin

Moe Trin:

The OP has already dismissed pretty much all the options available because they either consume too much power, the processors are too slow or won't hold enough NICs, and has also dismissed a dedicated firewall because it's 'only' a firewall, yet claims he doesn't want to do anything else. In short, he's confused and doesn't know what he wants or what he needs.

Reply to
Mac Cool
