dear firewall gurus, for my testlab i'm looking for a (linux) firewall to create a dmz. i have a few unused intel-boxes. maybe i can use them to build a dedicated firewall-appliance. any suggestions? it doesn't matter if it's free :-))
What kind of DMZ do you want to build? There are two basic setups for a DMZ:
WAN --- Firewall_1 --- DMZ --- Firewall_2 --- LAN
WAN --- Firewall --- LAN | DMZ
On the firewall(s) you need a packet filter. In the case of Linux you'd use netfilter (the packet filter included in the Linux kernel). For tutorials on netfilter see [1,2]. Basically you allow these connections on your firewall(s):
WAN -> DMZ: allow
WAN -> LAN: deny
DMZ -> WAN: allow
DMZ -> LAN: deny
LAN -> DMZ: allow
LAN -> WAN: allow/deny depending on your policy
Traffic related to the above connections: allow
These very basic DMZ setups can be enhanced/modified in many different ways, e.g. by adding layer7-filtering [3] to the firewalls, putting proxies (e.g. Squid [4]) into the DMZ, setting up bastion hosts, etc.
However, the matter is far too complex to cover more than the very basics in one newsgroup post. I suggest you read a good book on firewalls (e.g. [5]) to get you started.
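As an added illustration (not part of the reply above), here is the policy table from that post written as netfilter/iptables FORWARD rules for the single-firewall topology (WAN --- Firewall --- LAN | DMZ). The interface names eth0/eth1/eth2 and the choice to allow LAN -> WAN are assumptions; setting IPTABLES=echo gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: iptables FORWARD rules for  WAN --- Firewall --- LAN | DMZ.
# Assumed interface names; adjust them to the box you build.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
# IPTABLES=echo turns this into a dry run that prints instead of applying.
IPTABLES=${IPTABLES:-iptables}

apply_dmz_rules() {
    # Clean, default-deny FORWARD chain: whatever the rules below do not
    # explicitly accept is dropped.
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP

    # "Traffic related to the above connections: allow" -- replies and
    # related packets (e.g. ICMP errors) of connections already accepted.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections, one rule per zone pair of the policy table.
    $IPTABLES -A FORWARD -i "$WAN" -o "$DMZ" -m conntrack --ctstate NEW -j ACCEPT  # WAN -> DMZ allow
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -j DROP                               # WAN -> LAN deny
    $IPTABLES -A FORWARD -i "$DMZ" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT  # DMZ -> WAN allow
    $IPTABLES -A FORWARD -i "$DMZ" -o "$LAN" -j DROP                               # DMZ -> LAN deny
    $IPTABLES -A FORWARD -i "$LAN" -o "$DMZ" -m conntrack --ctstate NEW -j ACCEPT  # LAN -> DMZ allow
    # LAN -> WAN is "allow/deny depending on your policy"; allowed here (assumption).
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    # The explicit DROP rules are redundant with the chain policy but keep the
    # deny decisions visible in `iptables -L FORWARD` and in packet counters.
}

# Usage: sh dmz-fw.sh apply      (dry run: IPTABLES=echo sh dmz-fw.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_dmz_rules
fi
```

These rules cover only traffic forwarded between the three interfaces; the INPUT chain protecting the firewall host itself and any NAT towards the WAN are separate.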
is a small Linux distribution (live cd or compactflash image). It has an SPI and packet filter image. It supports a captive portal to authenticate the users by using a web browser, and a radius server too.
at the risk of getting flamed, i recommend openbsd for a lightweight firewall. its firewall, pf, is imho easy to set up and get going. and the documentation for it is second to none, again imho.
opinion: o-pinyun noun 1: belief 2: judgment 3: formal statement by an individual
Yeah, but it's only one of many that are available. I've tried over twenty, and the biggest differences were in the user interface. Personally, I'm using a stripped kernel and a simple script, which is more versatile though admittedly requires more skill. Hit
So, why do you believe other firewalls (esp. custom-made firewalls running Linux) are not good? What exactly makes Astaro better? Besides, why do you believe that the products of this company come even close to the OP's requirements ("build a linux-based firewall w/ DMZ on a few unused Intel-boxes")?