[RndTbl] Main firewall / router for public facing subnet

Trevor Cordes trevor at tecnopolis.ca
Mon Mar 30 17:04:24 CDT 2020


On 2020-03-30 Alberto Abrao wrote:
> I have the feeling that's redundant. That, and having a main router
> in front of them would help me set up things such as QoS and a
> central firewall.
> 
> I am used to doing this for simple NAT duties, but this time I would 
> have a router managing public facing IP addresses.

You can do all this with Linux quite easily.  It's a bit to delve into,
though, if you want to handle and route multiple IPs, NATing some, etc.
The interface, iptables and route stuff will start to get complex.

But then you get fun features like qos (tc command), like you said.

I'd say find a way to start slow.  Like start making your
single-connection-point firewall first without putting any boxes behind
it.  Then move them behind it one by one as you add more
setups/features to the firewall.

Some will say use OpenBSD for all of this, but I say use Linux.  Or,
more accurately, use what you know and are good at.  It'll be easier to
get a grasp of things if you're already partway there.

Also, I always recommend "rolling your own" using basic utilities
rather than using some pre-made "simple" firewall/router distro.  But
that's mostly because I like my boxes to serve many duties, not one
just for firewall, one just for NAS, etc.  Plus, you learn more doing
it yourself, and have ultimate flexibility.  With a purpose-made distro
you'll eventually run into something you want to do that it can't.

My 2c.  YMMV!
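As an added illustration of the "roll your own" approach described in this message (example code, not something Trevor or the list posted): a small POSIX shell script that turns a Linux box into the single connection point, routes a public subnet without NAT, NATs a private LAN, and adds a basic HTB class for QoS with tc. Interface names and addresses are hypothetical placeholders (WAN on eth0, the public subnet 203.0.113.0/28 on eth1, a private LAN 192.168.10.0/24 on eth2, one web host 203.0.113.10); the IPT, TC and SYSCTL variables let the whole thing be dry-run with echo so every rule can be reviewed before it touches the kernel.

```shell
#!/bin/sh
# Added example (not from the original message): a minimal hand-rolled Linux
# firewall/router.  Hypothetical layout: WAN eth0; routed public subnet
# 203.0.113.0/28 on eth1 (real addresses, no NAT); private LAN
# 192.168.10.0/24 on eth2 (NATed out the WAN).  Set IPT=echo TC=echo
# SYSCTL=echo to dry-run: rules are printed, nothing is applied.

IPT="${IPT:-iptables}"
TC="${TC:-tc}"
SYSCTL="${SYSCTL:-sysctl}"
WAN=eth0
PUB_IF=eth1;  PUB_NET=203.0.113.0/28
LAN_IF=eth2;  LAN_NET=192.168.10.0/24
WEB_HOST=203.0.113.10          # the one public host reachable on 80/443

fw_reset() {
    # Enable routing, flush everything, and drop by default so only
    # explicitly allowed traffic passes through or into the router.
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$IPT" -F; "$IPT" -t nat -F; "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

fw_input() {
    # Traffic to the router itself: loopback, replies, SSH and ping from the LAN only.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -p icmp -j ACCEPT
}

fw_forward() {
    # The central firewall for every box behind the router.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: the public subnet may only source its own addresses,
    # and nothing arriving from the WAN may claim an inside address.
    "$IPT" -A FORWARD -i "$PUB_IF" ! -s "$PUB_NET" -j DROP
    "$IPT" -A FORWARD -i "$WAN" -s "$PUB_NET" -j DROP
    "$IPT" -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Both inside networks may initiate connections to the Internet.
    "$IPT" -A FORWARD -i "$PUB_IF" -o "$WAN" -s "$PUB_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Inbound from the Internet: only HTTP/HTTPS to the web host, routed, no NAT.
    "$IPT" -A FORWARD -i "$WAN" -o "$PUB_IF" -d "$WEB_HOST" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # The public subnet must not reach the private LAN; log what falls through.
    "$IPT" -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -j DROP
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

fw_nat() {
    # Only the private LAN is NATed; the public subnet keeps its real addresses.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

qos_wan() {
    # Simple HTB shaping on the uplink: 20 Mbit total, SSH and DNS get a
    # guaranteed 5 Mbit with higher priority, everything else shares the rest.
    "$TC" qdisc del dev "$WAN" root 2>/dev/null || true
    "$TC" qdisc add dev "$WAN" root handle 1: htb default 30
    "$TC" class add dev "$WAN" parent 1: classid 1:1 htb rate 20mbit ceil 20mbit
    "$TC" class add dev "$WAN" parent 1:1 classid 1:10 htb rate 5mbit ceil 20mbit prio 1
    "$TC" class add dev "$WAN" parent 1:1 classid 1:30 htb rate 15mbit ceil 20mbit prio 2
    "$TC" filter add dev "$WAN" parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
    "$TC" filter add dev "$WAN" parent 1: protocol ip prio 1 u32 match ip dport 53 0xffff flowid 1:10
}

apply_all() {
    fw_reset; fw_input; fw_forward; fw_nat; qos_wan
}

# Run as root with FW_APPLY=1 to apply; otherwise nothing touches the kernel.
if [ "${FW_APPLY:-0}" = "1" ]; then
    apply_all
fi
```

Review the dry run first (`IPT=echo TC=echo SYSCTL=echo FW_APPLY=1 sh fw.sh`), then apply it from a console rather than over SSH, since the INPUT policy flips to DROP before the SSH allow rule is added. This matches the "start slow" advice: the script can be applied with no boxes behind the router, and hosts moved onto the public subnet or the LAN one at a time as rules are added.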
