[RndTbl] Main firewall / router for public facing subnet

Adam Thompson athompso at athompso.net
Mon Mar 30 17:33:57 CDT 2020

On 2020-03-30 17:04, Trevor Cordes wrote:
> On 2020-03-30 Alberto Abrao wrote:
>> I have the feeling that's redundant. That, and having a main router
>> in front of them would help me set up things such as QoS and a
>> central firewall.

> I'd say find a way to start slow.  Like start making your
> single-connection-point firewall first without putting any boxes behind
> it.  Then move them behind it one by one as you add more
> setups/features to the firewall.


> Some will say use OpenBSD for all of this, but I say use Linux.  Or,
> more accurately, use what you know and are good at.  It'll be easier to
> get a grasp of things if you're already partway there.

That's true, assuming you don't think IPTables/NFtables is some 
Lovecrraftian nightmare that needs to be killed with fire.

My personal preference is to use pfSense, as it provides a good balance 
between a helpful GUI, access to the OS if needed, performance, 
flexibility, etc.  It's not perfect, but it's a good starting point if 
you have a clue what you want to do.  There are quite a lot of pfSense 
users here, most lurk.

> Also, I always recommend "rolling your own" using basic utilities
> rather than using some pre-made "simple" firewall/router distro.  But
> that's mostly because I like my boxes to serve many duties, not one
> just for firewall, one just for NAS, etc.  Plus, you learn more doing
> it yourself, and have ultimate flexibility.  With a purpose-made distro
> you'll eventually run into something you want to do that it can't.

While true, security best-practice says to never do more than one thing 
on your firewall in the first place.  There's always an exception to 
that rule, but not being *able* to install Samba on your firewall might 
be a good thing...


More information about the Roundtable mailing list