[RndTbl] Main firewall / router for public facing subnet
athompso at athompso.net
Mon Mar 30 17:33:57 CDT 2020
On 2020-03-30 17:04, Trevor Cordes wrote:
> On 2020-03-30 Alberto Abrao wrote:
>> I have the feeling that's redundant. That, and having a main router
>> in front of them would help me set up things such as QoS and a
>> central firewall.
> I'd say find a way to start slow. Like start making your
> single-connection-point firewall first without putting any boxes behind
> it. Then move them behind it one by one as you add more
> setups/features to the firewall.
> Some will say use OpenBSD for all of this, but I say use Linux. Or,
> more accurately, use what you know and are good at. It'll be easier to
> get a grasp of things if you're already partway there.
That's true, assuming you don't think IPTables/NFtables is some
Lovecrraftian nightmare that needs to be killed with fire.
My personal preference is to use pfSense, as it provides a good balance
between a helpful GUI, access to the OS if needed, performance,
flexibility, etc. It's not perfect, but it's a good starting point if
you have a clue what you want to do. There are quite a lot of pfSense
users here, most lurk.
> Also, I always recommend "rolling your own" using basic utilities
> rather than using some pre-made "simple" firewall/router distro. But
> that's mostly because I like my boxes to serve many duties, not one
> just for firewall, one just for NAS, etc. Plus, you learn more doing
> it yourself, and have ultimate flexibility. With a purpose-made distro
> you'll eventually run into something you want to do that it can't.
While true, security best-practice says to never do more than one thing
on your firewall in the first place. There's always an exception to
that rule, but not being *able* to install Samba on your firewall might
be a good thing...
More information about the Roundtable