[RndTbl] Main firewall / router for public facing subnet
alberto at abrao.net
Mon Mar 30 17:42:30 CDT 2020

Right now I have the servers on their own and my internal network is
routed using an OpenBSD box.
Doing it for a single external IP is manageable to me, the thing is the
leap in doing it for multiple public IPs. I do know I have some heavy
reading ahead, and I look forward to it. Any recommendations are very

I did what you mentioned with a multi-function CentOS machine for the
longest time, then when I got multiple static IPs I decided to route my
internal network with Debian. After a while, decided to try
IPFire/pfSense/OPNsense, but it wasn't long until I got tired of the
GUI. So Adam mentioned OpenBSD is the thing if you want security, and
I've been looking for ways to get my feet wet on the BSDs besides
purpose-built ready-to-go packages such as *sense. And here I am.

I used to do one-box-for-everything as well, mostly because I didn't
have a lot of equipment to begin with. However, I see lots of people
talking about security, and I can see having things on separate places
reduces the impact if any of them were to be breached. Also, I am kind
of OCD with my hardware. It sucked having my wife screaming on one side
and family calling on the other because I knocked off the lone box
whenever I wanted to dust its fans. At least now I can pick my battles =D

On 2020-03-30 5:04 p.m., Trevor Cordes wrote:
> You can do all this with Linux quite easily. It's a bit to delve into,
> though, if you want to handle and route multiple IPs, NATing some, etc.
> The interface, iptables and route stuff will start to get complex.
> But then you get fun features like qos (tc command), like you said.
> I'd say find a way to start slow. Like start making your
> single-connection-point firewall first without putting any boxes behind
> it. Then move them behind it one by one as you add more
> setups/features to the firewall.
> Some will say use OpenBSD for all of this, but I say use Linux. Or,
> more accurately, use what you know and are good at. It'll be easier to
> get a grasp of things if you're already partway there.
> Also, I always recommend "rolling your own" using basic utilities
> rather than using some pre-made "simple" firewall/router distro. But
> that's mostly because I like my boxes to serve many duties, not one
> just for firewall, one just for NAS, etc. Plus, you learn more doing
> it yourself, and have ultimate flexibility. With a purpose-made distro
> you'll eventually run into something you want to do that it can't.
> My 2c. YMMV!
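The "start slow" approach from Trevor's reply (a single-connection-point firewall first, then publishing one box at a time behind it, with a public IP NATed to each) looks roughly like this on Linux with iptables. This is an added illustration, not code from the thread or from either poster; the interface names, the RFC 5737 public addresses and the RFC 1918 DMZ subnet are assumed placeholders, and the script prints the commands unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread. A default-deny firewall for one
# public-facing subnet, grown one published host at a time.
# Interfaces, addresses and hosts below are assumed placeholders.
WAN="${WAN:-eth0}"                      # assumed: interface holding the public IPs
DMZ="${DMZ:-eth1}"                      # assumed: interface to the public-facing subnet
DMZ_NET="${DMZ_NET:-192.168.50.0/24}"   # assumed RFC 1918 range for the DMZ
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute them (needs root)

# run: print (dry run) or execute one iptables command
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# base_policy: the "nothing behind it yet" starting point. Forwarding is
# denied by default; only reply traffic and explicitly published services
# cross the box. Also drops packets arriving on WAN that claim a DMZ source.
base_policy() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -s "$DMZ_NET" -j DROP
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
}

# publish_host PUBLIC_IP DMZ_HOST PORT...: move one box behind the firewall.
# Inbound, only the listed TCP ports on PUBLIC_IP are DNATed to the host;
# outbound, the host is SNATed to the same public IP so it keeps a stable
# source address. Call this once per box as you migrate them.
publish_host() {
    pub="$1"; host="$2"; shift 2
    for port in "$@"; do
        run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -p tcp --dport "$port" \
            -j DNAT --to-destination "$host"
        run iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$host" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$host" -j SNAT --to-source "$pub"
}

# rule_count GENERATOR ARGS...: number of commands a generator would emit;
# a quick sanity check on a dry run before flipping DRY_RUN to 0.
rule_count() { DRY_RUN=1 "$@" | wc -l | tr -d ' '; }

base_policy
publish_host 203.0.113.10 192.168.50.10 80 443   # constructed: a web host
publish_host 203.0.113.11 192.168.50.11 22       # constructed: an ssh host
```

Each published host gets exactly the ports you list and nothing else, and the anti-spoofing rule in base_policy keeps a compromised DMZ host from forging DMZ-sourced packets through the WAN side. Review the dry-run output, then rerun with DRY_RUN=0 and persist the rules with your distribution's iptables-save mechanism.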