[RndTbl] Main firewall / router for public facing subnet

Alberto Abrao alberto at abrao.net
Mon Mar 30 17:42:30 CDT 2020

Right now I have the servers on their own and my internal network is 
routed using an OpenBSD box.

Doing it for a single external IP is manageable to me, the thing is the 
leap in doing it for multiple public IPs. I do know I have some heavy 
reading ahead, and I look forward to it. Any recommendations are very 
much appreciated.

I did what you mentioned with a multi-function CentOS machine for the 
longest time, then when I got multiple static IPs I decided to route my 
internal network with Debian. After a while, I decided to try 
IPFire/pfSense/OPNsense, but it wasn't long until I got tired of the 
GUI. So Adam mentioned OpenBSD is the thing if you want security, and 
I've been looking for ways to get my feet wet on the BSDs besides 
purpose-built ready-to-go packages such as *sense. And here I am.

I used to do one-box-for-everything as well, mostly because I didn't 
have a lot of equipment to begin with. However, I see lots of people 
talking about security, and I can see having things in separate places 
reduces the impact if any of them were to be breached. Also, I am kind 
of OCD with my hardware. It sucked having my wife screaming on one side 
and family calling on the other because I knocked off the lone box 
whenever I wanted to dust its fans. At least now I can pick my battles =D

Alberto Abrao

On 2020-03-30 5:04 p.m., Trevor Cordes wrote:
> You can do all this with Linux quite easily. It's a bit to delve into,
> though, if you want to handle and route multiple IPs, NATing some, etc.
> The interface, iptables and route stuff will start to get complex.
> But then you get fun features like qos (tc command), like you said.
> I'd say find a way to start slow.  Like start making your
> single-connection-point firewall first without putting any boxes behind
> it.  Then move them behind it one by one as you add more
> setups/features to the firewall.
> Some will say use OpenBSD for all of this, but I say use Linux.  Or,
> more accurately, use what you know and are good at.  It'll be easier to
> get a grasp of things if you're already partway there.
> Also, I always recommend "rolling your own" using basic utilities
> rather than using some pre-made "simple" firewall/router distro.  But
> that's mostly because I like my boxes to serve many duties, not one
> just for firewall, one just for NAS, etc.  Plus, you learn more doing
> it yourself, and have ultimate flexibility.  With a purpose-made distro
> you'll eventually run into something you want to do that it can't.
> My 2c.  YMMV!