OT: disappointed with the firewall distros I’ve looked at

We’ve been looking at building a gateway/firewall machine, with load balancing, failover, and many other nice features. For security purposes, we’ve wanted to run it in a very particular way.

All the distributions we’ve tried: ClearOS, Vyatta, Endian, IPFire, Zentyal … all of them … sorta … kinda … did what we wanted. Sorta. Kinda.

But not quite.

ClearOS never worked. I mean it installed, configured, but it could never pass packets correctly. We tried, but it failed.

We were assured Vyatta could do what we wanted. And when we looked into it more, sure enough, the multi-WAN load balancing/failover is a planned feature.

Endian FW also has what we want. As a planned feature. IPFire as well.

Zentyal was recommended and we tried it. And it also failed to pass packets. It could figure out how to light up both interfaces so pings worked. But it couldn’t seem to figure out how to pass port 22 from an interface to a specific machine.

So here we are, with ~15 hours invested, and nary a working firewall distro to replace our aging unit. The appliance route is looking better and better.

I am guessing that these make for great small business servers. They don’t do so well as firewall/router/gateways though, for anything more complex than a single wire in and a single wire out, with no internal services.

So I guess I am going the appliance route again. This time, I need to see benchmark data. We have some nice bandwidth coming in, would be nice to be able to use it all.


9 thoughts on “OT: disappointed with the firewall distros I’ve looked at”

  1. I’m not sure what you want to achieve, but planning, installing, testing and working out all the kinks from a new firewall surely takes longer than 15 hours. We just did that recently and it took us about a week of evaluating the currently available distributions, some two days for testing, a day of deploying and maybe another half a day working out the last kinks.

    We’ve set up a 2-node firewall cluster with 2 WAN links, running on IBM HS21 blades. It works pretty well so far. We separated our traffic into three zones and about 6 different networks/VLANs.

    In case you’re interested, we went for pfSense (http://www.pfsense.org/). Except for some esoteric transparent proxy feature we wanted to use, it works like a charm.

    Anyways, good luck with that –
    Alex.

  2. @Alexander

    It’s fairly easy to test basic functionality without great effort. We try with a single port forward effort. If this works, we go on to the deeper evaluation. If the firewall can’t even pass basic packets, there is no reason to look any further.

    Spent 8 hours with ClearOS. 1 hour with Vyatta, 1 with Endian, etc., until we got to Zentyal. Spent 5 hours with that. Once we understood the basic operations, we followed their procedures to set it up. Got to where we thought we should have. Then tried to do the next steps of getting 1 specific test service working. Sadly, it didn’t work.

    Honestly, I suspect that we are running into an issue of too many features. The firewall/router gets in the way of the other bits. And vice versa.

    Oddly, we didn’t look at pfSense. Will do this now. Maybe (because it’s more focused) it will do the job right.

  3. A basic Linux box with iptables + haproxy + squid doesn’t work for you? I run one of these on the back of a 40mbit bonded DSL connection and it’s fantastic. Transparent proxying, port forwarding, acceleration for our internal sites, DMZ.

    15 hours would have been plenty of time to read man pages etc and just configure it 😉
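The "single port forward" smoke test from comment 2, done with plain iptables as comment 3 suggests, as an added example (not code from the post or from any commenter). It forwards TCP/22 arriving on the WAN interface to one internal host, with a default-deny FORWARD chain so only the explicitly allowed flow passes. The interface names, the RFC 5737 documentation address and the internal target host are assumed values; adjust them for a real gateway. The script prints the rules by default (dry run) and applies them only when invoked with `apply`.

```shell
#!/bin/sh
# Added example: minimal iptables port forward (DNAT) for the "does it actually
# pass packets?" test. Not from the original post. All addresses/interfaces
# below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
TARGET="${TARGET:-192.168.10.20}"     # internal box that should receive port 22
PORT="${PORT:-22}"

# Emit the rules as lines instead of running them, so they can be reviewed
# (or checked by a test) before they touch a live gateway.
port_forward_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $TARGET:$PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# The precondition that most often makes a "configured" box fail the test:
# IPv4 forwarding is off in the kernel, so the DNAT rule matches but the
# FORWARD chain never sees the packet. Returns 0 only when forwarding is on.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply every emitted rule in order; sh -e aborts on the first rule that fails
# so a half-applied ruleset does not silently pass as success.
apply_rules() {
  forwarding_enabled || sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  port_forward_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     port_forward_rules ;;   # dry run: print what would be applied
esac
```

To run the actual test from outside, connect to port 22 on the WAN address and watch the packet counters with `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n`: a DNAT counter that increments while the FORWARD counter stays at zero is the "interfaces light up but nothing passes" symptom described in the post, and usually means forwarding is off or a default DROP policy has no matching accept.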

  4. We’re very happily using several failover pairs of OpenBSD + pf + carp. It is incredibly featureful, and only as complex as it needs to be.

    A firewall is not something where you want to be shielded from the complexity, unless your needs are very very typical.

  5. @Mark

    Yeah … but I need people who are … erm … less familiar with ip route command line args to be able to manage it when I am not around and we need something specific to be done. Hence GUI packages.

    Will look more at pfSense. Reading some of the bits, it looks like it will do what we want, and pretty painlessly at that. Does GUI and command line. No extra things to get in the way.

  6. @Luke

    We are looking at pfSense now. Roughly a specific version of OpenBSD + pf. CARP is built in I think. We are after the admin GUI for the people who will need this.

  7. @Gavin

    Yes … but my point is that I need a nice GUI for other people to use. I don’t mind crafting my own iptables rules. I don’t want others to try this if they aren’t intimately familiar with all aspects of what can go wrong, and how to fix it.
