This is a discussion on need cheap firewall recommendation within the Linux Security forums, part of the System Security and Security Related category.
Hi All,

I have a situation where a customer needs a cheap ($300.00-$400.00) appliance firewall. I tried the USR 8200, but it drove me nuts trying to add custom rules (it asks things in a double negative fashion and you can never tell what is incoming and what is outgoing). And, it finally blew out its ROM (it can not be reset to factory).

Does anyone have a recommendation for a replacement? One that won't drive someone familiar with iptables crazy?

-T
If you have an old PC try:
Linux on that machine (free)
use iptables as firewall (free)
use fwbuilder (firewall builder) for config (free for linux/small money for windows)
maybe you need to buy a 4port NIC like the one I use from D-Link
or plug in several old ones single port NICs into your old PC.

HTH

Best
Juergen

"Todd and Margo Chester" <ToddMargoChester@invalid.com> wrote in news posting news:e6tg0b$7h6$1@nntp.aioe.org...
> Hi All,
>
> I have a situation where a customer needs a cheap ($300.00-$400.00)
> appliance firewall. I tried the USR 8200, but it drove me nuts
> trying to add custom rules (it asks things in a double negative
> fashion and you can never tell what is incoming and what is
> outgoing). And, it finally blew out its ROM (it can not be reset
> to factory).
>
> Does anyone have a recommendation for a replacement? One that
> won't drive someone familiar with iptables crazy?
>
> -T
If you are going to do it that way, then for $400 you could build yourself a new PC, as long as you skipped all the stuff you don't need, e.g. graphics card, big hard disk etc.

Juergen Loewner wrote:
> If you have an old PC try:
> Linux on that machine (free)
> use iptables as firewall (free)
> use fwbuilder (firewall builder) for config (free for linux/small money
> for windows)
> maybe you need to buy a 4port NIC like the one I use from D-Link
> or plug in several old ones single port NICs into your old PC.
>
> HTH
>
> Best
> Juergen
>
> "Todd and Margo Chester" <ToddMargoChester@invalid.com> wrote in
> news posting news:e6tg0b$7h6$1@nntp.aioe.org...
>> Hi All,
>>
>> I have a situation where a customer needs a cheap ($300.00-$400.00)
>> appliance firewall. I tried the USR 8200, but it drove me nuts
>> trying to add custom rules (it asks things in a double negative
>> fashion and you can never tell what is incoming and what is
>> outgoing). And, it finally blew out its ROM (it can not be reset
>> to factory).
>>
>> Does anyone have a recommendation for a replacement? One that
>> won't drive someone familiar with iptables crazy?
>>
>> -T
On 2006-06-16, Todd and Margo Chester <ToddMargoChester@invalid.com> wrote:
> Does anyone have a recommendation for a replacement? One that

Have a look at 'm0n0wall' http://m0n0.ch/wall/

Cheap, easy to setup and maintain, runs on old PC hardware or Wrap/Soekris boards, may be installed on HD/CF but also runs from CD.
Very good support through users, etc.

Uli
--
Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote.
Uli Wachowitz wrote:
> On 2006-06-16, Todd and Margo Chester <ToddMargoChester@invalid.com>
> wrote:
>> Does anyone have a recommendation for a replacement? One that
>
> Have a look at 'm0n0wall' http://m0n0.ch/wall/
>
> Cheap, easy to setup and maintain, runs on old PC hardware or
> Wrap/Soekris boards, may be installed on HD/CF but also runs
> from CD.
> Very good support through users, etc.

I like IPCop. http://www.ipcop.org/

Although these days even the cheapest of ADSL/Cable routers provide NAT, port blocking and port forwarding, a better solution might be to use one of them and soft firewalls on the clients.

C.
> I have a situation where a customer needs a cheap ($300.00-$400.00)
> appliance firewall. I tried the USR 8200, but it drove me nuts
> trying to add custom rules (it asks things in a double negative
> fashion and you can never tell what is incoming and what is
> outgoing). And, it finally blew out its ROM (it can not be reset
> to factory).

Secondhand PC running a minimal Fedora Core or Debian etc and Shorewall plus Tripwire.

I've just configured shorewall on a RHEL4 system and liked the power of the tool. You can re-create the firewall on another linux box with config files on a floppy if need be. It's definitely a good tool to have in your back pocket.

Don
Hi Christopher, Juergen, Don & Blah,

There are three things that mitigate against a linux box solution. (And, I'd dearly love to use it, as I disdain such appliances.)

1) power. It needs to be in the 20 watt range, not 200 to 300 watts

2) space. There is a severe space limitation. It needs to be small

3) no moving parts to wear out. This means no fans to be replaced every two to three years (even ball bearing fans wear out) and no hard drives

Which makes you guys the perfect individuals to ask this question. If you had to hold your nose, which cheap, firewall appliance would you choose? (One that does not drive someone familiar with iptables too crazy.)

Thanks,
-T
Todd and Margo Chester wrote:
> Hi All,
>
> I have a situation where a customer needs a cheap ($300.00-$400.00)
> appliance firewall. I tried the USR 8200, but it drove me nuts
> trying to add custom rules (it asks things in a double negative
> fashion and you can never tell what is incoming and what is
> outgoing). And, it finally blew out its ROM (it can not be reset
> to factory).
>
> Does anyone have a recommendation for a replacement? One that
> won't drive someone familiar with iptables crazy?
>

CyberGuard SG-series (nee SnapGear) runs Linux and iptables. There's a web-based front-end but you can add your own iptable rules. There are various models and prices, starting with the SoHo-class SG-300.

--
Sak Wathanasin
Network Analysis Limited
http://www.network-analysis.ltd.uk
Sak Wathanasin sez:
> Todd and Margo Chester wrote:
>> Hi All,
>>
>> I have a situation where a customer needs a cheap ($300.00-$400.00)
>> appliance firewall. I tried the USR 8200, but it drove me nuts
>> trying to add custom rules (it asks things in a double negative
>> fashion and you can never tell what is incoming and what is
>> outgoing). And, it finally blew out its ROM (it can not be reset
>> to factory).
>>
>> Does anyone have a recommendation for a replacement? One that
>> won't drive someone familiar with iptables crazy?
>>
>
> CyberGuard SG-series (nee SnapGear) runs Linux and iptables. There's a
> web-based front-end but you can add your own iptable rules. There are
> various models and prices, starting with the SoHo-class SG-300.

However, read the small print very carefully before buying any of those. We bought a NetScreen (their basic models start at ~$300, too) and later discovered that without a support contract you're allowed one firmware upgrade in the first 90 days.

So NetScreen is the one I don't recommend.

Dima
--
Well, lusers are technically human. -- Red Drag Diva