Throughout my attempts to build a firewall I went through quite a few different possibilities. So what would I do: purchase a commercial firewall appliance, a higher-end router with extended firewall features, or build my own on a computer? After a great deal of research and debate I decided to build my own firewall using one of the open source Linux distros. So I tested several: pfSense, Endian, IPCop, Smoothwall, and IPFire. I primarily did this with virtual machines to start with and then progressed on to hardware and testing.
In my testing I came across an IPFire image for a Raspberry Pi. Being an R Pi enthusiast I decided to test it out. I know the R Pi only has a 10/100 NIC and only has one NIC, but I was willing to give it a try. Believe it or not, I installed the image and used a USB Gigabit NIC for the internal network interface. I ran this for about 2 months and it worked well. The only thing I couldn’t run was Snort because it made my R Pi lock up. Then my ISP was going to increase the speed of my WAN connection and the R Pi just didn’t have enough horsepower to handle the 300Mbps speeds. It would only allow 30Mbps through. So I had to get new hardware to make this work. I am all about saving electricity so I was not willing to run a full desktop, and I didn’t want to dedicate one of my laptops to this. Finally at one of my favorite computer stores I found a Gigabyte Brix micro computer in the clearance bin. I thought this would be worth a shot for the new firewall hardware. I know the story part of this is long so I will get into the build now.
The Brix doesn’t come with a hard drive, and I found that the SATA connector inside the machine will not spin a standard hard drive. So you will need an SSD, plus you will want the improved speed to keep the bandwidth loss to a minimum. Here are the specs of the device I picked up.
- Features 22nm Intel® Celeron N2807 to deliver the most intuitive and integrated operating systems in the world
- Supports 2.5” thickness 7.0/9.5mm Hard Drives (1 x 3Gbps SATA2)
- Ultra compact PC design – 0.69L(56.1x 107.6 x 114.4mm)
- 1x SO-DIMM DDR3L 1.35V Slots (1333 MHz)
- Preinstall IEEE 802.11 b/g/n Wi-Fi / Bluetooth 4.0 Mini-PCIe card
- Supports dual displays via a VGA and a HDMI port
- Gigabit LAN
- Audio jack (Headphone/MIC)
- VESA mounting bracket (75 x 75mm + 100 x 100mm)
- Supports fanless design
So this device needs a hard drive, a memory stick, and a USB NIC to make it work as a firewall. I had all of these parts lying around so it was nothing for me, but it should be remembered if you are going to do something similar. I already had experience with IPFire and I liked it, so I used the same OS for this firewall build. Here are the requirements for IPFire.
- Intel Pentium I (i586)
- 512MB RAM
- 2GB hard drive space
- 2 NICs
So I installed a 60GB SSD and 4 Gigs of memory into my micro PC to do my testing. I also needed an external CDROM drive to install the OS. IPFire’s current version at the time I am writing this is 2.17 update 93. Installation is pretty straightforward and you can get all the help you need from their wiki at http://wiki.ipfire.org/en/start.
Once the OS is installed it finishes with a setup script that has you pick which adapters are for the Red and Green sides of the network. I chose the USB NIC to be the Red interface because if it failed I would still have my internal network. The USB NIC is also on a USB 3 interface so I have more than enough speed for the WAN connection. I know that it is better to have a machine with 2 internal NICs, but that would increase my expense from around $200 to closer to 3 or 4 hundred dollars. Here is what the install script looks like.
If you need additional interfaces, such as a DMZ or WiFi interface, IPFire supports this as well.
| Color | Interface | Description |
|---|---|---|
| Red | WAN | External network, connected to the Internet (typically a connection to your ISP) |
| Green | LAN | Internal/private network, connected locally |
| Orange | DMZ | The DeMilitarized Zone, an unprotected/server network accessible from the Internet |
| Blue | WLAN | Wireless network, a separate network for wireless clients |
You can re-run this setup at any time if you want to make NIC changes by typing setup in a terminal on the firewall itself. Once you are up and running you can log in to the web interface by browsing to https://<green NIC IP>:444. Here you can access all of the additional settings and information that the firewall has. I like the reports that it has and the fact that you can expand the functions of the firewall if you want. The interface has themes as well, but I use the default one. More specifics on the interface and setup can be found here: http://wiki.ipfire.org/en/configuration/start. Below are pics of the web interface.
The only additions I made were activating SNORT and using the Guardian script to make it more of an IPS than an IDS. I also installed the email addon to have the firewall email me reports and notify me when it blocks or unblocks things. All I did was add a statement into the scripts that would make them email me when they were executed. So I get a lot of emails from the firewall, but I like it that way. You install addons using pakfire. The list is quite extensive and can be found at http://wiki.ipfire.org/en/addons/start.
Guardian is a Perl script that goes through the SNORT logs and blocks IPs that have 5 violations. It blocks them for 24 hours. This is where setting up the SNORT rules becomes important. If you don’t, you may find yourself locked out of your own firewall or blocking good traffic as well as unwanted traffic. You need to realize that all addons require processor time and may cause some loss of bandwidth going through the firewall. My WAN connection from the modem is 329Mbps. Going through the firewall with SNORT running I get 242Mbps. My Brix micro PC is idle 96% of the time, so I am not coming even close to maxing out this system. But hardware and addons need to be thought through to ensure you get as much bandwidth as possible. If I disable SNORT my bandwidth increases to around 260Mbps.
You will also have to set up your firewall access rules. IPFire uses iptables as the firewall, and it can be a little tricky to set up if you are not used to writing firewall rules. This can be done with the web interface, and a guide to doing it can be found at http://wiki.ipfire.org/en/configuration/firewall/rules/start. I had to do some trial and error to get everything set up correctly, but once it was set up it functioned perfectly.
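To make the "5 violations, blocked for 24 hours" behaviour and the lock-out risk concrete, here is a small Python re-implementation of the idea, written for this post and not IPFire's own Guardian script (which is Perl). It parses constructed Snort "fast"-format alert lines, counts alerts per source IP, emits the iptables commands it would run when a source reaches the threshold, releases the block after the timeout, and never blocks addresses inside a whitelisted network such as the Green LAN. The alert lines, IP addresses, the `LOG_YEAR` constant (the fast format carries no year) and the exact iptables commands are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Snort "fast" alert format: timestamp  [**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)
LOG_YEAR = 2015  # assumption: fast-format timestamps have no year, so we supply one


def parse_alert(line):
    """Return (timestamp, src_ip, dst_ip, message) or None for a non-alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], m["dst"], m["msg"]


class Guardian:
    """Count alerts per source and block a source once it reaches the threshold."""

    def __init__(self, threshold=5, block_hours=24, whitelist=()):
        self.threshold = threshold
        self.block_for = timedelta(hours=block_hours)
        self.whitelist = [ip_network(n) for n in whitelist]  # never block these
        self.counts = {}    # src ip -> alerts seen while not blocked
        self.blocked = {}   # src ip -> datetime the block expires
        self.commands = []  # iptables commands that would have been executed

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        parsed = parse_alert(line)
        if parsed is None:
            return None
        ts, src, _dst, _msg = parsed
        self.expire(ts)  # use the log's own clock to release old blocks
        if src in self.blocked or self.is_whitelisted(src):
            return None
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] >= self.threshold:
            self.blocked[src] = ts + self.block_for
            self.commands.append(f"iptables -I INPUT -s {src} -j DROP")
            self.commands.append(f"iptables -I FORWARD -s {src} -j DROP")
            return src
        return None

    def expire(self, now):
        """Release every block whose timeout has passed; return the released IPs."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
            self.counts.pop(ip, None)
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
            self.commands.append(f"iptables -D FORWARD -s {ip} -j DROP")
        return released


def _alert(ts, sid, msg, src, dst):
    """Build one constructed fast-format alert line."""
    return f"{ts}  [**] [1:{sid}:1] {msg} [**] [Priority: 2] {{TCP}} {src} -> {dst}"


# Constructed sample log: an external scanner, a low-volume external host, an
# admin on the Green LAN tripping a rule against the firewall's own web port,
# and one line that is not an alert at all.
SAMPLE_ALERTS = (
    [_alert(f"01/05-10:00:0{i}.000000", "2001219", "ET SCAN Potential SSH Scan",
            "203.0.113.7:54321", "198.51.100.2:22") for i in range(1, 7)]
    + [_alert(f"01/05-10:01:0{i}.000000", "2010935", "ET POLICY Suspicious inbound",
              "198.51.100.50:40000", "198.51.100.2:443") for i in range(1, 4)]
    + [_alert(f"01/05-10:02:0{i}.000000", "1000001", "LOCAL admin probe",
              "192.168.1.10:50000", "192.168.1.1:444") for i in range(1, 6)]
    + ["Initializing rule chains..."]
)


def run_sample():
    """Feed the sample log through a Guardian that whitelists the Green LAN."""
    g = Guardian(whitelist=["192.168.1.0/24"])
    for line in SAMPLE_ALERTS:
        g.feed(line)
    return g


if __name__ == "__main__":
    g = run_sample()
    print("blocked:", {ip: str(until) for ip, until in g.blocked.items()})
    print("\n".join(g.commands))
```

Without the whitelist, the five alerts from 192.168.1.10 would block the admin workstation from the firewall itself, which is exactly the lock-out the text warns about; tuning which Snort rules fire on Green traffic, or whitelisting the management network, is the defence.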
I know I have been pointing to a lot of web pages for setup info, but if I put it all in here this would be about 50 pages long. I ran this for a few months and am happy with the performance, and I love the reports that it produces. It will give you a roll-up report of all activity from the previous day, but it can be a little cumbersome to read through. You can also go to each of the individual reports in a GUI format and look at activity for any day that the firewall has been running. Some of the reports are shown below.
These are default images I got from the Internet, not my network, but this is what it looks like for the firewall traffic (bottom) and IPs that have connected to the firewall (above). I truly wanted a firewall so I could get these types of reports of activity on my network. So this may not be the path that most people want to take, but I tried a few commercial router/firewalls that were in my price range and found them to be crap. They would cause a large bandwidth drop and the firewall was not as configurable. Plus the logs were all text, and you would have to read through them and try to figure out what they were doing.
My cheap hardware setup was pretty simple to put together and works very well. I like IPFire's interface, and their forums have a great deal of good information in them. So if you are looking for a firewall without all of the crazy costs that come with commercial ones, this may be a good option for you. It does require some knowledge of Linux, but not to an expert or even intermediate level. You can run this from the web interface and never really need to access it through a terminal. So give it a shot and let me know if I can help in your testing.