3/10/2010 4:45:04 AM 
Debian Firewalls -- FAQ
 
Q: A Linux router sounds great, but I don't want to build my own from scratch. Are there any prebuilt firewall systems available?

A: Yes! This is not exactly a new field and there are lots of professionally developed options. Among the most notable are Smoothwall: http://www.smoothwall.org, IPCop: http://www.ipcop.org, and ClarkConnect: http://www.clarkconnect.org. All of these are quality Linux-based operating systems designed for use as network firewalls/routers/gateways.
Q: I have a wireless firewall and I don't want to give up my wireless for a Linux router! What can I do?

A: Easy, keep it! I currently run a Linksys Wireless G firewall/router behind my Linux firewall as a wireless access point. The key is to simply ignore the firewalling capabilities of the wireless router. Turn off its DHCP and firewall services via the management interface. Then connect the gateway and your host machines to the general switching ports...this lets the wireless router continue functioning as a wireless access point and leaves the heavy lifting to your Linux box.
Q: So what is the advantage of those commercial hardware firewalls that cost so much more?

A: As I point out in the introduction, Linux firewalls have lots of benefits...power, flexibility, and low cost at the top of the list. Just like everything else in computing, however, it's not a perfect solution.
   Most hardware firewalls perform at least some, if not most, of their functions using ASICs (Application Specific Integrated Circuits). ASICs perform system operations in physical circuits rather than in software, making it possible to process data at raw hardware speed. When you're running an internet backbone or the core routing for a major corporation, this kind of raw speed is important. When you're running a home or small office connection via broadband, or even an average LAN connection, you will never reach the kind of network speeds where you'll notice a difference. I've maxed out the LAN connection at my college residence without noticing a performance hit on my Linux gateway.
   In a similar way, the software involved is also an issue. Linux is basically a general purpose operating system, meaning even with customization you've got, at a bare minimum, application software running on top of an operating system, which is a potentially unnecessary layer of abstraction. A dedicated network device, on the other hand, may run software designed specifically for that device. This often improves stability and performance, since the entire OS is designed specifically for the hardware. Don't be fooled though...many consumer devices, such as the Linksys WRT54G series wireless firewalls, run a Unix-derived operating system under the hood. I personally run custom Linux kernels on all my routers to maximize speed and efficiency and eliminate overhead.
Q: How about providing the guide in a single file format?

A: Now, by popular demand, a PDF version is available! Keep in mind that the quality may not be as good as the actual web version, but it's better than nothing. :)
Q: Can one of these firewalls be run with a GUI?  Why don't you add a GUI to your installation?

A: GUIs are wonderful for workstations, but as any Linux/Unix administrator worth their salt will tell you, a GUI doesn't really belong on a network device. This is a very common topic in server administration, and it applies to firewalls and routers too. Of course you can run any GUI you want on your system. But when it comes down to it, a firewall (or server) is not meant to be interacted with on a regular basis. After configuration, they usually just facelessly perform their given functions. So for that 98% of the time that no one is using the user interface, it's doing nothing more than wasting memory and sucking up processor cycles better used elsewhere.
Q: What about webmin?

A: Same principle as above, basically. You really don't need a graphical interface to get the job done, and the servers required to run it just waste computing power and resources. Not to mention the fact that if you intend to use it remotely over the internet, you may be exposing yourself to a serious security threat! So of course, use it if you want it, just know the possible consequences.
Q: Is this a stateful firewall?

A: Yes, starting with Linux kernel 2.4 the netfilter/iptables package has provided stateful packet filtering capabilities. Since this tutorial assumes that iptables is in use with either kernel 2.4 or 2.6, your firewall will have full stateful packet filtering ability.
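The stateful filtering this answer refers to, shown as an added example ruleset in iptables-restore format (this is not from the original tutorial; it assumes eth0 is the internet-facing interface and eth1 is the LAN interface, and the SSH rule is illustrative). The point is that one ESTABLISHED,RELATED rule replaces the per-port "reply" rules a stateless filter would need:

```iptables
# Added example (not from the original tutorial): minimal stateful
# gateway ruleset. Assumes eth0 = internet side, eth1 = LAN side.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT

# Stateful core: replies to connections the gateway or the LAN opened
# are accepted because conntrack saw the original outbound packet.
# (-m state --state is the older spelling of the same match.)
-A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot place in any flow (e.g. stray ACKs) are dropped.
-A INPUT   -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP

# New connections only where explicitly wanted:
# SSH to the gateway from the LAN side only (illustrative).
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# LAN hosts may open new connections outward; nothing arriving on eth0
# may open a new connection inward (policy DROP handles the rest).
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

# Stateless alternative a pre-2.4 filter had to use, shown for contrast:
#   -A INPUT -p tcp --sport 80 -j ACCEPT
# accepts anything claiming to be a web reply, whether or not a request
# went out; the ESTABLISHED rule above accepts only tracked replies.
COMMIT

*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic behind the gateway's internet address.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
```

Load it with `iptables-restore < rules.txt` and enable forwarding with `sysctl -w net.ipv4.ip_forward=1`; the gateway will not pass LAN traffic with forwarding off, no matter what the FORWARD chain says. `iptables -L -v -n` then shows the packet counters climbing on the ESTABLISHED,RELATED lines, which is the quickest way to confirm the state tracking is actually doing the work.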
 
 
Copyright © 2006 Matt LaPlante. All rights reserved.