Matt Mossholder on 3 Jul 2017 12:13:59 -0700


Re: [PLUG] Firewall choices for a small software development business

If you aren't hosting services, then anything will work, as long as they can keep up with the amount of traffic. And as long as you don't want additional functionality like IDS/IPS, or web caching.

You should probably add pfSense or OPNSense to your list of software candidates as well. 


On Mon, Jul 3, 2017 at 7:10 PM, K.S. Bhaskar <> wrote:
Thanks, Casey. I don't plan to run any services because I really want to focus on software development, at least for now. I'm hosting e-mail at, and also use their SMTP service. So far, they have done a good job.

All, as a post-script to my earlier request: for inbound ssh or VPN for the developers how reliable is that with a dynamic IP address (and a service like DynDNS)? Or should I go for a static IP address? Thanks.

-- Bhaskar

On Mon, Jul 3, 2017 at 2:57 PM, Casey Bralla <> wrote:
On Monday, July 3, 2017 2:40:05 PM EDT K.S. Bhaskar wrote:
> Both Comcast and Verizon are available on the building, and I haven't
> chosen one.
> This e-mail is to solicit opinions about a firewall.
> It seems to me there are three choices:
>    - Buy a router (discussed on the list recently), or perhaps
>      flash an existing router from OpenWRT 12.09 to a newer release.
>    - Get a dedicated PC and:
>       - run a specialized distro like IPFire or ClearOS; or
>       - run a general distro like Debian Stable and a firewall like
>         Shorewall.
> Comments, suggestions, and recommendations welcome. Thanks in advance.

I have a Comcast business account.  As far as I can tell, they don't filter
anything (which I like).   You didn't say what internet services (if any) you
intend to provide, but I provide DNS, eMail, and Web servers.  I therefore set
up Shorewall on a stable Debian system with 3 interfaces (Internet, DMZ for
the servers, and Local for internal use).

I chose Debian because I am familiar with it and that removes one complication
from the setup.

I found Shorewall VERY easy to set up and customize.  Their online docs are
excellent, with lots of examples that mimic my setup.  The only problem I
faced was mapping my NICs to eth0, eth1, & eth2 after I had replaced them
with gigabit devices on a running system and all the assigned names changed.

BTW, I did have problems with outgoing SMTP mail.  Many recipient servers
block whole ranges of IP addresses to prevent spam, and my IP was within one
of those ranges.  This meant that some of my outgoing eMails were simply
dropped, and I never knew it.   I therefore relay all my outgoing eMails
through Comcast.  They allow up to 1,000 eMails per day outgoing, which has
always been plenty for me.

Good luck!


Casey Bralla
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
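As an added illustration of the three-interface layout Casey describes (Internet, DMZ for the servers, Local for internal use), here is a minimal Shorewall 5 configuration for a Debian box. This is not Casey's actual configuration and was not part of the thread; the interface names eth0/eth1/eth2 follow Casey's description, while the 192.168.2.x/192.168.3.x addresses, the DMZ host 192.168.2.10 and the `dhcp` option on the Internet side are constructed placeholders.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# (eth0 = Internet, eth1 = DMZ, eth2 = Local, as in Casey's description;
#  'dhcp' assumes the ISP hands out the public address by DHCP)
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        tcpflags,nosmurfs,routefilter,logmartians
loc     eth2        tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy  (first matching line wins; rules below are exceptions)
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     loc     REJECT  info      # a compromised public server gets no path inward
net     all     DROP    info      # unsolicited Internet traffic is silently dropped
all     all     REJECT  info      # anything not covered above, including fw -> net

# /etc/shorewall/rules  (holes punched through the policies above)
#ACTION     SOURCE  DEST                PROTO   DPORT
?SECTION NEW
# Published services: forward from the public interface to one DMZ host
# (192.168.2.10 is a constructed address)
DNAT        net     dmz:192.168.2.10    tcp     25,80,443
DNAT        net     dmz:192.168.2.10    tcp     53
DNAT        net     dmz:192.168.2.10    udp     53
# Administer the firewall only from the local network, never from the Internet
ACCEPT      loc     $FW                 tcp     22
# Let the firewall itself resolve names, sync time and fetch updates
ACCEPT      $FW     net                 tcp     53,80,443
ACCEPT      $FW     net                 udp     53,123

# /etc/shorewall/snat  (NAT for the private ranges when they leave eth0)
#ACTION      SOURCE                          DEST
MASQUERADE   192.168.2.0/24,192.168.3.0/24   eth0
```

The point of the layout is in the policy file: the Internet zone can reach nothing but the DNAT'd ports on the DMZ host, and the DMZ can initiate nothing toward the local zone, so a server that gets broken into cannot pivot to the workstations. Because the last policy line rejects everything else, the firewall's own outbound traffic has to be allowed explicitly, which is what the `$FW net` rules do. Validate with `shorewall check` before loading, and use `shorewall try /etc/shorewall 60` when working remotely so a mistake that cuts you off is rolled back after the timeout.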
