Lee H. Marzke on 3 Jul 2017 19:54:37 -0700



Re: [PLUG] Firewall choices for a small software development business


FYI - pfSense is very full-featured and is completely GUI driven. I have a dozen servers or so and
an internal and DMZ zone, and OpenVPN zone, and it all works without any command-line help.

So not knowing BSD has very few downsides. The Ethernet interface names are strange, and matching
up the name to the correct interface is the only issue, but if you buy a device, they should be marked well.

Lee


From: "K.S. Bhaskar" <bhaskar@bhaskars.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, July 3, 2017 3:18:22 PM
Subject: Re: [PLUG] Firewall choices for a small software development business
I did think about pfSense and OPNSense, but they're *BSD based, and I know my way around Linux a lot better than I do BSD family operating systems. So, I passed them over. Maybe I should go back and look at them… Thanks.

Regards
-- Bhaskar

On Mon, Jul 3, 2017 at 3:13 PM, Matt Mossholder <matt@mossholder.com> wrote:
If you aren't hosting services, then anything will work, as long as they can keep up with the amount of traffic. And as long as you don't want additional functionality like IDS/IPS, or web caching.
You should probably add pfSense or OPNSense to your list of software candidates as well. 

     --Matt

On Mon, Jul 3, 2017 at 7:10 PM, K.S. Bhaskar <bhaskar@bhaskars.com> wrote:
Thanks, Casey. I don't plan to run any services because I really want to focus on software development, at least for now. I'm hosting e-mail at zoho.com, and also use their SMTP service. So far, they have done a good job.

All, as a post-script to my earlier request: for inbound ssh or VPN for the developers how reliable is that with a dynamic IP address (and a service like DynDNS)? Or should I go for a static IP address? Thanks.

Regards
-- Bhaskar


On Mon, Jul 3, 2017 at 2:57 PM, Casey Bralla <MailList@nerdworld.org> wrote:
On Monday, July 3, 2017 2:40:05 PM EDT K.S. Bhaskar wrote:
> Both Comcast and Verizon are available on the building, and I haven't
> chosen one.
>
> This e-mail is to solicit opinions about a firewall.
>
> It seems to me there are three choices:
>
>    - Buy a router (discussed on the list recently), or perhaps
>      flash an existing router from OpenWRT 12.09 to a newer release.
>    - Get a dedicated PC and:
>       - run a specialized distro like IPFire or ClearOS; or
>       - run a general distro like Debian Stable and a firewall like
>         Shorewall.
>
> Comments, suggestions, and recommendations welcome. Thanks in advance.


I have a Comcast business account.  As far as I can tell, they don't filter
anything (which I like).  You didn't say what internet services (if any) you
intend to provide, but I provide DNS, eMail, and Web servers.  I therefore set
up Shorewall on a stable Debian system with 3 interfaces (Internet, DMZ for
the servers, and Local for internal use).

I chose Debian because I am familiar with it and that removes one complication
from the setup.

I found Shorewall VERY easy to set up and customize.  Their online docs are
excellent, with lots of examples that mimic my setup.  The only problem I
faced was mapping my NICs to eth0, eth1, and eth2 after I had replaced them
with gigabit devices on a running system and all the assigned names changed.


BTW, I did have problems with outgoing SMTP mail.  Many recipient servers
block whole ranges of IP addresses to prevent spam, and my IP was within one
of those ranges.  This meant that some of my outgoing eMails were simply
dropped, and I never knew it.  I therefore relay all my outgoing eMails
through Comcast.  They allow up to 1,000 eMails per day outgoing, which has
always been plenty for me.

Good luck!


--

Casey Bralla
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
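The three-zone Shorewall layout Casey describes (Internet, DMZ for the servers, Local for internal use) written out as an added example; this is not Casey's configuration and not from the Shorewall project. The interface names, the DMZ host address 10.0.2.10 and the ISP relay host in `params` are constructed placeholders, and the policy deliberately treats the DMZ as untrusted so that a compromised public server cannot initiate connections into the LAN.

```text
# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# Placeholder names; confirm with `ip link` after any NIC swap, since
# kernel-assigned names can change (the problem Casey ran into).
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        tcpflags,nosmurfs
loc     eth2        tcpflags,nosmurfs

# /etc/shorewall/policy  (first match wins, so order matters)
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
# A compromised DMZ host must never reach the LAN; log attempts.
dmz     loc     DROP    info
# DMZ outbound is opt-in: only what rules below allow.
dmz     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/params  (shell-style variables usable in other files)
# Constructed placeholder for the ISP smarthost that outbound mail is relayed through.
RELAY=smtp-relay.example.net

# /etc/shorewall/rules
?SECTION NEW
#ACTION       SOURCE  DEST           PROTO  DPORT
# Published DNS, mail and web services all live on one DMZ host.
DNAT          net     dmz:10.0.2.10  tcp    25,80,443
DNAT          net     dmz:10.0.2.10  tcp    53
DNAT          net     dmz:10.0.2.10  udp    53
# The DMZ host may resolve names and submit outbound mail to the relay only.
ACCEPT        dmz     net            udp    53
ACCEPT        dmz     net            tcp    53
ACCEPT        dmz     net:$RELAY     tcp    587
# Developers' inbound SSH terminates on the firewall itself.
SSH(ACCEPT)   net     $FW
Ping(ACCEPT)  loc     $FW
```

Run `shorewall check` before `shorewall restart`; it compiles the files and reports column or zone errors without touching the live ruleset.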









--
"Between subtle shading and the absence of light lies the nuance of iqlusion..."  - Kryptos

Lee Marzke,  lee@marzke.net     http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
+1 800-393-5217  office        +1 484-348-2230                       fax
+1 252 627-9531  sms  ( 252 MARZKE1 )