Which firewall?

gtnicol

I'm in the process of setting up a network, and I was wondering what people use for a firewall.

This is not going to be a commercial hosting operation, so $$ are important, as is complexity. I'm running on COX, and have 2 IPs from them so I can manage my own DNS resolution (I'll be hosting a few sites, and dealing with COX for every change would be a pain).

My current plan is to have both IPs point to a single physical box (2x1GHz PIII, 1GB, 80GB disk, 2 ethernet cards) that will handle both DNS and hosting (the sites will be low volume).

I have 2 Netgear FVS318 firewalls that I could put on different subnets (each one would forward to one of the cards on the hosting box), or a Soekris box running Linux with 3 ports on it that I could use as a firewall, or I can buy another firewall.

One of the subnets will also be used for my home office network.
 
You could use software firewalls also. Check the how-to area for a guide to installing KISS My Firewall, and you can also check the checklist link in my sig for APF (both are free of charge).

For hardware firewalls it shouldn't make too much difference, although I don't have too much experience with them so can't really advise you there.

Chris
 
>You could use software firewalls also

On the same box as the hosting box, or a separate box?

The Soekris box is essentially a low-end x86 that can run PicoBSD or Linux (SmoothWall is basically just Linux with a few goodies added).
 
gtnicol said:
> >You could use software firewalls also
>
> On the same box as the hosting box, or a separate box?

Either or even both.

Chris
 
How about NAT?

After messing around with the Netgear FVS318 boxes, I've come to the conclusion they're a no-go (they don't really want to have 2 on one network). I worked on the Soekris box, and got Linux up and running, but I really need URL/keyword filtering in the firewall, and a few other things, and none of the current firewalls (LEAF, et al) that I got running offered DansGuardian, or a reasonable UI. I'm going to most likely go with Astaro running on an 800MHz EPIA box (has virus scanning, content filtering etc.)

My question now is whether DA works with NAT, or whether the machine IPs should match the external IPs. The hosting box has a single interface with IPs 192.168.0.20 and 192.168.0.21. I'm planning to map my 63.hh.hh.hh IPs to those two IPs using NAT. Assuming that works, the next question is also whether I still need 2 IPs on the one interface on the hosting machine, or whether I can just NAT all external IPs to a single internal IP.
 
Hello,

I'll save you the time and say that DA won't run on 192.168.0.1 type addresses. The internal and external IPs must match for licensing/security/piracy issues. If we were to issue a license for 192.168.0.1, anyone with a router could run the software on that license. The 2 requirements are 1) the IP in the license file can be bound to by DirectAdmin when it calls home for updates and 2) the external IP matches the value in the license/our system so that we can acknowledge you are who you say you are, and send updates.

John
 