fastest *nix firewall

ring.of.steel
Hi,

I am looking for a *nix distro (firewall) that does not cut my internet in half. I am on 8Mb cable and m0n0wall basically slices the speed in half.

It also has to have a full web cache built in.

Thanks
 
The answer depends more on what horsepower hardware you're running it on: CPU and RAM.

Granted, many of the "basic" *nix distros don't require much horsepower to run on, because they don't do much more than NAT...such as m0n0wall, Smoothwall, IPCop, pfSense, etc....
These will be faster than the next category...as they don't do as much work.

...and some of the more UTM (unified threat management) *nix distros require more horsepower since they do more work...like scanning traffic for viruses, heavy-duty IDS (intrusion detection), spam removal, etc...like Untangle or Endian or IPCop w/Copfilter...
I'd stick with these...today you want the extra protection these UTM distros provide you with.

...really depends what your hardware is...a P133 w/32 megs and a few 10Base ISA NICs? A P4 2.8 w/512 megs? What?
 
I've had m0n0wall, Smoothwall, Endian and nothing has affected my connection speed. All of them ran on a P3 600 with 512MB RAM and a 10GB HDD. Currently running Endian.
 
Have you tried ruling out the nix gateway as the source of your low bandwidth? Enable a firewall on your workstation and plug directly into the internet, or put a Linksys or Netgear in place of the nix gateway for testing, to determine if it's the nix gateway or just oversold cable service. It's not uncommon on a cable connection to have low bandwidth at some times, especially prime-time hours.

EDIT: I've used ClarkConnect for about three years now. I really like it and in my opinion it's the nicest of the nix firewall distros. I have a 5MB fiber connection running through my ClarkConnect box (P3 500, 768MB RAM, 80GB HDD) with dang near every server service running (Postfix, Apache, SpamAssassin, ClamAV, Samba, Squid, etc.). Runs like a charm and it really never even breaks a sweat.
 
Hi, thanks for all the responses.

The hardware I have is a dual Athlon XP 2500+ and 1GB of RAM with 4 NICs.

The plan was to have:

NIC 1: Motorola SB4100 (WAN)
NIC 2: LAN
NIC 3: DMZ for servers, QoS 50% of bandwidth
NIC 4: DMZ wireless access point for games consoles, with QoS to only receive 15% of bandwidth. (The reason for this is basic encryption, due to the Wii not liking my WEP keys; all other IPs will be banned except those of my consoles.)

I want NIC 2, 3 and 4 all on separate subnets and IP ranges just for the hell of it.

Also I want a web cache on NIC 2.

What is the best distro for this?

I don't need anti-virus or email scanning or anything, just what I described.

Thanks

edit: here's my idea

Drawing1.jpg
 
Give pfSense a try. Its frontend is based on m0n0wall but it uses pf, which is one of the fastest software firewalls available (as opposed to ipfilter, which is a POS). The default distro doesn't include an HTTP cache but you can just install Squid.
 
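As an added example (editorial, not from any poster in this thread): a pf.conf for the four-NIC layout ring.of.steel describes, in the raw pf syntax that pfSense 1.x generates underneath its GUI and that a hand-built FreeBSD box would use directly. Interface names, subnet ranges, line rates (8Mb down / 512Kb up are assumed), the console addresses and the DMZ web server address are all assumptions chosen for illustration. It shows what the thread only hints at: ALTQ shapes traffic leaving an interface, so upload shares live on the WAN interface while download limits go on the internal interfaces; a queue named on the rule that creates state is applied when the packet leaves the WAN side; and the wireless DMZ is allowlisted by address and blocked from the other segments.

```pf
# Added example, not from this thread: pf.conf for the four-NIC layout the
# original poster describes, written for the FreeBSD 6/7-era pf that pfSense
# 1.x ships. Interface names, subnets, line speeds and host addresses are
# assumptions chosen for illustration; substitute your own.

ext_if  = "fxp0"            # NIC 1: cable modem (WAN)
lan_if  = "fxp1"            # NIC 2: LAN, gets the Squid cache
dmz_if  = "fxp2"            # NIC 3: server DMZ
wifi_if = "fxp3"            # NIC 4: wireless DMZ for the consoles

lan_net  = "192.168.10.0/24"
dmz_net  = "192.168.20.0/24"
wifi_net = "192.168.30.0/24"
web_srv  = "192.168.20.10"  # assumed web server in the DMZ

# Assumed line rates: 8Mb down / 512Kb up. ALTQ only shapes what leaves an
# interface, so upload shares go on $ext_if and download caps go on the
# internal interfaces (traffic toward a LAN host is "out" on that NIC).
up_bw   = "512Kb"
dmz_dl  = "4Mb"             # 50% of 8Mb
wifi_dl = "1200Kb"          # 15% of 8Mb

# Constructed console addresses; only these may use the wireless DMZ.
table <consoles> const { 192.168.30.10, 192.168.30.11 }

set skip on lo0
scrub in all

# Upload: one CBQ tree on the WAN side with the percentages the poster asked
# for. "borrow" lets LAN and DMZ use idle capacity; the console queue is a
# hard 15% so the consoles can never crowd the servers.
altq on $ext_if cbq bandwidth $up_bw queue { q_up_lan, q_up_dmz, q_up_wifi }
queue q_up_lan  bandwidth 35% cbq(default borrow)
queue q_up_dmz  bandwidth 50% cbq(borrow)
queue q_up_wifi bandwidth 15% cbq

# Download: a cap per internal interface. ALTQ is per interface, so these
# are ceilings, not shares of one common pool.
altq on $dmz_if  cbq bandwidth $dmz_dl  queue { q_dl_dmz }
queue q_dl_dmz  bandwidth $dmz_dl  cbq(default)
altq on $wifi_if cbq bandwidth $wifi_dl queue { q_dl_wifi }
queue q_dl_wifi bandwidth $wifi_dl cbq(default)

# NAT for all three internal networks.
nat on $ext_if from { $lan_net, $dmz_net, $wifi_net } to any -> ($ext_if)

# Transparent Squid on the LAN only: LAN web traffic is redirected to the
# local cache (Squid 2.6 needs "http_port 3128 transparent" in squid.conf).
rdr on $lan_if inet proto tcp from $lan_net to any port www -> 127.0.0.1 port 3128

# Publish the DMZ web server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port www -> $web_srv port www

block in log all
block out log all

pass out quick on $ext_if keep state

# LAN: full access. The queue named here is attached to the state and used
# when the packet leaves $ext_if.
pass in on $lan_if from $lan_net to any keep state queue q_up_lan

# Server DMZ: may talk to the internet, never to the LAN or the wireless DMZ.
block in quick on $dmz_if from $dmz_net to { $lan_net, $wifi_net }
pass in on $dmz_if from $dmz_net to any keep state queue q_up_dmz
pass in on $ext_if inet proto tcp from any to $web_srv port www \
    flags S/SA keep state queue q_up_dmz

# Wireless DMZ: only the listed consoles, and only toward the internet.
block in quick on $wifi_if from any to { $lan_net, $dmz_net }
pass in on $wifi_if from <consoles> to any keep state queue q_up_wifi

# Forwarded packets leaving the internal interfaces.
pass out on { $lan_if, $dmz_if, $wifi_if } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the queues with `pfctl -vs queue`. The kernel needs `options ALTQ` and `options ALTQ_CBQ` (pfSense's kernel has them; FreeBSD's GENERIC does not). pf has no time-of-day match, so the "DMZ gets everything from 11pm to 6am" request is done by keeping a second pf.conf with different queue percentages and letting cron run `pfctl -f` on it at 23:00 and again on the normal file at 06:00; pfSense's own schedules are built on the same idea. Two caveats: ALTQ queues are per interface, so the download figures are ceilings rather than shares of one pool; and an address allowlist on an open or WEP access point is trivially spoofable, which is why the wireless segment is also blocked from the LAN and the server DMZ instead of being trusted on the strength of the table.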
Give pfSense a try. Its frontend is based on m0n0wall but it uses pf, which is one of the fastest software firewalls available (as opposed to ipfilter, which is a POS). The default distro doesn't include an HTTP cache but you can just install Squid.

Is this better for my situation than Endian?
 
ring.of.steel said:
Hi, thanks for all the responses.

The hardware I have is a dual Athlon XP 2500+ and 1GB of RAM with 4 NICs.

The plan was to have:

NIC 1: Motorola SB4100 (WAN)
NIC 2: LAN
NIC 3: DMZ for servers, QoS 50% of bandwidth
NIC 4: DMZ wireless access point for games consoles, with QoS to only receive 15% of bandwidth. (The reason for this is basic encryption, due to the Wii not liking my WEP keys; all other IPs will be banned except those of my consoles.)

I want NIC 2, 3 and 4 all on separate subnets and IP ranges just for the hell of it.

Also I want a web cache on NIC 2.

What is the best distro for this?

I don't need anti-virus or email scanning or anything, just what I described.

Thanks

edit: here's my idea

http://i222.photobucket.com/albums/dd66/ringofsteel127/Drawing1.jpg

Endian does exactly everything that you have described above. This one looks like a no-brainer. I have Endian running in the exact configuration that you are looking to implement.

Works like a champ!
 
Cheers guys, I'll give Endian a go. Does it support bandwidth restrictions like I explained? And is it possible to give DMZ1 100% of the bandwidth after, say, 11pm to 6am?
 
It supports QoS, but IMO it really, really sucks. You can't put in port ranges; you have to put in each port separately. So when I did Steam I had to put in like 50 ports by hand, and even then it still didn't work all that well. If QoS is a big item to you I would choose from pfSense, IPCop, or Smoothwall. Most if not all of the things Endian can do can be done on these with addons.
 
If you're wanting that for torrents, use uTorrent 1.6 and set up the scheduler to full throttle at one time and back off when you don't want it wide open.
 
I'm running pfSense on mine, m0n0-based, but on the P3 866s it runs on it goes full tilt with my 6Mbit connection. The first place I'd look is at your network cards: are they good (Intel or 3Com) cards or some built-in or $10-type cards?
 
I would try the new Smoothwall (3.0). It is very good, very fast, and is able to do everything you want right out of the box.

I have tried tons of different *nix distros for firewalls/gateways and always revert back to Smoothwall (it used to be 2.0 with lots of mods, but now just stock 3.0 is running very well).

It never seems to slow down and is very good at keeping the crap out. I even have it running on some clients' networks and it works wonders.


As said above, NICs make a big difference. Not the speed of them, but the quality of them. I have had the best luck with Intel Pro-based cards (like the Pro/100). They do not need to be the newest (I run old 10/100 Pro/100 cards just fine), but they need to be good quality.
 
So I'm down to two choices:

Smoothwall
Endian

I am using uTorrent for scheduling already, I suppose.

OK, cut out all the QoS shit.

So what should I choose?

edit: to be honest they were crappy D-Link cards I had lying around; before this I was running a P3 500 with m0n0wall.
 
FreeBSD using pf with DEVICE_POLLING. Get some real frigging hardware behind it, or don't whine when torrents destroy your bandwidth. Packet rate matters, and devours CPU like there's no tomorrow.

EDIT: DISCLAIMER: I've done 240Mbps @ 20,000PPS through a pair of Opteron 246s using the onboard Broadcrap. That's no small feat, since the Broadcraps pretty much die at about that rate.
 
The hardware I have is a dual Athlon XP 2500+ and 1GB of RAM with 4 NICs

Get some real frigging hardware behind it, or don't whine when torrents destroy your bandwidth

Surely this will be enough for a router...

Most people are running PIIIs, not dual Opterons.
 
I'm running pfSense on mine, m0n0-based, but on the P3 866s it runs on it goes full tilt with my 6Mbit connection. The first place I'd look is at your network cards: are they good (Intel or 3Com) cards or some built-in or $10-type cards?

pfSense on mine; I chose it for the easy multi-homing setup. (I do it by application, so not true load balancing... but it works.)

Last semester it handled 2 10Mbit connections full tilt. So far this semester it is handling 2 100Mbit connections pretty well. (They upgraded the switches in the residence halls.) I still need to drop a GigE card in for the internal network. One test gave me this (testing one connection; the other one wasn't really touched):

Download speed 79040 Kbps (socket test)
Upload speed 62138 Kbps (socket test)

which is probably limited by other traffic on my school's network. This is on dual P3 866s with Intel 10/100 NICs.

So yeah, it'll push some pretty awesome traffic. I think I was running torrents at the time I ran that test, and I've pushed 9 MiB/s up.


Summary: I recommend pfSense.
 
Surely this will be enough for a router...

Again, it depends on your packet rate. 10Mbit, torrent chunked at 64K, that's a metric buttload of packets per second. Socket tests and 'speed tests' are absolutely worthless for comparison with firewalls. Well, unless it shows you that the firewall is so crap it can't even handle basic pass-through with low PPS at wire speed.

ring.of.steel said:
Most people are running PIIIs, not dual Opterons.

Admittedly quite true. I was running dual Athlons here (MP2800s) with 2GB, but I also don't just route. Frankly, I don't know many people who actually do just routing. Usually I find FTPs, file serving, etc. on the same box. Mine actually handles what would be considered extreme packet rates (frigging VoIP garbage), combined with high throughput and the loads of a very busy mail server, a very complex spam filter, and a lot of other tasks. So, yeah, I need a much bigger box than the average joe.
But Opteron 2xxs are a steal right now, so do it anyway. ;)
 