Need a firewall appliance with certain abilities

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Starting to sound like a broken record in here, but pfSense with pfBlockerNG-dev.
The only reason I haven't gone this way is that I know nothing about pfsense. I just found out today it's free software. Good start. So I downloaded the latest build.
But I have no clue what to do with it now.
Do I grab an old PC I'm not using and install it on that?

I do have an IBM Lenovo Intel i350-T4 4x 1GbE 1000Base-T Gigabit Adapter... can I use that?

Is there a guide somewhere?
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
The only reason I haven't gone this way is that I know nothing about pfsense. I just found out today it's free software. Good start. So I downloaded the latest build.
But I have no clue what to do with it now.
Do I grab an old PC I'm not using and install it on that?

I do have an IBM Lenovo Intel i350-T4 4x 1GbE 1000Base-T Gigabit Adapter... can I use that?

Is there a guide somewhere?

Install it on any hardware you like. Video guides are all over YouTube.
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Can pfSense show you the traffic (IP addresses, ports) through your router in real time like a WatchGuard Firebox does?
 

USMCGrunt

2[H]4U
Joined
Mar 19, 2010
Messages
3,113
Nah. Because Cloudflare only helps when accessing via the domain name. When they hit the IP directly, it completely bypasses anything Cloudflare does. It should be considered useless when it comes to securing a network/server. OP would still need to do everything he originally intended to do from the firewall side. It'd be double the work. And that's assuming OP is using a domain name and is only wanting to accept traffic over port 80/443...

Did you read what I said or just immediately dismiss it??
  • An assumption is made that he has a registered domain. Though if he's paying for a static IP, chances are good he's also got a domain registered.
  • Configure his firewall to only accept connections for those services from Cloudflare's IPs.
  • Cloudflare Spectrum is an additional service that allows Cloudflare to protect ports other than 80/443
I'm not sure where the double duty is that you speak of. I'm also unsure of what kind of cost Spectrum is and whether or not it would be cheaper vs buying his own equipment.
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
Did you read what I said or just immediately dismiss it??
  • An assumption is made that he has a registered domain. Though if he's paying for a static IP, chances are good he's also got a domain registered.
  • Configure his firewall to only accept connections for those services from Cloudflare's IPs.
  • Cloudflare Spectrum is an additional service that allows Cloudflare to protect ports other than 80/443
I'm not sure where the double duty is that you speak of. I'm also unsure of what kind of cost Spectrum is and whether or not it would be cheaper vs buying his own equipment.

This is not a replacement for an on-site firewall, no matter how you try to spin it.
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
373
Using old hardware is the cheapest way to go, especially if trying out pfsense. It is a great firewall distro and it should do everything you were asking for and do it fairly easily. It also has lots of help tutorials available online since so many people use it.


If you end up wanting something much smaller to run pfSense with, I have been using one of these for a couple of years now without a single issue. Uptime has been perfect on it. I go half a year+ on uptime, and only that because of minor blackouts that happen during construction around here.
https://www.amazon.com/Protectli-Fi...ords=pfsense&qid=1552402635&s=gateway&sr=8-12
https://www.amazon.com/Firewall-App...ords=pfsense&qid=1552402635&s=gateway&sr=8-15
https://www.amazon.com/Q190G4-S02-B...words=pfsense&qid=1552402635&s=gateway&sr=8-2
https://www.amazon.com/Firewall-App...words=pfsense&qid=1552402635&s=gateway&sr=8-1

Just make sure whatever hardware you use has the AES-NI instruction set, otherwise future pfSense won't work on the hardware, as they are moving to a cryptographic acceleration hardware requirement.
 
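A quick way to check the point raised above before committing a box to a firewall build. This is an added example, not code from the thread, from pfSense or from any vendor: it tokenizes the Linux `/proc/cpuinfo` flags line or the FreeBSD `Features2=...<...,AESNI,...>` boot message and reports whether the CPU advertises AES-NI. Whole-token matching is deliberate so that a flag such as `vaes` does not pass as `aes`. The sample strings in the test are constructed; `probe_local_cpu` reads the real host.

```python
"""
Added example (not from the thread): does this host's CPU advertise AES-NI?
Handles Linux (/proc/cpuinfo 'flags' line) and FreeBSD (dmesg 'Features2' line)
with one tokenizer so the same check works on a pfSense box or a Linux desktop.
"""
import pathlib
import re
import subprocess


def has_aesni(cpu_text: str) -> bool:
    """Whole-token match: 'aes' (Linux flag name) or 'AESNI' (FreeBSD feature name).

    Splitting on whitespace, commas, angle brackets and '=' turns both
    '  flags : fpu vme aes xsave' and 'Features2=0x7ffafbbf<SSE3,AESNI,XSAVE>'
    into a set of bare tokens, so 'vaes' or 'AESNI' inside another word never matches.
    """
    tokens = set(re.split(r"[\s,<>=]+", cpu_text))
    return "aes" in tokens or "AESNI" in tokens


def probe_local_cpu() -> bool:
    """Read /proc/cpuinfo where it exists (Linux); otherwise fall back to dmesg (FreeBSD)."""
    cpuinfo = pathlib.Path("/proc/cpuinfo")
    if cpuinfo.exists():
        return has_aesni(cpuinfo.read_text())
    try:
        out = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return False  # neither source available: report "not advertised" rather than guess
    return has_aesni(out)


if __name__ == "__main__":
    print("AES-NI present" if probe_local_cpu() else "no AES-NI advertised")
```

On FreeBSD the `dmesg` fallback relies on the boot-time CPU feature line still being in the message buffer; on a long-running system, `grep` the saved copy in `/var/run/dmesg.boot` instead.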

pek

prairie dog
Joined
Nov 7, 2005
Messages
1,153
Apply an acl using the bogon list. Gets rid of a lot of crap sources, updated regularly.
 
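Two of the suggestions in this thread, restricting the published services so the firewall only accepts them from the CDN's edge ranges (so a client that skips the CDN and hits the origin IP directly gets nothing) and dropping bogon sources with an ACL, fit in the same pf ruleset. The block below is an added example, not code from the thread, from pfSense or from pfBlockerNG: it renders a `pf.conf` fragment with two tables and a small evaluator that mirrors the policy, so a (source, destination port) pair can be checked before the rules are loaded. The CIDRs are constructed stand-ins from documentation address space, not Cloudflare's real published list, and the bogon list is a deliberately partial sample; a real deployment fetches both lists from their maintainers and refreshes the tables on a schedule.

```python
"""
Added example (not from the thread, pfSense or pfBlockerNG): render a pf.conf
fragment that drops bogon sources on the WAN and accepts 80/443 only from a
CDN's edge ranges, plus an evaluator that mirrors the same policy.
"""
import ipaddress
from typing import Iterable, List

# Constructed stand-in ranges (RFC 5737 / RFC 3849 documentation space),
# NOT Cloudflare's published list. Fetch the provider's list in production.
CDN_RANGES: List[str] = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:c0de::/48"]

# Partial bogon sample (RFC 1918, RFC 6598 CGNAT, loopback, link-local,
# multicast/reserved, "this" network). A real deployment loads a full feed.
BOGON_RANGES: List[str] = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "fc00::/7", "fe80::/10",
]

WEB_PORTS = (80, 443)


def render_pf_rules(wan_if: str, cdn_cidrs: Iterable[str], bogon_cidrs: Iterable[str]) -> str:
    """Render pf rules. Tables keep the rule count constant no matter how long the lists grow.

    pf is last-match-wins unless a rule says 'quick', so the default deny goes
    first and the two decisive rules are 'quick': bogons are dropped before any
    pass rule can see them, and only CDN edge sources reach the web ports.
    """
    ports = ", ".join(str(p) for p in WEB_PORTS)
    lines = [
        f"table <bogons> persist {{ {', '.join(bogon_cidrs)} }}",
        f"table <cdn_edge> persist {{ {', '.join(cdn_cidrs)} }}",
        f"block in log on {wan_if} all",
        f"block in quick on {wan_if} from <bogons> to any",
        f"pass in quick on {wan_if} proto tcp from <cdn_edge> to any "
        f"port {{ {ports} }} flags S/SA keep state",
    ]
    return "\n".join(lines) + "\n"


def decide(src_ip: str, dst_port: int,
           cdn_cidrs: Iterable[str] = CDN_RANGES,
           bogon_cidrs: Iterable[str] = BOGON_RANGES) -> str:
    """Mirror the rendered policy for one inbound packet.

    Returns 'block-bogon', 'pass' or 'block-default'. ipaddress treats an
    address/network version mismatch as "not contained", so mixed v4/v6 lists
    are safe to scan in one pass.
    """
    src = ipaddress.ip_address(src_ip)
    bogons = [ipaddress.ip_network(c, strict=False) for c in bogon_cidrs]
    edge = [ipaddress.ip_network(c, strict=False) for c in cdn_cidrs]
    if any(src in net for net in bogons):
        return "block-bogon"
    if dst_port in WEB_PORTS and any(src in net for net in edge):
        return "pass"
    # A client that bypasses the CDN and hits the origin IP directly lands here.
    return "block-default"


if __name__ == "__main__":
    print(render_pf_rules("em0", CDN_RANGES, BOGON_RANGES))
    for ip, port in [("203.0.113.10", 443), ("192.0.2.77", 443), ("10.1.2.3", 80)]:
        print(f"{ip}:{port} -> {decide(ip, port)}")
```

The `persist` keyword keeps the tables alive when no rule references them yet, which is what lets a cron job refresh them with `pfctl -t cdn_edge -T replace -f <file>` without reloading the whole ruleset. This shape is what pfBlockerNG produces for you on pfSense; writing it by hand makes the ordering (default deny, bogon drop, CDN-only pass) explicit.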

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,420
pfSense or Sophos if you're ok with a free solution.

I suggest Fortigate since this is for a business, though. I'd totally run Fortigate any day. Palo is my preferred, but Fortigate's a bit more palatable to the wallet.
 

capnstabn

Limp Gawd
Joined
Jan 6, 2006
Messages
506
This is not a replacement for an on-site firewall, no matter how you try to spin it.

I've worked a good bit with cloud-based solutions recently. Using a cloud service like this may also cause additional latency, and your logs are stored in their cloud environment.
Check Point, Fortinet, Juniper, Palo and pretty much every other real firewall does this. Geo-blocking isn't rocket science. I've done this for years at home with both Check Point and Fortigate appliances.

pfSense or Sophos if you're ok with a free solution.

I suggest Fortigate since this is for a business, though. I'd totally run Fortigate any day. Palo is my preferred, but Fortigate's a bit more palatable to the wallet.

If your employer works with a Palo Alto Networks reseller you can get one for home use significantly discounted (or request a lab unit).
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
So I ended up building a pfSense box from an older (circa 2005) AMD 64 X2 4200 machine.

I like it. I've been able to turn off the Firebox(es) now and the room is so much quieter.

Good choice.

Pretty simple and straight forward with just a short learning curve.
 
Tags
firewall