Linux router software recommendation?

Tom Metro blu at vl.com
Sun Sep 11 23:24:16 EDT 2005


Robert La Ferla wrote:
> I need to set up a (free/open source) NAT firewall and am looking for 
> recommendations. 
...
> I think it would be better to just install a dedicated Linux system for
> a router than a generic Linux distro w/iptables.

Yes, particularly a floppy or CD-ROM-based distribution, so you can 
eliminate the hard drive and have a hardware-enforced, read-only file 
system. Then if you ever suspect a breach, you can just reboot.


> The hardware config is a Shuttle XPC (Intel Celeron)...

Unless you need the horsepower, consider using appliance hardware, such 
as a Linksys WRT54G (which will cost you about $40) upon which you can 
run a Linux distribution like OpenWRT (http://openwrt.org/). (See 
http://openwrt.org/TableOfHardware for a list of other hardware that 
will run OpenWRT.)

This kind of hardware has no moving parts, and thus should be more 
reliable, uses less power, generates less heat, and makes no noise.

It should be able to do everything you want (the stock Linksys firmware 
probably meets the requirements you listed as well), though you still 
might find it more convenient and secure to use the Shuttle XPC or 
another server inside your firewall to run auxiliary services, like 
DHCP, DNS cache, etc. (I think it's better from a security perspective 
to avoid putting any software on your firewall machine that isn't 
absolutely necessary for the firewall/routing job.)


> I am quite familiar with iptables, etc... but it looks like there are
> complete packages available like FreeSCO, Smoothwall, and LRP (no longer
> being developed), etc..

I don't think OpenWRT currently bundles a good iptables front-end. 
Sveasoft (http://www.sveasoft.com/), another third party firmware, might.

At some point I plan to try running FireHOL 
(http://firehol.sourceforge.net/), a shell-based front-end to iptables, 
on OpenWRT, but currently it requires bash, which is a bit bloated for 
the OpenWRT environment, so it needs to be ported to ash.

-Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: https://www.linkedin.com/e/fps/3452158/
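The two practical points in the message above, a FireHOL-style front-end that has to run under ash rather than bash, and keeping nothing on the firewall beyond the firewall/routing job, can be made concrete. What follows is an added example written for this page; it is not FireHOL code, not OpenWRT code, and not from the original post. It is a small NAT firewall rule generator in strict POSIX sh (no arrays, no `[[ ]]`, no other bashisms), so the same script runs under busybox ash on a WRT54G and under bash on a Shuttle XPC. The interface names eth0 (WAN) and eth1 (LAN), the subnet 192.168.1.0/24 and the function names are hypothetical defaults chosen for illustration. By default it only prints the iptables commands so they can be reviewed; setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the original post, FireHOL or OpenWRT).
# POSIX sh only, so it runs under busybox ash as well as bash.
#
# Hypothetical defaults; override from the environment, e.g.
#   WAN_IF=vlan1 LAN_IF=br0 LAN_NET=10.0.0.0/24 sh nat-rules.sh
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Dry-run by default: rules are printed, not loaded. IPT=iptables applies them
# (needs root and net.ipv4.ip_forward=1, which this script does not set).
IPT="${IPT:-echo iptables}"

# Every rule goes through this one function, so dry-run vs. apply is a single switch.
ipt() { $IPT "$@"; }

# Interface names and the subnet end up inside commands run as root, so they
# are checked before use. An interface name: letters, digits, '.', '_', '-'.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A subnet must be a.b.c.d/n with four octets 0-255 and prefix length 0-32.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    addr="${1%/*}"; plen="${1#*/}"
    [ "$addr" != "$1" ] || return 1                       # no '/' at all
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr                                          # split on dots
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit a complete default-deny NAT firewall: one LAN side, one WAN side.
nat_firewall() {
    valid_iface "$WAN_IF" && valid_iface "$LAN_IF" && valid_cidr "$LAN_NET" || {
        echo "nat_firewall: refusing to run with bad interface or subnet" >&2
        return 1
    }
    # Clean slate, then default-deny: anything not allowed below is dropped.
    # Traffic originating from the firewall itself is permitted out.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, drop malformed packets, accept replies to connections we opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a LAN source address must never arrive on the WAN side.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Management access to the box (ssh etc.) only from hosts on the LAN side.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Forward LAN -> WAN, and let the replies back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT: rewrite LAN source addresses to the WAN address on the way out.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Stand-alone use prints (or, with IPT=iptables, applies) the rule set.
nat_firewall
```

Two design choices are worth pointing out. The script offers no DHCP, DNS or other services; it does nothing but the rule set, in line with the advice to keep everything else off the firewall machine. And the anti-spoofing rules on the WAN interface are what stop an outside host from borrowing a LAN address to reach the `-s "$LAN_NET" -j ACCEPT` rule. The `-m state` match is the module of the era; on current kernels `-m conntrack --ctstate` is the preferred spelling of the same check.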


