Gentoo Firewall appliance "kit"?

[eccerr0r]

Is there a "firewall ebuild kit" for Gentoo, perhaps something that could be

emerge firewall-solution

and you get a web based firewall solution? :D

Just dreaming I guess, but basically the problem:

I have these Montavista based routers that I absolutely despise because the licensee of the software didn't make the code available to hack (which may very well be a GPL violation by Qwest/CenturyLink). Well theoretically I don't even need to use their router software, I could run the firewall/router on something else. I first looked at DD-WRT and Tomato solutions, which do work, alas I wanted something more: pfSense. Now that has everything I need. However trying to port the Montavista config to pfSense has not been very successful. Porting iptables behavior to PF ... It's like porting Linux to BSD... well it IS exactly that!

Well then it would be nice to have a Linux router and hopefully the behavior can easily be ported Linux to Linux, and be able to run arbitrary Linux apps on the router. And if it were also Gentoo, it could also share upgrade paths...

So does such exist? Or perhaps there's a cheat sheet somewhere to translate iptables behavior to PF commands...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[khayyam]

[eccerr0r]

That Gentoo firewall overlay looks interesting but I think things can be even easier than that: the target hardware is actually a full x86 firewall appliance that can run Gentoo, glibc, etc., directly (maybe a slight bit lacking on memory, 256MB, but that can be bumped to 512MB) - I just was hoping for an in-portage web GUI oriented firewall configuration like pfSense (mostly for firewall hole punching and no, do not want to use upnpd for that), and at worst case I can transfer the iptables config via command line for esoteric configuration - which is why pfSense has been very annoying to get it to work right on my network configuration.

Then again maybe it's best to just go with sticking with FreeBSD (nanobsd) just to make sure of having software diversity in the network hardware...

(Off topic but interesting: the previous version of pfsense, 2.1.5, and the new one 2.2, ... they fixed one really annoying thing: FreeBSD 8.4 takes _forever_ to boot compared to FreeBSD 10.1...it's not even funny how bad 8.4 was... both running off the same CF card.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[khayyam]

[F_]

Very interesting idea of "eBuild kits" that I haven't thought of before.

I don't have a solution to your problem, but I would imagine it would be something built on top of Gentoo Hardened.

1. https://wiki.gentoo.org/wiki/Project:Hardened
2. https://wiki.gentoo.org/wiki/Hardened_Gentoo

[desultory]

[overkll]

You might want to look at Mikrotik routers and their RouterOS. RouterOS is Linux based and has the best graphical iptables interface I've ever seen - both via their winbox app and via a web browser

www.mikrotik.com & http://routerboard.com

You can download a free trial of their x86 version and install it on a virtual machine

Better off just buying one of their routers since RouterOS is included.

[1clue]

I'm not so sure about Mikrotik or Tilera. I was fascinated by the cloud core processors but neither company has a response time that ccould make a customer happy. The Mikrotik forum has a lag time of days or more. The specs they give are suspiciously lacking real vpn numbers. The tilera response in email literally took months.

On top of that you can't get prices for tilera hardware without signing a non-disclosure agreement.

[1clue]

Oh yeah.

If the tilera performance claims are anywhere near correct then the Mikrotik products with cloud core processors are hugely underutilized.

[overkll]

I can't vouch for the tilera processor models. That's their top of the line, and the prices reflect that. For personal use, they are overkill. I'd recommend something more like a RB750GL or the powerpc based dual core RB850.

Personally, I have a CRS125-24G-1S-2HnD-IN that I picked up new for $169 USD.

[overkll]

[1clue]

Sorry i worded that poorly. I'm interested in 10gbps hardware mostly. The routerboard hardware is 1gbps stuff. I tried to contact tilera.com for prices. Their web site isn't even up to date with their latest hardware announcements.

Who does that?