eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Mon Feb 09, 2015 8:30 am Post subject: Gentoo Firewall appliance "kit"?
Is there a "firewall ebuild kit" for Gentoo, perhaps something that could be
emerge firewall-solution
and you get a web based firewall solution? :D
Just dreaming I guess, but basically the problem:
I have these Montavista based routers that I absolutely despise because the licensee of the software didn't make the code available to hack (which may very well be a GPL violation by Qwest/CenturyLink). Well theoretically I don't even need to use their router software, I could run the firewall/router on something else. I first looked at DD-WRT and Tomato solutions, which do work, alas I wanted something more: pfSense. Now that has everything I need. However trying to port the Montavista config to pfSense has not been very successful. Porting iptables behavior to PF ... It's like porting Linux to BSD... well it IS exactly that!
Well then it would be nice to have a Linux router and hopefully the behavior can easily be ported Linux to Linux, and be able to run arbitrary Linux apps on the router. And if it were also Gentoo, it could also share upgrade paths...
So does such exist? Or perhaps there's a cheat sheet somewhere to translate iptables behavior to PF commands... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
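The iptables-to-PF translation asked about above, as an added example that is not from any poster or project in this thread: a small script that converts iptables DNAT port-forward ("hole punch") rules into the rdr/pass pair that FreeBSD-era pf (the dialect pfSense 2.x uses) expects. The eth0 to $ext_if interface mapping and the two sample rules are constructed assumptions.

```python
import re
from typing import List, Optional

# Constructed sample: two iptables DNAT port-forwards as they would appear
# in an iptables-save dump (assumed input, not from any poster).
SAMPLE_IPTABLES = """
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.20
"""

# Only the DNAT-in-PREROUTING subset is recognised; everything else is skipped.
DNAT_RE = re.compile(
    r"-A PREROUTING\s+-i\s+(?P<iface>\S+)\s+-p\s+(?P<proto>tcp|udp)\s+"
    r"--dport\s+(?P<dport>\d+)\s+-j\s+DNAT\s+--to-destination\s+"
    r"(?P<dst>[\d.]+)(?::(?P<tport>\d+))?"
)

# Assumed mapping from Linux NIC names to pf.conf interface macros.
IFACE_MAP = {"eth0": "ext_if"}


def dnat_to_pf(rule: str) -> Optional[List[str]]:
    """Translate one iptables DNAT rule into pf rdr + pass rules, or None."""
    m = DNAT_RE.search(rule)
    if not m:
        return None
    iface = "$" + IFACE_MAP.get(m["iface"], m["iface"])
    # DNAT without an explicit target port keeps the original port.
    tport = m["tport"] or m["dport"]
    # Pre-OpenBSD-4.7 rdr syntax, still what FreeBSD/pfSense pf accepts.
    rdr = (f"rdr on {iface} proto {m['proto']} from any to ({iface}) "
           f"port {m['dport']} -> {m['dst']} port {tport}")
    # pf filters after translation, so the pass rule matches the rewritten
    # destination, the same role an iptables FORWARD ACCEPT rule plays.
    passrule = (f"pass in quick on {iface} proto {m['proto']} from any "
                f"to {m['dst']} port {tport}")
    return [rdr, passrule]


def translate(text: str) -> List[str]:
    """Translate every recognised DNAT line in an iptables-save style dump."""
    out: List[str] = []
    for line in text.splitlines():
        rules = dnat_to_pf(line)
        if rules:
            out.extend(rules)
    return out


if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_IPTABLES)))
```

Rules the regex does not recognise are dropped silently, so diff the output against the original iptables-save dump before loading the generated pf.conf.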
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Feb 09, 2015 1:13 pm Post subject: Re: Gentoo Firewall appliance "kit"?
eccerr0r wrote: | Well then it would be nice to have a Linux router and hopefully the behavior can easily be ported Linux to Linux, and be able to run arbitrary Linux apps on the router. And if it were also Gentoo, it could also share upgrade paths... |
eccerr0r ... there is the gentoo-router-overlay which though more targeted toward an AP (openwrt kernel) might be a starting point (considering that most of the components for such a firewall/router are in ::gentoo). That, in combination with a *-uclibc-* or *-musl-* stage3 (under 'experimental') might provide a base for such a router. While probably not what you have in mind I'd suggest you also look at Aboriginal Linux (as a build and/or bootstrapping system for the "smallest/simplest linux system capable of rebuilding itself") and Alpine Linux.
eccerr0r wrote: | So does such exist? Or perhaps there's a cheat sheet somewhere to translate iptables behavior to PF commands... |
I seem to remember that net-firewall/fwbuilder offers some such feature ...
best ... khay
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Mon Feb 09, 2015 4:21 pm
That Gentoo firewall overlay looks interesting but I think things can be even easier than that: the target hardware is actually a full x86 firewall appliance that can run Gentoo, glibc, etc., directly (maybe a slight bit lacking on memory, 256MB, but that can be bumped to 512MB) - I just was hoping for an in-portage web GUI oriented firewall configuration like pfSense (mostly for firewall hole punching and no, do not want to use upnpd for that), and at worst case I can transfer the iptables config via command line for esoteric configuration - which is why pfSense has been very annoying to get it to work right on my network configuration.
Then again maybe it's best to just go with sticking with FreeBSD (nanobsd) just to make sure of having software diversity in the network hardware...
(Off topic but interesting: the previous version of pfsense, 2.1.5, and the new one 2.2, ... they fixed one really annoying thing: FreeBSD 8.4 takes _forever_ to boot compared to FreeBSD 10.1...it's not even funny how bad 8.4 was... both running off the same CF card.) _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Feb 09, 2015 8:31 pm
eccerr0r wrote: | That Gentoo firewall overlay looks interesting but I think things can be even easier than that: the target hardware is actually a full x86 firewall appliance that can run Gentoo, glibc, etc., directly (maybe a slight bit lacking on memory, 256MB, but that can be bumped to 512MB) - I just was hoping for an in-portage web GUI oriented firewall configuration like pfSense (mostly for firewall hole punching and no, do not want to use upnpd for that), and at worst case I can transfer the iptables config via command line for esoteric configuration - which is why pfSense has been very annoying to get it to work right on my network configuration. |
eccerr0r ... oh, I see, I've never used such a thing but they exist, ankiwall for instance. Nothing else comes to mind ... not sure how developed ankiwall is, or how well supported, but I imagine not to the level of pfSense.
best ... khay
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Wed Feb 11, 2015 4:59 am
eccerr0r wrote: | Is there a "firewall ebuild kit" for Gentoo, perhaps something that could be
emerge firewall-solution
and you get a web based firewall solution? |
Have you tried app-admin/bastille? If you are investigating it beforehand, try http://sourceforge.net/projects/bastille-linux/?source=directory, instead of the site listed as the homepage in the ebuilds at the moment as it is no longer affiliated with Bastille Linux.
overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Wed Feb 11, 2015 5:35 am
You might want to look at Mikrotik routers and their RouterOS. RouterOS is Linux based and has the best graphical iptables interface I've ever seen - both via their winbox app and via a web browser.
www.mikrotik.com & http://routerboard.com
You can download a free trial of their x86 version and install it on a virtual machine.
Better off just buying one of their routers since RouterOS is included.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Feb 11, 2015 5:43 am
I'm not so sure about Mikrotik or Tilera. I was fascinated by the cloud core processors but neither company has a response time that could make a customer happy. The Mikrotik forum has a lag time of days or more. The specs they give are suspiciously lacking real VPN numbers. The Tilera response in email literally took months.
On top of that you can't get prices for Tilera hardware without signing a non-disclosure agreement.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Feb 11, 2015 5:47 am
Oh yeah.
If the Tilera performance claims are anywhere near correct then the Mikrotik products with cloud core processors are hugely underutilized.
overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Wed Feb 11, 2015 6:02 am
I can't vouch for the Tilera processor models. That's their top of the line, and the prices reflect that. For personal use, they are overkill. I'd recommend something more like a RB750GL or the powerpc based dual core RB850.
Personally, I have a CRS125-24G-1S-2HnD-IN that I picked up new for $169 USD.
overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Wed Feb 11, 2015 6:20 am
1clue wrote: | ...
On top of that you can't get prices for tilera hardware without signing a non-disclosure agreement. |
Did you actually look at the routerboard link I posted? Look at the bottom of the router section. All the CCR* routers are Tilera processor based and the Suggested Retail Prices are posted.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Feb 11, 2015 12:23 pm
Sorry, I worded that poorly. I'm interested in 10gbps hardware mostly. The routerboard hardware is 1gbps stuff. I tried to contact tilera.com for prices. Their web site isn't even up to date with their latest hardware announcements.
Who does that?