Help with firewall selection and setup

mike156 (Senior Member, joined Oct 4, 2011, location: Jozi)
Hi Guys, need some guidance here as this is virgin territory for me.

We have a small office with a 1meg line and we are at the point where the line sometimes becomes unusable due to abuse.

I'm looking to setup something like untangle/smoothwall/pfsense but am unsure as to what would be best.

I have simple requirements:

*Monitor usage per IP address and limit/block access accordingly.
*Ability to impose limits on port ranges.
*I need to be able to do windows file sharing from this box as well (even though it's not recommended from what I have read) --> I see that Smoothwall has a mod to enable Samba, not sure about the others.

Anything else will be an added bonus.
 
Smoothwall.

I don't recommend Samba as mod.

You can then install Full Firewall Control, and selectively open/close ports as seen fit. If you install Smoothwall with the half-open configuration, then torrents won't work. You will still have email/web access though, but will need to add rules for incoming VPN etc - hence Full Firewall Control.

FFC you can block by IP or MAC (incoming or outgoing).

Use SARG (Squid Analysis Report Generator) to compile the Squid logs into a more readable format, and to see which IPs have been browsing for how long on which IP/website.

Use URL Filter to block porn sites if needed.

If you really need Samba shares, look at ClearOS - this does not have all the bells and whistles of Smoothwall re firewalling, but will do the job. Not sure about IP monitoring and limit/block...
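The kind of per-IP usage summary SARG builds from the Squid logs, together with the "monitor usage per IP and limit accordingly" check from the opening post, as an added Python example (not code from SARG, Smoothwall, or anyone in this thread). The log lines are constructed in Squid's native access.log layout, the addresses are made up, and the 500 MB threshold is an assumed figure:

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client_ip result/status bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """\
1349000001.120   512 192.168.0.10 TCP_MISS/200 45231 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1349000002.445  1890 192.168.0.11 TCP_MISS/200 734003200 GET http://files.example.net/big.iso - DIRECT/203.0.113.5 application/octet-stream
1349000003.002    40 192.168.0.10 TCP_HIT/200 1024 GET http://example.com/logo.png - NONE/- image/png
1349000004.310   300 192.168.0.12 TCP_MISS/200 20480 CONNECT mail.example.org:443 - DIRECT/198.51.100.7 -
1349000005.900  2200 192.168.0.11 TCP_MISS/200 314572800 GET http://files.example.net/other.iso - DIRECT/203.0.113.5 application/octet-stream
this line is garbage and should be skipped
"""

# Assumed monthly per-client quota (500 MB); pick whatever fits the line.
QUOTA_BYTES = 500 * 1024 * 1024


def host_of(url):
    """Hostname from a proxied URL (http://host/path) or a CONNECT target (host:port)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0]


def parse_line(line):
    """Return (client_ip, bytes, url) for one native-format line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        return parts[2], int(parts[4]), parts[6]
    except ValueError:
        # the bytes field was not a number: not a Squid record, skip it
        return None


def usage_per_ip(log_text):
    """Total bytes, request count and distinct hosts per client IP."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, nbytes, url = rec
        totals[ip]["bytes"] += nbytes
        totals[ip]["requests"] += 1
        totals[ip]["hosts"].add(host_of(url))
    return dict(totals)


def over_quota(totals, limit_bytes=QUOTA_BYTES):
    """Client IPs whose total exceeds the quota, heaviest first (candidates for a block rule)."""
    return sorted((ip for ip, t in totals.items() if t["bytes"] > limit_bytes),
                  key=lambda ip: totals[ip]["bytes"], reverse=True)


if __name__ == "__main__":
    totals = usage_per_ip(SAMPLE_LOG)
    for ip, t in sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{ip:15} {t['bytes']/1048576:10.1f} MB  {t['requests']:3} requests  {', '.join(sorted(t['hosts']))}")
    print("over quota:", over_quota(totals))
```

Run it against a real file with `usage_per_ip(open("/var/log/squid/access.log").read())`; the list returned by `over_quota` is the set of addresses you would then feed into Full Firewall Control's per-IP block rules by hand.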
 
If you have a spare old PC then I would go for Smoothwall else a decent router would be able to do everything on that list.
 
Smoothwall.

I don't recommend Samba as mod.

Thanks for the info, but are there any show-stopping reasons as to why it's a bad idea? I can understand in an enterprise environment it wouldn't be the smartest thing to do, but we're just a small office with a few networked PCs and CCTV equipment.

If you have a spare old PC then I would go for Smoothwall else a decent router would be able to do everything on that list.

We'll go with the spare PC route, I'm not keen on explaining the reason for a new router when the higher-ups would sooner fire the moochers.

Add squid proxy to the mix.

Will look into it, thanks.
 
By default Squid is installed with Smoothwall.

Having your firewall act as a file server is not a good idea, due to the fact that, IF some ne'er-do-well manages to hack it, your files will be ripe for picking...

Never had a Smoothwall hacked before, but you never know.

The Samba HOWTO was written for Smoothwall Express 2.0 - by now we're up to Express 3.1 RC2 - and it is highly doubtful that the same procedure(s) for 2.0 will also work with 3.0 (or 3.1)....

If you really need to have file sharing, look at ClearOS as it's got everything in one package, no need to mess around at the command line for things etc.

A suggestion from my side is: procure a PC with 4GB RAM and mirrored HDDs - then set up a host OS of your choice (Windows/Linux/Proxmox/VMware) - then run ClearOS (fileserver) and Smoothwall (firewall) virtualized. Of course you'll need to make the ClearOS VM HDD big enough should you go this route.

This way, should one HDD fail, you will still be able to use the machine until such time the faulty HDD can be replaced - but it does NOT replace a good backup (tape/offsite/cloud).
 
Not worried about access to our files, as there's nothing particularly important on there.

I just need to lock the buggers down from torrenting and watching porn while I'm struggling to Skype with China etc :D

I guess ClearOS it is, thanks for all the help.
 
A suggestion from my side is: procure a PC with 4GB RAM and mirrored HDDs - then set up a host OS of your choice (Windows/Linux/Proxmox/VMware) - then run ClearOS (fileserver) and Smoothwall (firewall) virtualized. Of course you'll need to make the ClearOS VM HDD big enough should you go this route.

Neither of the two can be installed on a cheap (software) RAID controller and both require dedicated hardware.

So you either end up with the OS on a single volume which can then access a mdadm software RAID and is somewhat pointless considering the loss of redundancy, or you fork out a hell of a lot of money on a RAID controller.

Zentyal can go install its own software RAID upon installation from what I remember.
 
 
Hi There,
I think you should first look at what information you can get out of your current router. Generally you will be able to find how much data each address is using.
Then you can look at what QoS the router can put on before you go the route of firewalls and blocking sites.
I would also not run the firewall on any business server even if the files on it do not currently matter. What happens today is not what happens tomorrow, and you may find that someone decides later to store important info on the firewall and bang goes the security to that information.

Regards

Tim
 
 
If it's an option, I'd recommend procuring an HP Microserver for the file share loaded with Nas4free (booting off a memory stick) and WD Caviar Red hard disks (don't use green power type disks in your NAS) and run your firewall on a separate box.

UTM/SBS Linux Distros. Lots that are quite good, including those mentioned: Zentyal I had probs with port forwarding, ran out of time to fix it so went to ClearOS 5, which mostly worked well with basics but I had problems with the content filter. With ClearOS 6, they've also moved towards more premium features in the paid-for version compared to community (they used to boast there was only one version of ClearOS). Endian is my current favourite for UTM gateway distro but I haven't lived with it day to day yet.

The Ubiquiti Edgerouter Lite might be worth looking at but I'm not sure if it has the functionality to restrict access in the way you need out of the box.

If you go the virtualization route suggested, you can run Ubuntu Server or CentOS as the host with VirtualBox. Set up software RAID when you install the host OS and you can run the host as a headless server to save resources. Be aware though that you should choose your file system on host and guests carefully and consider disabling Host I/O caching on the guest VMs, as certain combinations of these are prone to data corruption of the guest OS under unexpected shutdowns and such.
 
So, now that I have ClearOS installed, I need a little help configuring if you guys don't mind.

I have the windows file sharing, flex share modules installed and have followed the instructions on setting up users etc. but I am unable to actually access the server from any windows machine either through the selected name or its IP.

Typing in the server address in the Run prompt just gives a windows cannot access \\ipaddress popup.

It's very possible that I cocked up the initial setup as I wasn't sure what to set the hostname and default domain name as, not sure if this will affect anything.
 