OpenBSD Security - Functionally paranoid!
Building a Firewall/Router prepurchase questions
resolved
Last edited by azarian; 20th May 2015 at 05:02 PM.
I had the same dilemma a few months ago. Went with the PC Engines APU as it was cheaper than Soekris and had known good hardware support.
There has been some debate about whether it can actually push a gig through the NICs, though. I don't have a need for that much throughput so I haven't paid that much attention to it. Worth looking into if speed is an important factor for you. The only other complaint is that they run hot. Mine is at 60C in a 58F house doing firewalling and running a service that eats 20% CPU pretty much all the time. I am a little worried about summer time. Tim.
Nope. Other than the new Soekris if you're willing to wait.

Probably not.
I'm running prior-generation PC Engines gear: Alix 2d3s. These are 500 MHz AMD Geode (Cyrix) processors with 256MB RAM, with vr(4) 100BaseT NICs. Unlike the new APUs, these don't run hot. PC Engines has been a pleasure to deal with for both initial delivery and a follow-on hardware problem (CompactFlash memory card DOA) and I'm very happy with their performance (230Mbps / 5Kpps) ... but like ibara, I only require 100Mbit on any Ethernet segment.
If you don't want to spend more than $100 I would get a used Intel Atom fanless Mini-ITX Supermicro server with dual Intel gigabit from these guys UNIXsurplas/. New can be found on e-bay for $250. I would stick a $20 32GB SSD into it.
If you want something really fancy I like Axiomtek hardware, but they go for $500 and above. Essentially you are paying a premium price for a nice design.
The only reason the PC Engines APU features Realtek NICs, instead of Intel ones, is to keep the price low and IIRC also the power consumption. In the beginning of 1990 my wife and I set up the European headquarters of a large Taiwanese computer manufacturer, so I know the industry. All so-called "American" computer companies outsource their production to Taiwanese, or nowadays also Chinese, companies. You have hundreds of companies that just manufacture products designed by third parties. Many of them also offer extended services, like converting schematics into a four-layer or six-layer PCB design or turning a product specification into a design. So please ignore the marketing crap that makes you believe that things are made in the USA. Without all those Taiwanese engineers, many of whom studied in the USA and started computer companies in Taiwan, we would not have these computer products that seem to be an indispensable part of our daily lives. Their pricing strategy was not based on "what is the market willing to pay for product A", but on calculating their cost, adding a profit margin and just selling. I have heard factory managers complain about their sales people who sold too low. In order to still make a profit they had to use lower-grade components than originally planned. So only if a company slams down the price too much do you get lower quality products. Like the capitalist adage says, "You get what you pay for".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Tons of skiddies running scripts in China - about 95% of the brute force blocks I see originate from China. It has nothing to do with hardware if that's what you were asking. Put any server on the Internet with port 22, etc. open and you will eventually get people knocking on it. As someone already said, you should allow only key-based SSH access. Of course, do you really need ssh open to the Internet on your home router? Sometimes people like this - run a dyndns client and then you're able to access your home servers over SSH when you're traveling. But if you don't, simply don't allow ssh to run on your WAN interface. If you do run it on your WAN interface, I recommend changing the ssh port. This is extremely common on public-facing systems. While it is security by obscurity (someone with the slightest determination will find your ssh port), the vast majority of Chinese skiddies will see if 22 is open and, if not, move on to the next IP, so you can effectively filter out a ton of attempts. Beyond that, ban IPs with multiple failed login attempts as mentioned.
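The pf.conf pattern that implements the advice in the post above on OpenBSD, as an added example rather than any poster's own ruleset: ssh reachable only from the LAN by default, and, where it must be exposed on the WAN, moved off port 22 and rate-limited so that sources exceeding the limit land in a table that is blocked outright. The interface names, the LAN prefix, the port and the thresholds are assumptions.

```pf
# /etc/pf.conf fragment (added example; em0/em1, 192.168.1.0/24, port 2222
# and the connection thresholds are assumed values, not from the thread)
ext_if  = "em0"             # WAN side
int_if  = "em1"             # LAN side
lan_net = "192.168.1.0/24"
ssh_port = "2222"           # non-default port, as the post recommends

# Sources that tripped the rate limit below; 'persist' keeps the table
# alive across ruleset reloads even while it is empty
table <bruteforce> persist

set skip on lo
block in log on $ext_if                     # default deny on the WAN
block in quick on $ext_if from <bruteforce> # banned sources never reach a pass rule

# Management from the LAN only: this is the "don't run ssh on the WAN" option
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22

# Only if ssh must be reachable from outside: a source opening more than
# 5 new connections in 30 s, or holding 10 at once, is added to
# <bruteforce> and all of its existing states are flushed
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA modulate state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass out on $ext_if keep state
```

Pair this with `PasswordAuthentication no` in sshd_config so only key-based logins are accepted, and age out old entries with `pfctl -t bruteforce -T expire 86400` from cron.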
So while I appreciate the lesson on the politics of outsourcing and security, can we go back to the OP and discuss hardware?
PC Engines out. Too many negative reviews. Shuttle out. Realtek NICs. Soekris still in the running, but looks outdated for the price and not able to wait till Q2/2015 with price unknown. Came across this little box (BLKD2500CCE w/ Intel Atom BGA559, Mini-ITX form factor, Intel NICs) and wondering if it would be a mistake to get it over the Soekris?
I think this is a mistake but I'm not the one buying.
The GPU on that machine is a PowerVR which means no support (now or ever) if you at some point want to convert it to a desktop machine.
I was really headed towards the PC Engines, but the more I read, the more I see people having issues. I wish it had Intel em cards or Broadcom as it looks like a great firewall device.
Thanks for the quick response!
It looks more than sufficient.
Just to clarify, you are speaking about the LKD2500CCE w/ Intel Atom BGA559, Mini-ITX form factor, Intel NICs?
Also, any reason to go Soekris over the LKD2500CCE w/ Intel Atom BGA559, Mini-ITX besides 2 extra ports?
Yes. If you purchase the Soekris exactly $0.00 of your purchase will go to PowerVR, a company that is actively hostile towards Free Software communities. It is the same reason you should never buy Nvidia.
1) Sorry for the confusion, but would the LKD2500CCE be a solid purchase for running pfSense or OpenBSD as a firewall? The only negative is a political open-source one?
2) Does the Soekris box (over 4 years old) have any advantages that the LKD2500CCE does not?
This was mentioned on the OpenBSD-misc mailing list recently and, if it holds up, looks enticing.
The original poster was interested in Gigabit LANs (at least 2), fanless, and a 1280x720 video output. I would share the concern about heat as the case looks "tight". Power consumption is on a par with the PC Engines Geode CPUs. Each NIC adds about 1.3 watts. When I read the mailing, I recalled this thread and linked it as an option. The original poster would be on new ground. The 5-year warranty would minimize some of the risk. If the OP documents the results (including operating temps) they could be of interest to the manufacturer. Perhaps Fitlet would even supply an example for testing. A successful trial would increase their market.