DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 15th May 2008
gunderwood gunderwood is offline
New User
 
Join Date: May 2008
Posts: 2
Thanked 0 Times in 0 Posts
Default Firewall Hardware Questions

I am new to OpenBSD and am interested in building a firewall. I have read some books and searched the Internet, but still have some questions about my hardware.

I want to filter on several GbE zones at once, but my traffic is very bursty. Very little average traffic (Mb/sec range) and then the occasional multi-GB transfers. I was planning on using several of the Intel Pro GbE dual or quad interface cards. My research showed some problems with the quad port cards. From what I could find, this is an out-standing issue; correct? For redundancy and extra bandwidth a total of 6-8 GbE ports with NIC teaming would be needed to filter 3-4 zones. If I can't use quad port adapters, then I will need multiple dual port adapters. My original spare computer would support this, but I am uncertain now after researching SMP support. Here is what I had in mind:

Asus P5W64 WS Professional, Intel C2D E6600, 2GB RAM, etc.

I was thinking this would be ideal with all the PCIe ports. I have a Spare Opteron 165, but MB is junk and it "only" has 512MB of RAM. I could use either one, but I liked the C2D because I already have a good MB, lots of RAM, and 4x PCIe slots. However, with SMP support being what it is, I feel like there maybe better uses for these machines and I should just pick up a UP Opteron, etc.

I should note that the reason for the beefy hardware when the average bandwidth is so little, is because when the multi-GB transfers happen they may be concurrent or should have very little impact on the other traffic (assuming there is spare bandwidth). Also in the near future, there are plans to add VPN support (probably 256bit AES, but uncertain atm). The firewall also will be working with an IDS and WAP.

So, the question is what would the ideal OpenBSD firewall hardware look like to filter 6-8 GbE ports? Should I use the hardware I have or pick something up for cheap?

I appreciate any help and would love to hear from someone who has done this. Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 15th May 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

From what you've stated the setups you have would be fine for both basic firewalling and VPN needs. The real gotcha is the IDS section- you'd likely be using Snort.

Snort's great, but beware it's memory usage, especially on the larger rulesets- if you are going to filter traffic against a Windows network, you'll be using the largest rulesets and will consume large amounts of RAM. 512 MB filtering against a Windows network wouldn't be enough on it's own, not to mention it's other responsibilities. Also, the starting and stopping of Snort on a busy machine could cause the machine to churn, and even crash Snort from restarting altogether (this is based on personal experience.)

But if you are just using Snort for IDS and not for IPS (like snort2pf or snort2c) then IMHO you should mirror your traffic off to another separate box running snort (and then install BASE to view alerts in a more sane web-based manner.) If it's purely for Intrusion Detection and not Prevention, there's no need (and a lot of risk) in putting that application in-band on your production network paths- mirroring it off to a side server gives you the ability to muck with Snort as much as you want with no risk to production traffic.

In fact, even if you were going to use it for IPS purposes, you should take the mirroring+IDS path first until you are really comfortable with Snort, OBSD, and the interactions of both with your network. Then you can move that application inline with your production traffic.

Coming full circle, for high rate bursty transfers, if they are 'trusted' transfers a 'pass quick' in pf will take those packets out of the pf processing and make your firewall much more efficient.

Hope this gives some direction.
__________________
Network Firefighter
Reply With Quote
  #3   (View Single Post)  
Old 15th May 2008
gunderwood gunderwood is offline
New User
 
Join Date: May 2008
Posts: 2
Thanked 0 Times in 0 Posts
Default

Short term, mirroring to snort. Long term, using snort2pf. I was concerned that the machine might not have enough CPU/RAM to handle that kind of load without SMP.
Reply With Quote
  #4   (View Single Post)  
Old 15th May 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

RAM definitely would be an issue with Snort (would recommend 1+ GB RAM for windows rulesets) and I can't speak too well on the SMP situation... Uniprocessor IMHO would be fine, but I defer to those more experienced in this area.
__________________
Network Firefighter
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Hardware recommendation: what hardware to buy for my new FreeBSD desktop? Broodjegehaktmetmayo General Hardware 92 11th February 2009 10:43 PM
Is there a purpose for using pf if you have a hardware router/firewall? guitarscn OpenBSD Security 9 23rd January 2009 12:22 AM
upgrading/new hardware from 4.0 knasbas OpenBSD Installation and Upgrading 1 7th January 2009 02:55 AM
What Sun hardware do you have revzalot General Hardware 7 22nd August 2008 01:44 PM
hardware not working Terminal-Chaos FreeBSD General 2 29th May 2008 05:32 AM


All times are GMT. The time now is 01:10 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick