Hardware firewall - Recommendations?

[Tim]

Hey guys,

I'm in the market for a new hardware based firewall. I'm looking specifically for something that has as small a budget as possible and specifically must be able to do L3/L4 filtering based on direction, protocol, and ports.

VPN or otherwise encryption is not required. I'd be interested in both 100M and 1000M versions, or mixes between.

Any ideas?

[ebony]

the 5 servers i keep at work on my rack i just use a old p4 i find lieing about with ipcops on its a cheep (free) its got about 128 days uptime very custom and can do a lot with it
i have used hardware ones but they cost a lot. my servers are fireservers and a webhosting email etc nothing hardcore no big sites

take a look at webhostingtalk.com

[xartin]

build a linux or freebsd system and use that for a firewall. I'm sure tim is comfortable with linux iptables or bsd ipfw/pf/ipfilter given your previous cisco experiences

http://www.gentoo.org/doc/en/home-router-howto.xml

http://www.gentoo.org/doc/en/article...-firewalls.xml

Firewalls

As well the hardware requirements for a linux/bsd firewall are laughable at best. A pentium 2 would run one fairly well and never need a reboot for years... yes i did mean years

If you were to choose a gentoo linux or freebsd install you likely would want a faster processor than a pentium 2 since gentoo/fbsd compiles all program code from source. Using a pentium 2 for this task is still possible however requires levels of patience most individuals would never find desirable.

[Iru]

Most any consumer-focused product will do what you're looking for, Tim. The only complicated part is dealing with the small number of ports on the LAN-side switch. I personally have used both D-link & Netgear devices without issue.

That said, before I decided I wanted the floor-space back, I used to use an UltraSPARC II system running linux as my firewall. The thing ran continuously with next to no attention, so pretty much any half-way capable hardware with the appropriate NICs will do.

[Zzyzxx71]

Sounds like you have some spare hardware sitting around, a flexible platform can be found at Network Monitoring Software - Open Source Content Filter & Spam Filter | Untangle.com, it's free for the base package, there's a monthly subscription fee for the packages with extra functionality.

Just download the ISO, install, configure it and go.

We've installed them at several client sites where budget was a concern.

[Tim]

A big thing I'm really looking for is a switch with layer3+ filter capabilities. I think going Cisco is the only route here.

[Baldecaran]

The Cisco 870 series offers some compelling features for a decent price. Pay attention to the shipped IOS, though. I am running an 871 with the Advanced IP services IOS and it has been working like a champ. I host some Flash content for a few clients and it has yet to hiccup

Cisco 871

[Iru]

Quote:

Originally Posted by Tim

A big thing I'm really looking for is a switch with layer3+ filter capabilities. I think going Cisco is the only route here.

Between all the switch ports? Or just as an SPI firewall?

[Tim]

Yup between on all switch ports.

I have some Cisco 870's laying around, but they do not handle ACLs for layer3/4 on each switch port.