We seem to be experiencing some slow sledding here. April 17, 2001 10:16 AM

We seem to be experiencing some slow sledding here. Any ideas?
posted by Avogadro to Uptime at 10:16 AM (25 comments total)

yeah...

here's the deal:

ever since the 5k site got slashdotted (and the comments mocked the server for running the Evil Empire's OS), a few of the sites on this box have been getting flooded with weird requests. So yeah, the server got some coverage, and people responded to it.

so I wanted to set up a cheapo firewall solution, and just poke holes in ports 80 and 21 (so I can transfer files and pages from the machine), in addition to a couple other ports for admin purposes. Everything else would be blocked out, unpingable, and non-identifiable.

I've used a linksys router/firewall at home for almost a year now without fail. I can ftp into it from outside, run test sites on it, and it works great. So I bought one this past weekend, and this morning, after configuring it, plopped it in front of the metafilter box.

It worked ok for about an hour, then went down for a while, and then magically reappeared, then went away for a couple hours.

My guess is that it can't handle the number of requests the server gets each day and it locked up. I contacted Ev and he was nice enough to remove the offending piece of hardware and restore the previous settings.

So that leaves me with three options.

1. keep things as is, institute a stricter ipsec policy, perhaps try a software firewall solution (which have been quite buggy for me in the past).

2. set up a cheapo linux box in line, just to act as a firewall. this is relatively easy, totally stable, but I hate the idea of needing an entire computer to do one simple thing. I'd rather have some tiny magic box that doesn't gobble up as much energy.

3. find a more suitable firewall. So far, this new netgear small office firewall/router is about the only hardware solution in the low (<$500) price range. It seems like it could handle more requests than the linksys, based on the specs and descriptions. Real hardware firewalls are very expensive, and unless someone has a spare cisco one hanging around they'd like to give me, this netgear thing is about the only choice in my range.

Thoughts anyone?
posted by mathowie (staff) at 12:55 PM on April 17, 2001


the only experience i've had dealing with firewalls is with blackICE and zonealarm, which i doubt would work well for a server, and the linksys router you mentioned above. the netgear device does look like it would do the job, but it costs much more.

are we talking about hacking/DoS attempts, or just port-scanning and smaller things like that?
posted by pnevares at 4:07 PM on April 17, 2001


I use Black Ice at home but don't know how useful it is for your purposes. If you want to look at it, go to Network Ice.
posted by Zool at 4:19 PM on April 17, 2001


are we talking about hacking/DoS attempts, or just port-scanning and smaller things like that?

well, everything on the internet is port scanned, it'd be nice if none of them were open. There have been a few hack attempts, so something that can handle blocking pointless DoS attacks is important.

I tried blackICE and zonealarm back when I had a cable modem sitting raw on the internet, but I could never get outside ftp or http requests to get in.

The netgear is looking like the best choice, some online outlets are pricing it around $225, so it's not too pricey.
posted by mathowie (staff) at 4:50 PM on April 17, 2001


I tried blackICE and zonealarm ... but I could never get outside ftp or http requests to get in.

in the version of blackICE i used, you could specify IP addresses that were allowed to get through, but only on an all-or-nothing basis. but i don't know if ip spoofing would defeat that.
posted by pnevares at 5:06 PM on April 17, 2001


I've used a Netgear DSL box before to protect a business network, and was very happy with it. There are some tricks to configuring in their scheme, but then again I'm not a firewall guru. But I can't say how well this would handle the traffic.

Maybe you could chat up the kuro5hin guys ... inoshiro in particular seems to know this sort of thing cold.
posted by dhartung at 5:40 PM on April 17, 2001


Maybe you could chat up the kuro5hin guys ...

I'm sure I'd hear what I hear from every linux using coworker: "get a damn cheapo box, throw freebsd or openbsd on it, and shut the hell up"

:)
posted by mathowie (staff) at 5:57 PM on April 17, 2001


Matt, what kind of router do you (does Ev) have at the end of whatever Internet connection is there? If it's a Cisco, then you should be able to handle a minor port filter at that router, rather than having to buy another piece of equipment. (For example, my setup at home has a Cisco 2501, and I have very basic port filters on it that prevent people from getting to my Linux databases from the outside.)

If you decide to go with a Linux box, what kind of cheapo box do you need? I have a few lying around that I could probably contribute to the cause...

/jason
posted by delfuego at 6:15 PM on April 17, 2001


i have the netgear and i love it. it's extremely secure (if you want it to be) and pretty easy to configure. i don't know how well it'll handle the amount of traffic you're expecting though - it seems to be more of a home network type of thing. i just open up port 80, send it to the apache server's ip and no one even knows i have other computers connected to it.

but, like i said, i think you get a few more hits than i do.
posted by cheesebot at 7:20 PM on April 17, 2001


Here's how to allow access to an FTP and HTTP server (or any other port, really) with BlackIce Defender.
posted by waxpancake at 7:42 PM on April 17, 2001


If the server was a Mac I'd tell you to get a copy of IPNetSentry and put it on there. Basically all it does is watch for attempts to access certain ports that are indicative of scans and/or hack attempts, then block the offending IP address from accessing your box at all for a configurable period of time. Surprisingly effective and non-intrusive. I would have actually registered it if I'd been port-scanned more than once in the two-week trial period.
posted by kindall at 9:30 PM on April 17, 2001


Yeah, I'm with your coworkers yo -- FreeBSD and Open BSD have awesome firewalling. Buy a $300 machine instead of a closed source, possibly not what you want appliance.
posted by benbrown at 9:46 PM on April 17, 2001


I think it may be a firmware problem. I never had probs with my router because I never ran the firmware it came with, version 1.36.

Apparently the thing crashing is normal and happens.

I thought the newest release of 1.37 wasn't worth the download, but I'll try upgrading it and plopping it back in line tomorrow. Wish me luck.
posted by mathowie (staff) at 10:48 PM on April 17, 2001


I'm sure I'd hear what I hear from every linux using coworker: "get a damn cheapo box, throw freebsd or openbsd on it, and shut the hell up"

Hmmm, now Matt, why would a Linux user tell you to use Free/OpenBSD? :-)

I personally like the Linux firewalling/router solution. Current situation notwithstanding (can't link--rules), I have never had any problem with it and have used it in various installations. A cheap Linux box goes a long way under load, but of course the problem is getting everything ship-shape. You don't just plug it in...

The Sonicwall SOHO2 looked interesting and configurable, but I'm not sure how it handles load. Anyone have experience with it?
posted by fooljay at 10:48 PM on April 17, 2001


Current situation above is neutralized. Matt, I fixed the problem, and hence I can now say fully and without reservations: Linux firewalls ROCK. :-)
posted by fooljay at 11:47 PM on April 17, 2001


The problem with the full-blown Intel box with Linux or BSD is the power consumption and, to a lesser degree, space.

o Power rates being what they are in California, it's not cheaper to run a firewall like that in the long run; even if it's donated. (Depending on your worldview, potentially irresponsible as well.)

o It's louder and has a bigger footprint.

o Maybe--just maybe?--you forgot to disable a service or patch something.

fooljay - My shop uses the SonicWall SOHO. It is relatively easy to configure, comes with a default rule set which saves you a lot of dull work. To be sure, it still requires a time investment to fit it to your situation. It handles our load well, which includes our website, (small company, largish client base) product downloads, VPN and such. I imagine SOHO2 took some lessons to heart and is that much better.

And as for why a Linux user would recommend BSD, it's because people recognize that the same OS isn't always best for their workstation, their firewall, their design studio. Generally these people are the technically practical and nimble types that use Linux, who are not always (or usually?) conflated with the fanboys that use Linux.
posted by brantstrand at 11:49 PM on April 17, 2001


Matt...

Get a damn cheapo box, throw openbsd on it, run IP Filter and shut the hell up.

;-j

No, I mean seriously. We get attacks on our systems all the time, people/robots/whatever are continually checking our defenses. This problem is getting worse.

You're really going to be far better off getting that machine behind something solid.

Oh, and get rid of FTP too, use SSH and SCP.


posted by lagado at 11:52 PM on April 17, 2001


Hopefully without starting something, I'd like to make a couple of points...

openBSD is generally considered to be the best platform for firewalls. It's simple and it's solid and relatively easy to tie down.

A typical Linux box distro comes with far too much stuff and most of it is switched on.
posted by lagado at 11:58 PM on April 17, 2001


Brant, sounds good. Do you think you're pushing Metafilter hit levels??

Lagado, easy answer: Don't install RedHat. Debian is a better choice for a firewall. Then you have LRP...

As far as Metafilter goes, most of you all who advocate the blackbox are probably right for this situation. Small to no learning curve, lower power consumption, easy to set up and lock down. I like the looks of the SOHO2. If I weren't actually USING my Linux box, I'd probably get one myself... Perhaps I'll get one and then put the Linux box back on my LAN. Hmmmmm.... Anyway, thanks for all of the food for thought.

Good luck Matt! Keep the bad guys out and the good data in!
posted by fooljay at 12:29 AM on April 18, 2001


Errrrrr, yeah. ahem...

And then you have <blaring trumpets> LRP...

Carry on. Nothing to see here...
posted by fooljay at 12:30 AM on April 18, 2001


Setting up openBSD as a firewall is stone-cold simple, too. ipf can take a little bit of reading to figure out, but if you understand tcp/ip even a little bit it all begins to make sense fast.

Actually, if you've ever configured a router/firewall/gateway you'll get ipf almost instantly.

That said, brant's arguments for a dedicated hardware solution make a whole lot of sense. In terms of convenience and time spent, it's probably a whole lot better to drop a couple of hundred on a blackbox.
posted by cCranium at 7:17 AM on April 18, 2001
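As an added example (not code from the thread or any poster), here is the policy Matt asked for, ports 80 and 21 open and everything else blocked and unpingable, written as an ipf ruleset for the OpenBSD box lagado and cCranium recommend. The interface names (fxp0 outside, xl0 inside), the server address 192.0.2.10 and the admin address 198.51.100.5 are constructed placeholders.

```conf
# /etc/ipf.rules (hypothetical): default deny, holes for HTTP and FTP only.
# fxp0 = external interface, xl0 = interface facing the server; the
# server (192.0.2.10) and admin host (198.51.100.5) are constructed placeholders.

# Loopback and the trusted inside interface are left alone.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on xl0 all
pass out quick on xl0 all

# Drop (and log) fragments too short to carry a full header.
block in log quick on fxp0 all with short

# Default deny on the outside interface; the "quick" rules below override it.
block in on fxp0 all
block out on fxp0 all

# Connections initiated from inside: the state entry admits the replies,
# so no inbound "reply" rules are needed.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Public services: HTTP and the FTP control channel.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 21 flags S keep state

# Passive FTP opens a second inbound connection on a high port; the FTP
# daemon must be pinned to this range (assumed 49152-65535) or transfers hang.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port > 49151 flags S keep state

# Admin access (SSH, as lagado suggests) from one trusted address only.
pass in quick on fxp0 proto tcp from 198.51.100.5 to 192.0.2.10 port = 22 flags S keep state

# "Unpingable": drop echo requests silently. Log everything else that falls
# through to the default block so port scans show up in ipmon's output.
block in quick on fxp0 proto icmp from any to any icmp-type echo
block in log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and run `ipmon` to watch the logged drops; if FTP is replaced by SSH/SCP as lagado suggests, the port 21 and high-port rules can simply be deleted.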


I've got a Linksys and I can attest to the fact that firmware version 1.37 is at least 100 times more reliable than previous versions.
posted by bradlauster at 3:22 PM on April 18, 2001


Perhaps a compromise is in order. You could put a cool little box like this together. Voila! A low power low heat mini unix firewall box.
posted by roboto at 3:36 PM on April 18, 2001


Yes, but then we'd have to reduce the default font size on the site to fit through the little box...
posted by fooljay at 4:26 PM on April 18, 2001


This whole discussion sounds like the adults in Peanuts: Wah wah wah wah, wah wah wah wah!

Just so I do have something to contribute, email me if you need a cheap router. I have an extra.
posted by norm at 9:04 AM on April 19, 2001

