Using an old PC as a firewall.

Nebben

I currently have two PCs sharing my cable connection. My main PC has direct access to the Internet, and is running Kerio firewall, and the other PC connects through the main one.

I plan on buying an actual router for this purpose at some point, but as a temporary measure could I connect an old PC to the cable connection, and then connect my two 'real' PCs to the old PC (using 3 NICs total in the old PC) and run Kerio on the old PC?

That way the overhead of running the firewall is no longer on my main system. It's not too much overhead, but I'd like to be running as fast as possible.

Would the old system be sufficient for good performance or would it slow things down? The old system is a Pentium Pro 233, has something like 160MB of RAM and is running Win98.

Is this a feasible idea, or is it just plain stupid / not worth the trouble?

I've had bouts with spyware and trojans in recent times and I *REALLY* want to ensure security now that both my systems are newly formatted and set up.
 

JackMDS

If all the PCs are running Windows XP (or 2000, or 98) each one needs its own protection.

If the Computer that acts like a server is running real server software (like Windows 2003) and a Server Firewall (like ISA 2003) then you do not need an additional Firewall.

:sun:
 

montag451

If you are running a secure firewall, I wouldn't worry too much about running firewalls on individual systems. What would be the point?

 

bluestrobe

I would think setting up server software and firewalls on all systems would be overkill. Is this box with Win98 the second edition version or just the standard version? If you can find a copy of Win2K Pro, it would make things easier to set up a firewall box and would run great on your current system. Everyone has different opinions on firewalls, but you will need one that can see separate NIC cards. I used Zone Alarm Basic for about 2 years and passed several security scans and tests without worrying. I ran a 233MHz P2 with 68MB of EDO RAM as my firewall box for +4 years before it gave out. Now I use a router, which I feel is more secure in some areas compared to a software firewall.
 

skyking

Spyware and trojans are dynamic little buggers that YOU ask for when you request content from a site.
A hardware firewall will do bupkus to protect you.
A software firewall will only protect you if it is up-to-date on the nasties, and even then they will get through whenever a new type of nasty is released. It is big business, those nasties.
Many people will suggest using an alternative browser. Statistically, they are correct. Internet Explorer is by far the favorite target of exploits.
Whatever you choose will be totally ineffective if you do not employ safe browser settings, and continue to frequent the seedier segments of the internet. You keep going down filthy back alleys, you are gonna get sh!t on your patent leather boots. I don't care how much armor-all you put on 'em.
A properly functioning NAT firewall protects you only really from random outside intrusions from worms and hacker kiddies. They are invaluable for defending against things like the blaster worm, but are not a cure-all for internet security.
 

JackMDS

Originally posted by: montag451
If you are running a secure firewall, I wouldn't worry too much about running firewalls on individual systems. What would be the point?
Read this and you might guess what is the point.

Link to: Basic Protection for Broadband Internet Installation.

Link to: Internet infestation -Or, how you are getting Internet "Junk" in and compromise your Computer/Network?


Link to: Assemble a Freeware Security Suite to protect you computer from the Internet.

:sun:
 

Kwatt

This is what I have been using for a while now. FREESCO

Easy to set up, needs min. hardware (I'm using a Cyrix 200 with 64MB RAM), runs from a floppy and can be installed on a hard drive.

You can try it out without disturbing your current Win98 install. I do not know about using 3 NICs though, never needed to. You can post questions at the FREESCO support forums; questions are usually answered quickly. I have a switch connected to 1 NIC in the FREESCO box. If you don't have a switch or hub you might as well go ahead and get a router.:)

And there are a lot of packages that can be installed.;)


Kwatt




 

freebsdrules

Look into m0n0wall, it's a great solution for a nat/firewall box and can be run on virtually any old hardware (as well as CF cards).
 

b4u

Originally posted by: freebsdrules
Look into m0n0wall, it's a great solution for a nat/firewall box and can be run on virtually any old hardware (as well as CF cards).



For a quick and clean solution, I would also give m0n0wall a try ... all you have to give it is a Pentium with 64Mb (should be more than enough), a bootable CD-ROM and a floppy drive with a formatted floppy disk inside ... you can even disconnect your HD from the PC, if you don't want to mess with the data you currently have on it. Oh, and 2 Ethernet NICs, one for WAN and another for LAN.

Then you download m0n0wall, the cdrom version of the software (about 8Mb), burn it onto an almost free CDR, put it into the CD-ROM, with the floppy in the drive, boot, and about 10 minutes later you can have a great free router available.

I've tried it, and it works really great! Best of all, it runs straight from the CD drive, saves config into a nice xml file on the floppy, and you don't mess with your HD data ... you can even turn the HD off just to make sure ...
 

osage

I would agree that m0n0wall works very well and has very low hardware demands. Another one that is in the same low resource category would be BBIagent; I have used it for several years in several versions. Runs on a single floppy, 386 or better CPU, and 64MB of RAM is plenty.
If you go to the Router Design Project on the right side of the page they have a long list of mostly small footprint routers...try a few and see what you like.
 

JackMDS

When running a computer as a firewall you should:

Check the amount of energy that is taken to run the computer.

Multiply it by 24 (hours) x 31 (days) x computer Wattage usage x price of 1 KWh of electricity in your area.

Example. 100W computer running 24/7 for a month takes 100W x 24h x 31days = 74,400 Watt hours, or 74.4 KWh.

My utility charges .19 per KWh. In other words, running the firewall costs $15 a month.:shocked:

Is it worth it? Even if your parents are paying for it. It is your inheritance.:p

:sun:
 

user1234

guess this thing doesn't know you can use USB to connect a PC to the cable/dsl modem, then you connect this firewall/proxy server computer to an ethernet switch which all the rest of your PCs connect to. You can use linux distros which specialize as firewalls (e.g. smoothwall.org) on the dedicated firewall machine and do all the administration remotely.
 

networkman

Coyote Linux

We use the Windows Disk Creation Wizard at work to make some free routers out of some spare p166 PCs we had in storage. Firewall is possible as well. :)
 

Nebben

Originally posted by: JackMDS
When running a computer as a firewall you should:

Check the amount of energy that is taken to run the computer.

Multiply it by 24 (hours) x 31 (days) x computer Wattage usage x price of 1 KWh of electricity in your area.

Example. 100W computer running 24/7 for a month takes 100W x 24h x 31days = 74,400 Watt hours, or 74.4 KWh.

My utility charges .19 per KWh. In other words, running the firewall costs $15 a month.:shocked:

Is it worth it? Even if your parents are paying for it. It is your inheritance.:p

:sun:

But if I'm running a Pentium box with no monitor, hard drive, mouse, or keyboard and all that's drawing power is the NICs and mb/cpu itself, that would be significantly reduced. I think a very large chunk of your normal PC power usage comes from the monitor and drives and video cards, no?

 

Nebben

Thanks for all the replies, guys. I'm considering Smoothwall and M0n0wall, not sure which to try first. I'm also trying to think of something to build my firewall PC in, because I don't really want this giant full-tower case that my computer came in (picked up a few of these, Pentium Pro 200's from a local government surplus place, $5 each including the full system / linksys NIC. Not bad!)

I have a dead DVD player but the power supply won't fit inside it :(
 

freebsdrules

I would have to agree with you here. The operating cost is probably much closer to a 'boxed' router than you would initially think (i.e. not that much). What you go with depends on whether or not the added flexibility/features are needed/worth it for you. An older computer running any variant of linux or the BSDs will provide limitless options.

One thing to note: I don't believe smoothwall has support for SCSI drives. This was the initial reason I didn't even consider it, as the machine I ran then as my router/firewall ran off of a SCSI disk. m0n0wall is pretty cool because it is so small (I believe less than 8mb) and can easily be run off of CF cards, making the need for space even less.
 

user1234

I agree it's not gonna take 100W to operate the firewall machine, especially when it's idle it's gonna be much less, but still it would probably draw more power than a small dedicated router/switch which doesn't have a hard drive and fans. It would be more flexible and powerful than an off-the-shelf router, but not as simple to set up.
 

Nebben

I've been playing around with my box and removed all hard drives and have only the CDROM/Floppy/MB. And Processor and Ram, of course. It probably would be easier to just go out and buy a Linksys router, but I think I may end up sticking with this if it works well. I might mount the motherboard inside a cabinet area in my desk, there's an open area in the back for the ventilation :)

Mostly because the case it's in is a full tower, and it's ridiculous to be running a PC in a case this big when there's not even anything in it.
 

osage

Yesterday I took an old Packard-Bell 486 system and converted it to a router. Stripped the case, removed the old mobo standoffs, and drilled some holes to take the new standoffs. Installed an old socket 7 mobo with 96mb and a P200, cd rom, 3gb hdd. All that remains of the old Packard-Bell is the psu, case and floppy drive. I wanted to get a newer mobo in there to eliminate the need to use ISA nics; they can be problematic to configure under some OS's.
Makes for a pretty small footprint, not as small as my Belkin or Dlink routers, but small.

Check your local thrift/Goodwill stores, I have bought a number of these old units for less than $10, just for making routers.
 

OmegaXero

If you're looking for a good learning experience then running your own firewall would certainly help. I do feel that these are a better solution than a hardware router for several reasons. One, almost all of these firewalls have more options than a standard router (although you can now flash the firmware in some hardware routers to get extra features/capabilities). Two, they let you use existing hardware for a firewall, so you aren't out the extra cash that you would spend on a hardware router. Three, they're kind of fun, you'll see what I mean once you get one set up. ;)

I've tried a lot of linux and bsd based firewalls in the past 3 years. I started out using just floppy based firewalls (Frazierwall, FreeSCO, Coyote, FloppyFW). I loved the floppy based firewalls because they were super easy to set up and extremely stable, I never had one die on me. Since they only need a floppy you can unplug virtually everything else in the computer to conserve power and they will literally run on anything. For complete ease of use and configuration I would have to say Coyote takes the cake, it is hands down the easiest linux firewall I have ever set up. Download the windows disk maker utility and you'll be hard pressed to not have a working firewall in 15 minutes or less, and it all fits on a floppy!

I've also used IPcop, Smoothwall Express 2.0, and m0n0wall. Feature wise I think I like IPcop the best, it's based off of smoothwall but it has a few extra features that set it apart. The nice thing about running a firewall like IPcop is the added logging capabilities (I run it on a HDD) and the extra connectivity/security features that come built in (dynDNS, VPN capabilities, etc. etc.). Generally it's easier to add additional capabilities to firewalls like Smoothwall and IPcop due to the extra disk storage and the abundance of available packages already compiled for that particular firewall (smoothwall has a huge following). m0n0wall probably has the biggest list of integrated and preset security features, it does a good job of filtering internal traffic if you want to have that option available. However, I didn't like it as much because it is more difficult to set up on a hard disk, by default you can boot it off a CDROM and store the configuration for the firewall on a floppy.
 

Nebben

Well, it seems that my old Pentium Pro box has reached its time. It seems to be dead. I have been rebuilding it from the ground up to no avail, so either the motherboard or processor is probably done for.

I'll be going to the government surplus place tomorrow. I can get another similar Pentium system for probably $5-10, or I could get a Pentium 2 system for $20. Would it be worth the extra money, or is the performance basically the same?

I may be adding up to 16 PCs at LAN events, and while the Internet connection would only be used for getting patches and such, would it be helpful to have a P2-450 instead of a P-200 for things like this? The P2 also has something like 128MB of RAM too.


One more question regarding the different firewall software: Do any of those mentioned (IPCop, Monowall, Smoothwall) support a feature I'm not sure of the name for: the ability to place specific download/upload caps on specific PCs that are connected to the network? I'd like to allow my users on my second PC to browse freely without making my connection jumpy while playing games online. A hard download/upload cap would do that pretty well.
 

osage

"One more question regarding the different firewall software: Do any of those mentioned (IPCop, Monowall, Smoothwall) support a feature I'm not sure of the name for: the ability to place specific download/upload caps on specific PCs that are connected to the network?"

Yes, I think M0n0wall and Coyote will let you do that.