help me design a dedicated linux firewall

AlpineCarver
Posts: 109
Joined: Tue Sep 07, 2004 12:21 pm
Location: USA

Post by AlpineCarver » Sun Jul 11, 2010 7:44 am

i'm in need of advice. i have a bit of experience spec'ing and building quiet desktops and servers, running windows and linux. now, i'd like to build a small dedicated firewall, but i'm completely ignorant of available options and best practices for small form-factor machines.

i've done a modest amount of web research, and i'm gravitating toward a micro-itx design, although i'm open to other suggestions. here's what i'm looking for:

(1) 2 ethernet ports
(2) small, and (preferable but not mandatory) wall mountable
(3) sufficient resources to run a variety of free operating systems, firewalls, and content filter software. i haven't made final choices about software, and i want to be able to experiment with os'es and applications.
(4) well-supported by popular free operating systems, without requiring heroic efforts to get them installed
(5) built with high-quality components, so there's a reasonable expectation of longevity
(6) reasonably low-power, inexpensive, and quiet (but these are not the highest priorities)

one possible plan:
motherboard: Intel D945GSEJT
case: M350 with PCI card I/O bracket (from mini-box or logicsupply)
PCI ethernet card: ???
memory: ???
hard drive: ???
power supply: ???

an alternative motherboard would be the MSI IM-945GSE, which has dual ethernet ports built in, but looks like it would add quite a bit to the total system price.

there is also the AOpen DE2700, which also appears to be a bit more expensive, and the fit-pc2i, which doesn't seem to be available at the moment.

if you're up to speed in building systems like this, i'd really appreciate your advice about the overall strategy and any specific recommendations you may have for memory, hard drive, power supply, and PCI ethernet card.

thanks!

MikeC
Site Admin
Posts: 12285
Joined: Sun Aug 11, 2002 3:26 pm
Location: Vancouver, BC, Canada

Post by MikeC » Sun Jul 11, 2010 9:31 am

Your choices seem reasonable. The mobo has a built in DC/DC power supply and only needs a 12VDC input from an external power brick, so it's a no brainer. A reliable but cheap low capacity SSD might be ideal for your app. Ask the seller of the mobo/case to help you with the other component choices -- surely they'd know what works well w/this board & case. Logicsupply seems pretty good with customer support.

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Post by washu » Sun Jul 11, 2010 11:06 am

I recently rebuilt my firewall box using a D510MO, PicoPSU and a Morex 2788 case. I seriously considered the D945GSEJT but it's getting hard to find in Canada and I wanted a bit of extra power because I run a web server on the box as well. So far it's been running great other than slightly higher than expected power draw. Still way less than the box it replaced.

For NICs it's not going to matter much unless they are PCIe and you are really pounding on them. Intels are usually the best and will take less CPU, but they cost more. Cheap Realteks are fine as long as they are gigabit versions, even if you are only going to use them at 100. On my D510MO the onboard PCIe Realtek is faster than anything in the PCI slot, even a server grade Intel. The Intel does use less CPU though.

If you are not hard set on Linux, you should seriously consider using FreeBSD or OpenBSD for a dedicated firewall. The PF system built into them is light years ahead of the packet filtering in Linux. If you are good with Linux it won't take you long to get used to them, and their docs are great. If you would rather have something pre-packaged, take a look at PFSense.
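
As an added example (not posted by anyone in this thread), here is a minimal OpenBSD-style pf.conf for the two-NIC box being discussed: default deny, NAT for the LAN, anti-spoofing on both interfaces, logging of blocked inbound traffic on the WAN side so it can be reviewed with tcpdump on pflog0, and management access from the LAN only. The interface names (em0/em1), the LAN range and the SSH port are assumptions; on real hardware check the names with ifconfig. The `match ... nat-to` form is OpenBSD 4.7 and later syntax; FreeBSD's pf uses the older `nat on $ext_if from $lan_net to any -> ($ext_if)` line in its place.

```pf
# Added example, not from the thread: minimal two-interface firewall/NAT box.
# Interface names and the LAN range below are assumptions for this example.
ext_if  = "em0"             # assumed: NIC facing the modem/ISP
int_if  = "em1"             # assumed: NIC facing the LAN
lan_net = "192.168.1.0/24"  # assumed LAN range

# Don't filter loopback; silently drop rather than send RSTs/ICMP for blocks
set skip on lo
set block-policy drop

# Reject packets whose source address could not legitimately arrive on that NIC
antispoof quick for { $ext_if $int_if }

# Hide the LAN behind whatever address the external NIC currently holds
# (the parentheses make pf re-read the address if DHCP changes it)
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; log what gets dropped on the WAN side
block all
block in log on $ext_if

# LAN hosts may reach the firewall and the outside world; replies return via state
pass in on $int_if from $lan_net to any
pass out on $ext_if

# The firewall itself may answer the LAN (DNS/DHCP replies, etc.)
pass out on $int_if from ($int_if) to $lan_net

# Management only from the LAN (assumed: SSH on the standard port); nothing
# listening on the firewall is reachable from the WAN because of block-all
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only), then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table. Leaving the WAN side with no `pass in` rule at all is the point of a dedicated box: the only way to open a port later is to add an explicit rule, which keeps the exposure reviewable.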

Big Pimp Daddy
Posts: 175
Joined: Mon May 30, 2005 11:26 am
Location: Sunny Swansea

Post by Big Pimp Daddy » Sun Jul 11, 2010 1:05 pm

They get a bad rep around here, but I would think an EPIA board would be just what you need, there are a few with dual ethernet. They may not be blazing fast, but as far as I understand it, a firewall is not exactly high-power computing. Depending on how low power you're willing to go, you could maybe even get away with an AMD Geode board, there you start to enter 5 Watt territory. Again, many with dual or triple ethernet.
I cannot speak for the ease of installing BSD/Linux on either of these, but as they are mainly used for embedded systems of the type you describe I would imagine the support would be adequate, just google "motherboard name" + "flavour of linux" and you should get an indication of how nicely they play together.

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Post by washu » Sun Jul 11, 2010 2:09 pm

I've looked into VIA boards as well and I actually own one with a C7-D 1.5 GHz. The problem is that they are too expensive for what you get. Also, other than boards with a Nano, they are much slower than Atoms. In the informal benchmarking I did, the C7 1.5 was about 1/2 to 1/3 the speed of one core of my D510, so 1/4 to 1/6 the speed overall. It also uses 10 watts more at idle with the same PS. I used the C7 for a while as my firewall, but I replaced it with an old P3 because it used the same amount of power and was faster. There are lower power versions of the C7 than the one I have, but they are usually even slower.

The Geode boards are awesomely low power, but depending on how fast a connection you have they may start being too slow to be usable. I borrowed a friend's 400 MHz VIA board and it could barely keep up with my 25 Mb/sec internet. CPU was almost maxed when downloading at full speed. As far as I'm aware Geodes are comparable to or even slower than the VIA chips. Plus there is no option to change the usually crappy NICs on the Geode boards. Given that I could have 50 Mb/sec internet and some places have even more, a Geode may not be able to keep up. If your internet was 10 Mb/sec or less and you had no plans to upgrade anytime soon, then the Geodes would be a good choice. They can usually run BSD just fine.

AlpineCarver
Posts: 109
Joined: Tue Sep 07, 2004 12:21 pm
Location: USA

Post by AlpineCarver » Thu Jul 15, 2010 12:42 am

thanks very much for the advice. i ended up ordering:

[from logicsupply]
Intel D945GSEJT motherboard
- 60W power brick
M350 case
- I/O backplate and PCI riser for M350 with D945GSEJT
- mounting brackets for M350

[from newegg]
Kingston 1GB SO-DIMM DDR2 667 - KVR667D2SO/1GR
WD Scorpio Blue 80 GB 5400 rpm 2.5" SATA - WD800BEVT
Intel gigabit PCI NIC - PWLA8391GT

i'm hopeful that these components will all work together.
total cost was $269, including shipping.

theycallmebruce
Posts: 292
Joined: Sat Jul 14, 2007 10:11 am
Location: Perth, Western Australia

Post by theycallmebruce » Thu Jul 15, 2010 5:58 am

Why bother with a hard disk drive? Boot from USB flash and you could have a system with no moving parts.

Also seems a bit of a shame to buy new hardware for this when you could probably use a secondhand x86 mobo and CPU and underclock + undervolt for fanless operation.

AlpineCarver
Posts: 109
Joined: Tue Sep 07, 2004 12:21 pm
Location: USA

Post by AlpineCarver » Thu Jul 15, 2010 11:01 pm

theycallmebruce wrote: Why bother with a hard disk drive? Boot from USB flash and you could have a system with no moving parts.

since i want to experiment with software, i was concerned that i might end up with something that writes to the disk periodically and thus wears out something like a USB drive. this may very well be an unfounded fear, but the sata drive was only $30, so it's not a large expense.

theycallmebruce wrote: Also seems a bit of a shame to buy new hardware for this when you could probably use a secondhand x86 mobo and CPU and underclock + undervolt for fanless operation.

the only stuff i had lying around was neither small nor low-power, and was pretty old, so i'd be concerned about its longevity. i hope to be able to live on this new box for a long time.

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Post by washu » Sat Jul 17, 2010 6:41 pm

theycallmebruce wrote: Also seems a bit of a shame to buy new hardware for this when you could probably use a secondhand x86 mobo and CPU and underclock + undervolt for fanless operation.

I've been building home use routers since a P1 was a good machine. If I am remembering correctly, I've used about 15 or so of various configurations over the years, plus many others I've built for friends. Using an old PC works great as a router, but it is not so simple if you care about power consumption.

P1 or less: Too slow for modern connections and suck a lot of power because no one cared about efficiency in the AT days.

P2 or old P3: Too much power use. Some K6-2s weren't too bad, but you would need a new PS.

"New" P3 (coppermine): Probably your best bet, but you are still going to need a new PS to get good power usage.

P4 / old Athlon: You do care about your power bill, right?

Anything newer except an Atom/VIA/Geode: Unless you really don't need it for something better, a relatively modern PC is going to be hugely overkill and not guaranteed to be low power. I have a couple of Core 2s that undervolt well and idle low, but I can put them to way better use than a router. They also cost more than an Atom anyway.

Old laptops: Not bad if you can get decent NICs. You need to find something with a non-crappy onboard NIC plus find a non-crappy CardBus card. I'm sure they exist, but I've never seen a CardBus card that had a good chipset AND didn't use a stupid dongle which would break and disconnect from the card.

I was actually using a P3-M 1.2 laptop as a router for a while. Great power usage (14 W idle), faster than an Atom in some tasks, but the NIC problem did it in. Not only did the crappy CardBus card use an immense amount of CPU time due to the crappy chipset, the dongle would disconnect from the card if you just breathed on it. I bought a new one without a dongle and the chipset was even crappier in that it did not work reliably. A check of the reliable online vendors didn't show any cards with good chipsets. A laptop with an ExpressCard slot has the same problem as new PCs: too good and expensive to use as a router.

So the only old PC that really does well for a router when you care about power consumption is a later P3. Even then it's not guaranteed, and you will probably need to replace the PS with an efficient model anyway. If you are picking up something second hand, unless you know for sure that it is low power it can be a huge gamble. One also has to consider how reliable such an old PC would be. With that in mind a cheap Atom doesn't look too bad.

As to boot from USB? Besides the problem of USB boot conflicting heavily with an efficient old PC (how many P3s could boot from USB?), it only works well for a dedicated router. If you want to do anything else with it, it can become limiting rather fast.