8/7 What kind of a box would I need in order to run FreeBSD with
firewall, NAT, DNS, and apache web server (http and https)? I don't
anticipate a lot of web traffic because we're a small company. Thanks.
\_ Any reasonable box with two ethernet interfaces.
\_ The trick with FreeBSD is since the packages are in general not
quite up-to-snuff yet, you're going to be building world/ports
to do upgrades, so get a box that can build world fast enough
not to frustrate you. If your co. can afford it, just buy a new
machine for $600, else, you can easily get by with a P166. (We
did) --dbushong
\_ If you aren't fixated on FreeBSD, I'd recommend getting an old
SS10 or SS20 and running OpenBSD (cost ~ $300). The install is
fast, the OS is secure and /usr/ports works. Apache, BIND and
Squid (web cache, if your outbound link is slow it *really*
helps) are all chrooted by default under OpenBSD.
\_ Wow! Can this be true!?
\_ I've never had a problem with
ports on OpenBSD.
The reason I recommend Sun hardware as opposed to x86 is that
most '1337 h4x0r5 have only x86 exploits and will be confused
if they ever manage to break into your box.
If you don't want to spring for Sun hardware, any midrange
Pentium (166-200) will work or a low end PII. If you go with
x86 get decent nics such as an Intel EtherExpress Pro.
Regardless of which box you end up getting, make sure that
you have an identically configured system in reserve (ideally
not connected to the network and powered off) which you can
deploy immediately in case of a break in or failure of your
primary box. ----ranga
\_ I have an SS20 as my firewall at home, running OpenBSD. It is
nice, but they are LOUD LOUD LOUD. Also, don't forget that
even if you manage to pick up two of those cool SuperSparc II
CPUs lying around work, OpenBSD on Sun does not do SMP at all.
also, they're not real quick to boot. -John
\_ I'm currently running a SS20 with OpenBSD and it's not
that loud. I'm not running SMP because I don't need that
for a firewall. I'm guessing the original poster doesn't
need it either. I'd have to disagree about the booting bit.
My box boots in under 15 secs.
If you are concerned with the sound, I'd suggest getting
a SS10 with 5400 RPM drives. It's much quieter than the
SS20. ----ranga
\_ and hopefully whatever exploit was used on the first box won't
work (for whatever reason) on the second.
\_ Having a second box allows you to figure out what the
exploit was and patch/reinstall the first box without
incurring the expense of total connectivity loss.
It's not an ideal solution, but it is a reasonably
practical one in terms of cost and connectivity.
\_ Um "most hax0rs only have x86 exploits" is blatantly false.
\_ How many script kiddies can hack into a MIPS Ultrix box?
\_ From looking at attacks against Sparc, MIPS and x86
systems, my experience has been that most h4x0r5 don't
have or don't know how to get non-x86 binaries for the
exploits. I know that a determined opponent could break
in, but for the above poster interested in providing
max protection for min cost for a small company, a non
x86 architecture does that nicely.
\_ how about a used PowerMac running NetBSD?
\_ OpenBSD runs fine on PowerMacs. No reason to
choose Net over Open for a firewall.
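Added example, not something anyone in the thread posted: ranga's advice to keep an identically configured spare, and the follow-up about using the second box to recover while you figure out the exploit, only pay off if the spare really is identical the day you swap it in. The script below fingerprints a config tree on the primary and diffs it against the same tree on the spare, reporting files that changed, went missing, or appeared. It assumes POSIX sh with find, sort, join, awk, mktemp and GNU sha256sum (on OpenBSD or FreeBSD substitute `sha256 -q`), and paths without spaces; the directory trees it builds and the file names and contents in them are constructed sample data standing in for /etc.

```shell
#!/bin/sh
# Added example, not from the thread above: a drift check for the reserve box.
# Fingerprint the config tree on the primary, carry the manifest over to the
# spare (it is supposed to be off the network, so scp won't do; floppy or
# sneakernet), and compare. "Identically configured" is only true while the
# two manifests still match.
#
# Assumptions: POSIX sh with find, sort, join, awk, mktemp and GNU sha256sum
# (on OpenBSD/FreeBSD use `sha256 -q` instead). Paths must not contain
# spaces. The trees built by make_primary/make_spare are constructed sample
# data standing in for /etc; the file names and contents are made up.

manifest() {
    # Print "<path> <sha256>" for every regular file under $1, one per line,
    # sorted by path so two manifests can be joined line by line.
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
      done )
}

check_spare() {
    # $1 = config root on the primary, $2 = the same root on the spare.
    # Returns 0 when every file matches; otherwise prints each difference
    # (changed content, missing on the spare, extra on the spare) and returns 1.
    a=$(mktemp) ; b=$(mktemp)
    manifest "$1" >"$a"
    manifest "$2" >"$b"
    drift=$(
        LC_ALL=C join "$a" "$b"      | awk '$2 != $3 { print "changed on spare:  " $1 }'
        LC_ALL=C join -v 1 "$a" "$b" | awk '{ print "missing on spare:  " $1 }'
        LC_ALL=C join -v 2 "$a" "$b" | awk '{ print "extra on spare:    " $1 }'
    )
    rm -f "$a" "$b"
    if [ -z "$drift" ]; then
        return 0
    fi
    printf '%s\n' "$drift"
    return 1
}

make_primary() {
    # Constructed sample of the primary's /etc: rc.conf enabling the services
    # the thread talks about, sshd config, and the resolver pointing at the
    # local BIND.
    mkdir -p "$1/ssh"
    printf 'sshd_flags=""\nhttpd_flags=""\nnamed_flags=""\n' >"$1/rc.conf"
    printf 'PermitRootLogin no\n' >"$1/ssh/sshd_config"
    printf 'nameserver 127.0.0.1\n' >"$1/resolv.conf"
}

make_spare() {
    # Constructed sample of the spare, built from an older copy: rc.conf was
    # edited on the primary after the copy, resolv.conf was never copied,
    # and somebody left a scratch file behind.
    mkdir -p "$1/ssh"
    printf 'sshd_flags=""\nhttpd_flags=""\n' >"$1/rc.conf"
    printf 'PermitRootLogin no\n' >"$1/ssh/sshd_config"
    printf 'old banner\n' >"$1/motd.bak"
}

demo() {
    # Build both sample trees, run the check, clean up, keep the verdict.
    p=$(mktemp -d) ; s=$(mktemp -d)
    make_primary "$p"
    make_spare "$s"
    if check_spare "$p" "$s"; then rc=0; else rc=1; fi
    rm -rf "$p" "$s"
    return $rc
}

if demo; then
    echo "spare matches primary"
else
    echo "fix the spare before you need it"
fi
```

On a real pair of boxes you would run `manifest /etc > primary.manifest` on the primary, carry that file to the spare, and run `manifest /etc` there and `join` the two the same way; the demo above does it against the two constructed trees and reports rc.conf changed, resolv.conf missing and motd.bak extra. Hash-only comparison deliberately ignores ownership and mode, which matter for things like ssh host keys; `ls -l` on the reported files is the quick follow-up.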