On Tue, Jan 17, 2012 at 6:52 PM, John R Pierce pierce@hogranch.com wrote:
A pure firewall at gigE speeds really doesn't need that much RAM and only a fair-to-middling processor. More than 2 cores would likely be wasted. It's when you start layering other server functionality on top of the firewall system that you need more hardware.
I'd expect with a firewall-centric OS distribution like pfSense, a dual core 2-3GHz i3 could easily keep up with gigE and quite complex rule sets, several network zones. No storage requirements at all, unless you plan on keeping your logging local on the firewall. To maintain gigE throughput you'll want to use server grade NICs and not cheap desktop ones. If you're using a lot of VPN encryption, more and/or faster CPU cores would be useful. A few 100MB of RAM is plenty for 100s of 1000s of concurrent connections, so unless you're doing other RAM intensive stuff like Snort or NetTop, 1GB RAM would be plenty.
pfSense and Vyatta are both excellent platforms to build a firewall on. Vyatta has a command line interface and IPv6 support. pfSense has a web interface with good RRD graphs. Give them both a try and see what works best. There is always the Cisco ASA 5510 if you can deal with the price tag. I've hit a bug once or twice in Vyatta where a config change didn't work until I rebooted. I haven't had that happen with Cisco.
I have been using Vyatta with a Supermicro Atom D525 motherboard, dual port Intel gigabit NIC, 2GB of memory, and 4GB Transcend SSD. If you go with the Supermicro front I/O case, the bottom holes of a 40mm fan will line up with the vent in the back of the case. I know these are rated to run without a fan, but even a low airflow fan will drop the CPU 20-30F. You can build one of these for around $550 and the power usage comes in at 21 watts.
If you need encryption, the Core i5 and higher have the AES instruction set. The list of supporting software is on the wiki below. OpenSSL is on the list with patches, not sure if an official build with these has been released.
http://en.wikipedia.org/wiki/AES_instruction_set
Ryan