[CentOS] Theoretical Firewall Specs?

Wed Jan 18 01:24:11 UTC 2012
Ryan Wagoner <rswagoner at gmail.com>

On Tue, Jan 17, 2012 at 6:52 PM, John R Pierce <pierce at hogranch.com> wrote:

> A pure firewall at gigE speeds really doesn't need that much RAM and
> only a fair-to-middling processor.  More than 2 cores would likely be
> wasted.   It's when you start layering other server functionality on top
> of the firewall system that you need more hardware.
>
> I'd expect with a firewall-centric OS distribution like pfSense, a dual
> core 2-3 GHz i3 could easily keep up with gigE and quite complex rule
> sets, several network zones.  No storage requirements at all, unless you
> plan on keeping your logging local on the firewall.   To maintain gigE
> throughput you'll want to use server grade NICs and not cheap desktop
> ones.  If you're using a lot of VPN encryption, more and/or faster CPU
> cores would be useful.  A few 100 MB of RAM is plenty for 100s of 1000s
> of concurrent connections, so unless you're doing other RAM intensive
> stuff like Snort or NetTop, 1 GB RAM would be plenty.
>

pfSense and Vyatta are both excellent platforms to build a firewall on.
Vyatta has a command line interface and IPv6 support. pfSense has a web
interface with good RRD graphs. Give them both a try and see what works
best. There is always the Cisco ASA 5510 if you can deal with the price
tag. I've hit a bug once or twice in Vyatta where a config change didn't
work until I rebooted. I haven't had that happen with Cisco.

I have been using Vyatta with a Supermicro Atom D525 motherboard, dual port
Intel gigabit NIC, 2 GB of memory, and 4 GB Transcend SSD. If you go with the
Supermicro front I/O case, the bottom holes of a 40 mm fan will line up with
the vent in the back of the case. I know these are rated to run without a
fan, but even a low airflow fan will drop the CPU 20-30 F. You can build one
of these for around $550 and the power usage comes in at 21 watts.

If you need encryption, the Core i5 and higher have the AES instruction set.
The list of supporting software is on the wiki below. OpenSSL is on the
list with patches; not sure if an official build with these has been
released.

http://en.wikipedia.org/wiki/AES_instruction_set

Ryan
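Added example, not part of Ryan's post or of any project mentioned in it: a small POSIX shell script for checking the AES-NI question on a candidate firewall box. It looks for the "aes" CPU flag the way /proc/cpuinfo reports it, and optionally times OpenSSL's aes-128-cbc once with AES-NI available and once with the capability masked off through the OPENSSL_ia32cap environment variable, which is OpenSSL's documented way to hide CPU features from its dispatcher. The function names and the two cpuinfo samples are constructed for illustration; the mask value ~0x200000200000000 clears the AES-NI and PCLMULQDQ bits. One caveat a practitioner trips over: "openssl speed aes-128-cbc" without -evp benchmarks the low-level AES_* routines, which never use AES-NI, so only the -evp form tells you whether the build is actually using the instructions.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a box advertises
# AES-NI and, optionally, whether the installed OpenSSL actually uses it.
# The function names and the two cpuinfo samples below are constructed.

# has_aesni: read /proc/cpuinfo text on stdin; succeed (exit 0) if a "flags"
# line lists "aes" as a whole word. The -w keeps "vaes" from counting.
has_aesni() {
    grep -E '^flags[[:space:]]*:' | grep -qw 'aes'
}

# aes_kbytes_per_sec CIPHER [MASK]: throughput in kB/s for the largest block
# size that "openssl speed -evp" reports. The -evp flag matters: without it
# openssl speed benchmarks the low-level AES_* calls, which never use AES-NI.
# MASK is passed as OPENSSL_ia32cap; "~0x200000200000000" clears the AES-NI
# (bit 57) and PCLMULQDQ (bit 33) capability bits so the software path runs.
# OPENSSL_ia32cap is only exported when a mask is given: an empty value would
# be parsed as 0 and disable every feature.
aes_kbytes_per_sec() {
    cipher=${1:-aes-128-cbc}
    mask=${2:-}
    if [ -n "$mask" ]; then
        OPENSSL_ia32cap="$mask" openssl speed -evp "$cipher" 2>/dev/null
    else
        openssl speed -evp "$cipher" 2>/dev/null
    fi | awk -v c="$cipher" '$1 == c { sub(/k$/, "", $NF); print $NF }'
}

# Constructed samples in /proc/cpuinfo format (not real dumps).
SAMPLE_CPUINFO_AESNI='processor   : 0
model name  : Intel(R) Core(TM) i5 CPU (constructed sample)
flags       : fpu vme sse2 ssse3 pclmulqdq sse4_1 sse4_2 aes avx lahf_lm'

SAMPLE_CPUINFO_ATOM='processor   : 0
model name  : Intel(R) Atom(TM) CPU D525 (constructed sample)
flags       : fpu vme sse2 ssse3 lahf_lm'

# Stand-alone run: report the samples, then the live CPU; pass --bench to
# also time aes-128-cbc with and without AES-NI (takes a minute or so).
for name in AESNI ATOM; do
    eval "sample=\$SAMPLE_CPUINFO_$name"
    if printf '%s\n' "$sample" | has_aesni; then
        echo "sample $name: AES-NI present"
    else
        echo "sample $name: AES-NI absent"
    fi
done
if [ -r /proc/cpuinfo ] && has_aesni < /proc/cpuinfo; then
    echo "this host: AES-NI present"
else
    echo "this host: AES-NI absent or /proc/cpuinfo unavailable"
fi
if [ "${1:-}" = "--bench" ] && command -v openssl >/dev/null 2>&1; then
    echo "aes-128-cbc, AES-NI enabled : $(aes_kbytes_per_sec aes-128-cbc) kB/s"
    echo "aes-128-cbc, AES-NI masked  : $(aes_kbytes_per_sec aes-128-cbc '~0x200000200000000') kB/s"
fi
```

Run it with no arguments for the flag check alone, or with --bench on the candidate hardware to see the two throughput figures side by side; if they come out about the same, either the CPU lacks AES-NI or the OpenSSL build is not using it, which was exactly the open question about patched builds at the time.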