[CentOS] Do I need a dedicated firewall?

Thu Dec 12 16:22:35 UTC 2013
Warren Young <warren at etr-usa.com>

On 12/11/2013 22:00, Jason T. Slack-Moehrle wrote:
>
> I have a CentOS 6.5 Server (a few TB, 32gb RAM) running some simple web
> stuff and Zimbra. I have 5 static IPs from Comcast. I am considering
> giving this server a public IP and plugging it directly into my cable
> modem. This box can handle everything with room for me to do more.
>
> Doing this would allow me to power down my pfSense box and additional
> servers by consolidating onto this single box.
>
> I have the firewall on on the server and only allowing the few ports I need.
>
> I don't run ssh on 22
>
> What do you guys think?

Have you considered moving all the public web services to a VPS, so you 
can use the simple firewall in your cable modem/router?  You'll get much 
better bandwidth, and all the hardware problems are someone else's.  If 
the machine gets broken into, it isn't a stepping stone into your 
private LAN.

I suspect the Zimbra instance isn't public, which is good, because with 
its minimum RAM requirement of 2 GB, it probably isn't worth hosting 
publicly on your own.

(Insert "when I was a boy" rant about 48 kB being enough here.)

If you really do have to do public facing web services from your private 
LAN for whatever reason, though:

I'd keep the separate firewall, but put it on more efficient hardware. 
You should be able to do this in about 5 W.  At 11 cents per kWh, that's 
about $5 per year if it runs continually.  I suspect it could actually 
be done in more like 2 W.

(For comparison's sake, a Mac Mini idles at about 10 W, and a Raspberry 
Pi *peaks* at 3.5 W.)

If you had to build the firewall yourself for whatever reason, there are 
small BSD/Linux-ready embeddable PCs you could use for this.  They tend 
to be targeted at industrial applications and have low sales volumes, so 
expect to pay $200+ for them.

If you're willing to go bare-bones, a Raspberry Pi, Arduino Galileo, or 
BeagleBone Black plus a USB-to-Ethernet adapter would do the job for 
under $100.

If you can give up a bit of control, you can buy DD-WRT based routers 
off the shelf from the likes of Buffalo and Asus these days.  The 
Buffalo unit I looked at claims to need 13 W peak, but at idle with the 
wireless turned off so it's a wired-only router, I'd be surprised if it 
didn't drop below 5 W.
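An added example, not code from either poster: a small Python audit of an `iptables-save` dump that checks the claim above that the host firewall only admits the few ports that are needed, as one would on a CentOS 6 box that faces the Internet directly. The dump, the allowlist, and SSH sitting on port 2222 are all constructed assumptions.

```python
import re

# Constructed sample of `iptables-save` output in the style of a CentOS 6
# host; it is not captured from the poster's machine.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 7071 -j ACCEPT
COMMIT
"""

def audit_input_chain(dump, allowed_ports):
    """Check the filter table's INPUT chain of an iptables-save dump.

    Returns (policy, exposed, findings): the chain's default policy, the
    sorted (proto, port) pairs accepted from any source, and warnings for
    a non-DROP policy or for exposed ports missing from allowed_ports.
    """
    policy, exposed, findings = None, set(), []
    for line in dump.splitlines():
        m = re.match(r":INPUT (\S+)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if re.search(r"\s-s \S+", line):
            continue  # source-restricted rule: not reachable from the Internet
        proto = re.search(r"\s-p (\w+)", line)
        port = re.search(r"--dport (\d+)", line)
        if proto and port:
            exposed.add((proto.group(1), int(port.group(1))))
    if policy != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % policy)
    for proto, port in sorted(exposed):
        if port not in allowed_ports:
            findings.append("%s/%d is open to any source but not on the allowlist" % (proto, port))
    return policy, sorted(exposed), findings

if __name__ == "__main__":
    # Assumed allowlist: HTTP, HTTPS, and SSH moved off port 22 to 2222.
    print(audit_input_chain(SAMPLE_RULES, {80, 443, 2222}))
```

On a real host, feed it `iptables-save` output and keep the allowlist to the services you actually mean to publish; any extra entry in the findings is a port that reaches the box without the separate firewall in front of it.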