Low power mini-itx system for firewall

Low power mini-itx system for firewall

on 06.08.2007 04:26:02 by Steve Chapel

Hi all,

I'm looking for a low-cost system to install Linux and firewall software
on. Someone recommended that I use a cheap $200 system, but most cheap
computers are going to be fairly power hungry. I've been told that the
cost for power and cooling for server room equipment is about US one
dollar per year. At that rate, the cost of power for the firewall could
outweigh the cost of the hardware within a few years.

With this in mind, I've been looking for a reliable, fairly cheap ($400
to $500), very low-power (around 20 watt) system with 2 or 3 gigabit
Ethernet ports, 256 MB to 1 GB of DDR II RAM, 40 to 80 GB hard disk, USB
ports, and a PCI slot for expansion. I've found many 1.5 GHz VIA
C7-based systems that fit the bill, for example:




I've also found some ultra-low-power Celeron-based systems that meet my
criteria, but they never have any prices listed. Does anyone have any
price information for Celeron-based systems similar to the above VIA
C7-based systems?

More generally, for those of you who have set up a firewall on similar
hardware, what have been your experiences? Have any of you accidentally
bumped the power button some of these units have unexposed right on the
front panel? What version of Linux would you recommend, a special
embedded Linux, or a full-featured Linux like CentOS? Are there other
processors besides VIA C7 and Celeron I should be considering? Most
importantly, does the 1.5 GHz VIA C7 have enough horsepower to serve as
a firewall between two gigabit Ethernet LANs?

Thanks,
Steve

Re: Low power mini-itx system for firewall

on 07.08.2007 06:25:59 by Mac Cool

Steve Chapel:

> I'm looking for a low-cost system to install Linux and firewall
> software on.

Why not just buy a firewall?

http://www.newegg.com/Product/Product.aspx?Item=N82E16833120312
or
http://www.newegg.com/Product/Product.aspx?Item=N82E16833122148

If you must build, a hard drive is not necessary. You can run a firewall
from a cd-rom or thumb drive. http://www.devil-linux.org/

http://pccicla.blogspot.com/2007/02/fhird-idea-linux-firewall.html

--
Mac Cool

Re: Low power mini-itx system for firewall

on 07.08.2007 11:35:39 by Jim Ford

Mac Cool wrote:
> Steve Chapel:
>
>> I'm looking for a low-cost system to install Linux and firewall
>> software on.
>
> Why not just buy a firewall?
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16833120312
> or
> http://www.newegg.com/Product/Product.aspx?Item=N82E16833122148
>
> If you must build, a hard drive is not necessary. You can run a firewall
> from a cd-rom or thumb drive. http://www.devil-linux.org/
>
> http://pccicla.blogspot.com/2007/02/fhird-idea-linux-firewall.html
>

I'm running 'Bering Leaf' on an old 400 Meg Celeron from a CF card. Even
the Celeron is overkill - a 100 Meg Pentium 1 is adequate. The firewall
is iptables configured by Shorewall.

http://leaf.sourceforge.net/bering-uclibc/

Jim Ford

Re: Low power mini-itx system for firewall

on 07.08.2007 18:43:13 by Steve Chapel

Mac Cool wrote:
> Steve Chapel:
>
>> I'm looking for a low-cost system to install Linux and firewall
>> software on.
>
> Why not just buy a firewall?

That's a valid question. The consulting company I'm working with
recommended using a generic PC with several Ethernet ports as a
firewall. In a recent Slashdot article
many readers
suggested the same thing. Buying fairly generic hardware and installing
software for specific purposes seems to be a growing trend. Similarly,
we are using off-the-shelf servers with clustering software for our
cluster rather than buying customized hardware, and installing Asterisk
on a server instead of buying a hardware PBX. I suppose the question I
would ask back is:

Why would I *want* to buy just a firewall?


> If you must build, a hard drive is not necessary. You can run a firewall
> from a cd-rom or thumb drive. http://www.devil-linux.org/

I suppose I could, but having a hard disk makes the system more flexible
for just a slight increase in cost. I like the idea of running
full-featured CentOS (the open version of Red Hat Enterprise Linux) on
relatively cheap, low-power hardware, and being able to do anything I
want with the system as long as I have enough memory, CPU, and hard disk
space.

I suppose I'll just have to buy a unit for use as our Internet firewall
(which at 1.5 or 3 Mbps I'm sure it can handle) and evaluate for myself
if it can function as a firewall between two gigabit Ethernet networks
without introducing too much latency or reducing bandwidth too much.

Re: Low power mini-itx system for firewall

on 07.08.2007 19:13:19 by Steve Chapel

Jim Ford wrote:
> Mac Cool wrote:
>> Steve Chapel:
>>
>>> I'm looking for a low-cost system to install Linux and firewall
>>> software on.
>>
>> Why not just buy a firewall?
>
> I'm running 'Bering Leaf' on an old 400 Meg Celeron from a CF card. Even
> the Celeron is overkill - a 100 Meg Pentium 1 is adequate. The firewall
> is iptables configured by Shorewall.

That's what many people seem to do. The point of my original post is
that such a setup is not as cost effective as it may seem at first
glance. The cost of power to keep that old computer up and running 24/7
for years can add up to hundreds of dollars. FYI, you can use a Kill A
Watt EZ to measure power consumption and estimate the cost of power per
year.

Re: Low power mini-itx system for firewall

on 08.08.2007 03:25:02 by gary

For low power consumption you might want to have a look at micro ATX
boards that support AMD Geode procs. For a quiet, low power hard drive you
could use an IDE or SATA compact flash adapter. I'd also suggest some low
noise CPU/case fans and power supply. If you didn't need Gb ethernet, I'd
recommend the Soekris net5501 which includes an AMD Geode LX and four
100Mb ethernet ports.

-Gary

Re: Low power mini-itx system for firewall

on 08.08.2007 21:49:15 by ibuprofin

On Tue, 07 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Steve Chapel wrote:

>That's a valid question. The consulting company I'm working with
>recommended using a generic PC with several Ethernet ports as a
>firewall. In a recent Slashdot article
> many readers
>suggested the same thing.

In your original post you stated:

]I've been looking for a reliable, fairly cheap ($400 to $500), very
]low-power (around 20 watt) system with 2 or 3 gigabit Ethernet ports,

A generic box that is going to be able to keep 3 gigabits hoses full
is not going to be the ultra cheap box.

>Similarly, we are using off-the-shelf servers with clustering software
>for our cluster rather than buying customized hardware, and installing
>Asterisk on a server instead of buying a hardware PBX. I suppose the
>question I would ask back is:
>
>Why would I *want* to buy just a firewall?

Apples and oranges

>> If you must build, a hard drive is not necessary. You can run a
>> firewall from a cd-rom or thumb drive. http://www.devil-linux.org/
>
>I suppose I could, but having a hard disk makes the system more flexible
>for just a slight increase in cost. I like the idea of running
>full-featured CentOS (the open version of Red Hat Enterprise Linux) on
>relatively cheap, low-power hardware, and being able to do anything I
>want with the system as long as I have enough memory, CPU, and hard disk
>space.

A firewall runs firewall code. It does not have lusers logging in and
clicking on icons with one hand. So, do you want another desktop, OR
do you want a firewall. The two are not the same, and if you think
they are, then your understanding of a firewall is coming up short.
Anything running on the firewall is a possible point of exploits, and
for that reason, firewalls should have the minimum software installed
to allow them to run the firewall. Anything else is increasing the risks.
Thus, we don't use a generic kernel (never mind a distribution) but have
compiled one for this specific hardware.

On your Linux desktop, figure out where a command line is hiding, and
run the command 'top' and see what is sucking those resources. You'll
likely discover that the top ten processes are all related to your GUI.
Why should you be wasting those CPU cycles on a firewall that is already
going to be busy enough trying to shift packets between gigabit NICs.

>I suppose I'll just have to buy a unit for use as our Internet firewall
>(which at 1.5 or 3 Mbps I'm sure it can handle) and evaluate for myself
>if it can function as a firewall between two gigabit Ethernet networks
>without introducing too much latency or reducing bandwidth too much.

A lot depends on what you are expecting your firewall to be doing.
Simple blocks of address or port ranges or protocols are RELATIVELY
inexpensive. Content filtering is going to be horribly expensive. On
top of that, you throw in gigabit speeds with unspecified traffic density
which is going to be influenced by CPU and bus cycles. Trying to route
between more than two interfaces is also going to complicate matters,
and if latency/bandwidth is important, restricting the firewall to just
two interfaces may make a significant improvement.

Yes, people do run firewalls on low power PCs. My home firewall is
what is left of a 386SX-16 laptop (remember them?) that lacks a
case, keyboard, or display. It's drawing around 15 VA, and obviously
doesn't have the capability of running X. The networking connections
are 10 MBit Ethernet, because that's twice as fast as the Internet
connection (the LAN runs at 100 MBit with a switch translating between
the different speeds). The firewall isn't trying to manage two (or
more) high speed connections in addition to the connections to the
world, so the 386 is actually sufficient. Administration of the
firewall is done over the net (restricted to specific systems on the
LAN only), and the serial port (see the Remote-Serial-Console-HOWTO)
as a backup. What more can you expect a firewall to do?

Old guy

Re: Low power mini-itx system for firewall

on 09.08.2007 17:54:15 by Steve Chapel

Moe Trin wrote:
> A generic box that is going to be able to keep 3 gigabits hoses full
> is not going to be the ultra cheap box.

I am not looking for an ultra cheap box. I'm looking for a fairly cheap
box. Surely there exist $400 to $500 computers that can serve as a
firewall between two gigabit Ethernet networks?

> A firewall runs firewall code. It does not have lusers logging in and
> clicking on icons with one hand. So, do you want another desktop, OR
> do you want a firewall. The two are not the same, and if you think
> they are, then your understanding of a firewall is coming up short.
> Anything running on the firewall is a possible point of exploits, and
> for that reason, firewalls should have the minimum software installed
> to allow them to run the firewall. Anything else is increasing the risks.
> Thus, we don't use a generic kernel (never mind a distribution) but have
> compiled one for this specific hardware.

I will raise the security issues you point out with my consultants. It
sounds like a legitimate concern, and I'm interested in how they'll respond.

> On your Linux desktop, figure out where a command line is hiding, and
> run the command 'top' and see what is sucking those resources. You'll
> likely discover that the top ten processes are all related to your GUI.
> Why should you be wasting those CPU cycles on a firewall that is already
> going to be busy enough trying to shift packets between gigabit NICs.

I don't plan on running a GUI. Why would I want to run a GUI on a
computer that's serving as a firewall? On my cluster's frontend node I'm
running CentOS. It's currently using 0.0% CPU and consuming 220 MB of
RAM. A fairly cheap computer can easily have 512 MB of RAM and 40 MB
hard disk, which seems plenty of resources to run CentOS. My concern
about the 1.5 GHz VIA C7 systems is that the CPU is only about as fast
as a 600 MHz Celeron, but the OS is not going to be consuming CPU on its
own.

> A lot depends on what you are expecting your firewall to be doing.
> Simple blocks of address or port ranges or protocols are RELATIVELY
> inexpensive. Content filtering is going to be horribly expensive. On
> top of that, you throw in gigabit speeds with unspecified traffic density
> which is going to be influenced by CPU and bus cycles. Trying to route
> between more than two interfaces is also going to complicate matters,
> and if latency/bandwidth is important, restricting the firewall to just
> two interfaces may make a significant improvement.

On our Internet connection (1.5 or 3.0 Mbps) we will be running a
stateful firewall and may be doing some content filtering.

We will also need a firewall for our 802.11n wireless access point (300
Mbps). This firewall would be allowing traffic from our own laptops to
get into our internet network, and allowing guest laptops to access only
the Internet. I would think that this filtering would be inexpensive.

We might also want a firewall between our remotely accessible systems,
such as our email and web servers, and our internal network. Both of
these networks will be gigabit Ethernet. This is where I'm not sure the
1.5 GHz VIA C7 will be fast enough.

Re: Low power mini-itx system for firewall

on 09.08.2007 18:03:51 by Steve Chapel

Gary wrote:
> For low power consumption you might want to have a look at micro ATX
> boards that support AMD Geode procs.

During my research I came across this paper

that concludes that the Geode is only a bit faster than the VIA C7 at
the same clock speed. It looks like a low-power Geode will run at 1 GHz
at most, so that will probably be even slower than a 1.5 GHz VIA C7.

I'm not entirely comfortable with building my own system anyway. I'm
looking for a system that is already built and tested. The most I would
be willing to do is add NIC cards to a prebuilt system, or maybe add
some RAM.

Re: Low power mini-itx system for firewall

on 10.08.2007 21:51:02 by ibuprofin

On Thu, 09 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Steve Chapel wrote:

>Moe Trin wrote:

>> Why should you be wasting those CPU cycles on a firewall that is already
>> going to be busy enough trying to shift packets between gigabit NICs.

>I don't plan on running a GUI. Why would I want to run a GUI on a
>computer that's serving as a firewall? On my cluster's frontend node I'm
>running CentOS. It's currently using 0.0% CPU and consuming 220 MB of
>RAM. A fairly cheap computer can easily have 512 MB of RAM and 40 MB
>hard disk, which seems plenty of resources to run CentOS.

That 386SX I'm using has 8 Megs of RAM. But the release notes for Fedora
6 and 7 state it _requires_ 128 MB for text-mode, 192 MB for GUI, and
_recommends_ 256 MB for the GUI. That's mainly because of the eye-candy
tools it's using.

Most of the servers where I'm working are cast-off workstations, with the
fancy video card replaced by a gutless SVGA card (text-only doesn't need
horsepower), and the hard drive system replaced (our work-stations are
IDE/EIDE/ATA, and our servers tend to be SCSI). Workstations tend to be
high-end boxes ("my secretary _needs_ a Quad Xeon with 4 Gigs of RAM to
handle my mail"), and such units would normally be severely oversized
for then-current server operations.

I know the "40 MB hard disk" is a typ0 (that's not enough room for the
install program, never mind the simplest install of a general purpose
distribution), and that such drives are rather rare in this age, but
there are _firewall_ distributions that don't even need that much.

>My concern about the 1.5 GHz VIA C7 systems is that the CPU is only
>about as fast as a 600 MHz Celeron, but the OS is not going to be
>consuming CPU on its own.

>> A lot depends on what you are expecting your firewall to be doing.

There's the key. For a simple ("Yes/No") firewall, the bottleneck is
going to be the bus between the NICs and the other crap stealing CPU
cycles. With bus-mastering NICs, even an old Pentium I should be
adequate. If you have the firewall doing content filtering, or running
around in circles drawing pictures for some luser who should be using
their own desktop for those tasks, then the CPU becomes a lot more
important.

>On our Internet connection (1.5 or 3.0 Mbps) we will be running a
>stateful firewall and may be doing some content filtering.

That would _probably_ be OK, as the connection allows time to do things.

>We will also need a firewall for our 802.11n wireless access point (300
>Mbps). This firewall would be allowing traffic from our own laptops to
>get into our internet network, and allowing guest laptops to access only
>the Internet. I would think that this filtering would be inexpensive.

Should be - the WAP is doing the hard work, and all you're going to be
doing is simple routing with a Yes/No type of firewall. As an aside, we
do not allow guest computers on our networks. Period. We have a
completely separate network with systems in the cafeteria and employee
break areas so that our employees can do personal stuff. I'm using one
now to post this. On occasion, visitors have been allowed to use those
computers (which are actually owned by the employee association), but
that's not very common.

>We might also want a firewall between our remotely accessible systems,
>such as our email and web servers, and our internal network. Both of
>these networks will be gigabit Ethernet. This is where I'm not sure the
>1.5 GHz VIA C7 will be fast enough.

A lot depends on the paranoia of the setup. In our case, the only access
to the DMZ _from_ the internal LAN is administrative, and limited to a
few systems. Access _to_ the DMZ is similarly limited. The public mail
server can only be accessed by the internal mail servers. All other
connections are blocked. Systems in the DMZ can not initiate connections
to the internal networks. The web server in the DMZ is for external use,
and thus traffic between it and the administrative box inside is
relatively light. (The web servers used internally have no need for
external access. Internal use of external web servers is through a
proxy.)

Old guy
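The zoned policy Moe Trin describes above (administrative access into the DMZ from a few named LAN hosts only, the public mail server reachable from the internal mail servers only, no DMZ-initiated connections inward, internal web access through a proxy), combined with the "iptables configured by Shorewall" setup Jim Ford mentions earlier in the thread, written out as an added Shorewall configuration sketch; this is not from any poster, and the interface names and the 192.168.10.0/24 and 172.16.0.0/24 addresses are constructed.

```text
# Added example: Shorewall 4.x configuration fragments for the zoned policy
# discussed in the thread. Interfaces and addresses are constructed.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4            # the Internet link
loc     ipv4            # internal LAN
dmz     ipv4            # public mail relay and web server

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy -- default is deny; only the rules below open anything
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
net     all     DROP    info
dmz     all     DROP    info    # DMZ hosts never initiate connections inward
all     all     REJECT  info

# /etc/shorewall/rules -- each line is one explicitly allowed flow
#ACTION SOURCE                          DEST                PROTO   DEST PORT(S)
# Administrative access into the DMZ from two named LAN hosts only
ACCEPT  loc:192.168.10.5,192.168.10.6   dmz                 tcp     22
# Public mail relay (172.16.0.25): SMTP from the Internet, and from the
# internal mail server (192.168.10.25). The internal server pulls mail;
# the relay is never allowed to push inward.
ACCEPT  net                             dmz:172.16.0.25     tcp     25
ACCEPT  loc:192.168.10.25               dmz:172.16.0.25     tcp     25
# Public web server (172.16.0.80) serves outsiders; inside, only the admin
# box talks to it, so that traffic stays light
ACCEPT  net                             dmz:172.16.0.80     tcp     80,443
ACCEPT  loc:192.168.10.5                dmz:172.16.0.80     tcp     80,443
# Internal users reach external web sites only via the proxy (192.168.10.8)
ACCEPT  loc:192.168.10.8                net                 tcp     80,443
# Assumption not stated in the thread: the relay needs outbound DNS and SMTP
ACCEPT  dmz:172.16.0.25                 net                 udp     53
ACCEPT  dmz:172.16.0.25                 net                 tcp     25,53
```

Everything not listed in rules falls through to the policy file and is dropped or rejected with a log entry, which is also where you look first when a legitimate flow was forgotten.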

Re: Low power mini-itx system for firewall

on 12.08.2007 05:51:40 by Mac Cool

Steve Chapel:

> Why would I *want* to buy just a firewall?

Why wouldn't you?

You seem to have an objection to every solution. No dig on you, but my
suggestion would be to turn the job over to a professional

--
Mac Cool

Re: Low power mini-itx system for firewall

on 14.08.2007 03:46:14 by Steve Chapel

Mac Cool wrote:
> Steve Chapel:
>
>> Why would I *want* to buy just a firewall?
>
> Why wouldn't you?
>
> You seem to have an objection to every solution. No dig on you, but my
> suggestion would be to turn the job over to a professional

Uh, that's what we did. The professional's solution is to use a low-cost
PC stuffed with a bunch of gigabit NICs with Linux installed on it.

My question is: Do you know of a low-cost *and* low-power computer for
this purpose? I'm guessing your answer is "no." My only objection is
that you seem to be answering a question I didn't ask. My reply is
"thanks, but no thanks."

Re: Low power mini-itx system for firewall

on 14.08.2007 08:18:58 by Mac Cool

Steve Chapel:

> Uh, that's what we did.

At no point will a professional send you to the internet to do his/her job
for them. Hire someone else.

> My question is: Do you know of a low-cost *and* low-power computer for
> this purpose? I'm guessing your answer is "no." My only objection is
> that you seem to be answering a question I didn't ask. My reply is
> "thanks, but no thanks."

I do not know of any PCs that are low cost, low power AND can fit a "bunch
of NICs". Drop the low power requirement and you can build a solution for
a few hundred bucks. Or there are dedicated firewalls that are low power,
relatively low cost and can support your network.

--
Mac Cool

Re: Low power mini-itx system for firewall

on 14.08.2007 21:58:39 by ibuprofin

On 14 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Mac Cool wrote:

>Steve Chapel:

>> My question is: Do you know of a low-cost *and* low-power computer
>> for this purpose?

>I do not know of any PCs that are low cost, low power AND can fit a
>"bunch of NICs". Drop the low power requirement and you can build a
>solution for a few hundred bucks.

The average "small" PC motherboard has two or three PCI sockets, and
as you don't need an eye-candy monitor, you can get rid of that and the
video card with 2 Gigs of VRAM, _perhaps_ get rid of the hard disk (you
can run from a floppy, if you're not installing a "popular" distribution)
and so on. And you _realize_ that you don't need a "new" system for this
application.

>Or there are dedicated firewalls that are low power, relatively low
>cost and can support your network.

Or you could also look at hardware designed for this task. There is a
Latvian company that has been advertising in the Linux Journal named
'RouterBoard' (routerboard.com). One example of their product line is
a 175 MHz MIPS32 embedded processor, 32 Megs of SDRAM, three 10/100
NICs on-board, and 3 miniPCI slots - very tiny (4.6 x 4.1 inch), for
under 90 bucks in onezies. They also have models with four gigabit
interfaces but they are far from being the only company in the
business, and I'm not advocating or recommending this (or any other)
specific vendor.

Old guy

Re: Low power mini-itx system for firewall

on 16.08.2007 05:48:59 by Mac Cool

Moe Trin:

>>I do not know of any PCs that are low cost, low power AND can fit a
>>"bunch of NICs". Drop the low power requirement and you can build a
>>solution for a few hundred bucks.
>
> The average "small" PC motherboard has two or three PCI sockets, and
> as you don't need an eye-candy monitor, you can get rid of that and
> the video card with 2 Gigs of VRAM, _perhaps_ get rid of the hard
> disk (you can run from a floppy, if you're not installing a "popular"
> distribution) and so on. And you _realize_ that you don't need a
> "new" system for this application.

The OP has already dismissed pretty much all the options available because
they either consume too much power, the processors are too slow or won't
hold enough NICs and has also dismissed a dedicated because it's 'only' a
firewall yet claims he doesn't want to do anything else. In short, he's
confused and doesn't know what he wants or what he needs.

--
Mac Cool