Are there any firewall nerds out there who run bare knuckle Linux on their router? If so I’d be curious how you choose to roll your own. Also, it would be interesting to hear anyone opine on the pros & cons of doing it this way, even if you go with a GUI.
The biggest pro for me is containerizing the various services (DNS, VPN, SSH, etc). That and a smaller attack surface.
If this conversation has traction I can outline my setup in a followup. I’m more curious if others do it this way and how.
I run pfsense … it simply works and provides all you listed (dhcp, dns, vpn, ssh).
I run pfsense on dedicated physical h/w, 50GB ssd and 8GB ram.
Depends on your needs.
I think the majority on users on this forum will tell you pfsense. And my preference is bare metal install.
Yeah, you are probably right about everybody just running pfsense here. I was hoping there were a few crazy guys out there who admin by keyboard instead of mouse. If nothing else just for the challenge of it.
Just depends on the use case. Pfsense actually has a CLI only version called TNSR that has a massive performance boost because the kernel isn’t the bottleneck for throughput. If you are looking for a linux version you can look at vyos. I believe it’s only CLI managed.
Having a linux kernel and making a firewall out of it, not everyone has that skill. If your going to use in lab or at home that would be great because it is a good learning experience. If you are going to use in production/work, not everyone in your team has the skill. Worst case if you are the only IT guy in a small company, the next guy may not be as skilled as you even if he/she is it will take time to learn what configs you have. Another disadvantage is documentation of what you have done, probably you won’t have time to document it.
These are my reasons/opinion why I will go for pfsense.
You might be surprised how straight forward it is. But for a corp environment you have a good point, the expend-ability of your IT staff would be a strike against this approach. Your boss will love you I’m sure . That aside, or just looking at home setups, do the advantages then outweigh the negatives?
You can start with Ubuntu server (or Debian) add 2- or 4-nics, install DHCP server, unbound (DNS), openvpn and configure them. It is straightforward but what about the next person who takes over? I can tell you building this setup is 10% of your time, documentations is 90% of your time. I used to build firewalls; now, I install pfsense and be done. For a youngster, it’s a good exercise. My 2c.
The next person would need to know something about Linux. That’s not insurmountable, but it is something else they need to know.
I don’t follow you on the documentation claim. I’m not sure how this setup adds more documentation? You can actually be more verbose with your notes in a config file than the gui. Beside that point, you aren’t getting away from the need for external documentation either way.
Nobody seems to be concerned about running a bunch of services on their firewall without some additional layers of security? Does anybody run DNS in a container (Jail) outside the pfsense gui? Just for the added security?
I’ve used RHEL as a router/firewall before. Most use cases are for setting up IPSec tunnels between locations. When it comes to IaC it seems to be the prefered option compared to other open source offerings, but that is based mostly on my own experience.
Are their any security risks with running services like DNS, DHCP, IPSec, etc.? Any other benefits to running these services outside the firewall?
It doesn’t seem very practical and it’s like reinventing the wheel with what you are saying. With software such as pfsense everything is vetted for security, reliability and scalability. I think it might be fun to try and build on yourself but I think you are looking for trouble in the long run in a business/corporate environment.
Security is a reasonably big part of the virtualization/containerization push. If you can run your all your services in an isolated environment you get a healthy bump in security, among other things.
I highly doubt pfsense is doing any special vetting to these packages. That sounds like sales talk.
You guys really like the corporate plug. That argument can go against pfsense too. Corporate motivations are just not that interesting.
Well watch this ! Best not to assume about security until you know and it’s getting increasingly complex.
Virtualisation was about reducing hardware costs not really about security, if anything consolidating will increase risk.
This is very true. I remember when everything was on their own physical servers. If one went down it was just that service that was down, now for most SMBs if the host fails you are completely down. Of course at home it’s not the end of the world, but in business we will set up the customers old server as a fallback xcp-ng host.
You’ve already consolidated if you are running all the services on the pfsense “host”.
Yes, hardware efficiency is another big reason (but not relevant), so is portability for those concerned about the host or the hardware it runs on. Which is another nod for containerization.
I don’t think you know what you are talking about. The maintainers of the pkg’s themselves are being vetted and if any CVE’s are discovered then Netgate will apply patches accordingly. With that said, are you going to vet out every software package on every container/VM when you build your homebrew network solution? I bet not. Also, who’s to say your implementation of your solution, as a whole, isn’t vetted properly?
So the general consensus here is that nobody does this and everybody agrees it is a bad idea for one reason or another. Generally those reasons are business motivated that center around cost. I wonder if a guy (or two) could admin Linux boxes more efficiently with all the automation tools available, but that would be a thin argument. Not a lot of arguments on the technical side, but that may be due to a misunderstanding of the benefits and risks - which could be on me, I am always looking to learn.
Generally, I think it is a good idea to isolate and segment services as much as possible. I think that adds flexibility, stability, & security. The last time I admin’ed pfsense I ran as few services on it as possible. Sounds like that mentality is not typical, and may even be frowned upon for complexity reasons. It is just a click or two away from setting up a VPN on the FW host, so why not. That was me for a long time too.