Query about firewall software

Karl Auer kauer at biplane.com.au
Sun Nov 15 21:01:48 UTC 2015


On Sun, 2015-11-15 at 11:09 -0700, compdoc wrote:
> > don't use a general purpose computer to run a firewall.
> A general purpose computer running pfSense is far more reliable and secure
> than most consumer firewalls. If a part stops working, you just replace the
> part.

Well, we might have to agree to disagree, but here are my arguments
anyway.

By the way, this could be seen as off-topic, except that Ubuntu systems
are often used as firewalls, and the OP asked about doing so. I would
recommend against using an Ubuntu system as a firewall, other than
(obviously) to run software to protect itself. A firewall is generally
run to protect an entire network, and that's really what we are talking
about in this thread.

> Those low-cost brands of 'firewalls' you find online often die in a year or
> two

Generally they don't. This is FUD.

> and many times have vulnerabilities that expose you to the bad guys.

The bad ones do. MikroTik are not bad ones. You are FAR, FAR, FAR more
likely to make a mistake configuring a firewall (general purpose
computer or otherwise) and leave yourself exposed, than fall victim to a
product vulnerability. Provided of course that you keep the product up
to date.

> Installing DD-WRT helps but when the unit dies, you have to toss the whole
> thing and buy another.

Yep. And one of them costs so little that you can do that. In fact, they
are so cheap that you might as well buy two to start with. Bang the old
config on the new device and you are off and running. Replacing any
component of a general purpose computer is likely to cost as much as an
entire MikroTik router, will take time to procure, will take time to
install, and good luck predicting which bit will fail first.

> pfSense has so many features that you probably won't use 97% of them,
> including VPNs, http virus scanning, entire country blocking, http caching,
> and usage reporting, to name a couple. 

The MikroTiks are famous for their rich feature set. I don't know enough
about pfSense to do a feature by feature comparison. If you need a
particular feature that pfSense has and the MikroTik doesn't, then you
should definitely get pfSense.

> For a 1G connection, you will need more horsepower and PCI-e based Intel
> nics, though. 

Of course. And the bigger the PC you use, the more it will cost. Same
for a MikroTik.

With the MikroTik you will not have component upgrade issues, you have
no moving parts (except fans in the largest models), you have no
operating system install or upgrade issues, and in general they cost a
fraction of the money, time and effort of a general purpose PC.

By the way, this is not just MikroTik. There are products that get you
similar benefits and DD-WRT is one of them, though there is still a
significant amount of tinkering involved.

Use pfSense only if:
- you need a feature it has that the MikroTik doesn't
- you enjoy building your own stuff
- you enjoy maintaining your own stuff
- the cost is not important

Regards, K.

PS: For enterprise-scale networks the arguments are different - but even
then, IMHO you should generally buy rather than build.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882