[ale] Opinion Call: Firewalls for DSL

Jeff Hubbs jhubbs at telocity.com
Mon Jul 3 00:50:33 EDT 2000


A couple of months ago, I made a strategic decision to pop for the NetMax
Firewall/Router product from CyberNet.
My dangerously optimistic premise was that I had a lot of things to
integrate at the house - new computer, firewall, Telocity DSL (no complaints,
BTW), old computer - and I thought that the NetMax's "thin server" Web-administered
approach would help me get going quicker.

My target machine was going to be a VLBus 486DX/33 in which I could
put as much as 32MB of RAM, and I had already set myself up with some ISA-bus
Ethernet cards to choose from, three of them being NE2000 clones.
I also scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex card.

The first problem I had was that whereas the NetMax docs said it supported
the 3Com 3C515, there appeared to be no way to get it to work, and when
I called tech support, the person that answered didn't even seem to understand
the question when I tried to find out how.  I finally had to insist
on speaking to someone who had firsthand experience with the product.
When I finally did, I learned that my question about the 3C515 apparently
had no answer and that the claim of supporting the 3C515 was apparently
a lot of hogwash.  I also learned that when the NetMax docs say that
a Pentium is the minimum required CPU, they mean it - it is unstable on
a 486 (he did not indicate that it was compiled for Pentium; that's
my assumption).  This fellow offered to set me up with the FreeBSD
version in trade for the Linux version that I bought and my address was
taken down.  It never arrived.

I decided that I would try to soldier ahead with what I had.  I
picked up a fairly nice Pentium/75 at MicroSeconds.  It took me a
few tries to get anywhere with it, but I eventually got it to work with
two interfaces, performing NAT.  One key element to my eventual success
was that the only documentation that is usable is a single article on their
Web page; the provided documentation is NOT sufficient to figure out the
installation.
Here is my sack of woes to date:

- At the moment, even after a reboot, the Web interface is not reacting.
  It was working fine, but now, zip.

- The interface, when it did work, is DOG SLOW.  If you make config
  changes, it takes this Pentium/75 with 256KB of cache and 72MB of RAM *several
  minutes* to go through the commit/restart services process.

- The console sometimes fills up with stuff like "Unable to handle kernel
  NULL pointer dereference at..." or "Out of Memory" errors.  Most of
  the time, NAT operation seems to continue unabated but the "Out of Memory"
  stuff got so bad that the machine would only respond to a three-fingered
  salute.

- There is nothing documented or nothing I can locate in the Web interface
  (again, when it worked) or the Web site that gives me the ability to enable
  or block specific services or even ports - just a rather vaguely labeled
  set of check boxes.

- Things like sendmail are running.  I don't want it running.
  But, to stop it, I have to dig through /etc/rc.d or whatever in the typical
  fashion.

- So far, my attempts to configure X have been a total failure.  The
  video is a supported Cirrus Logic.  All three offered methods of X
  configuration at the console error out.

- You log onto the console using the username and password you enter at install
  time.  It would be nice to su to root so you can run things like fsck
  but the root password is unknown to me.

- The Web site support options - the user forum and the knowledge base -
  have been essentially useless and my one attempt at phone support was horrendous.

Before I went through all this, I had read the Firewall-HOWTO and got a
fair idea of the theory behind ipchains and I understood that I had a lot
to learn and that I would have to be careful to harden the Internet-facing
interface and generally be on my toes about it.  I had good reason
to believe that the NetMax product was going to help prevent me from having
to be quite so down-and-dirty.

So, my question to you fine folks is basically this:  should I
have bothered?  Would I have been as well off if I had just put
a bare-bones Red Hat 6.2 installation on the 486 and figured out ipchains?
Right now I have a marginally unstable firewall that is performing NAT
like it should, but when certain Internet functions don't work, it seems
I have to "open the hood" anyway and I really don't have a good way to
know how well protected my firewall is against the baddies.

I know some of you have done the firewall thing with some success and inasmuch
as I would *like* a shortcut to a well-done firewall, I've just about concluded
that the NetMax product is not it and my $50 would have been better spent
elsewhere.

So what do you think I should do?

- Jeff
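As an added illustration (not part of Jeff's post and not the NetMax product's configuration), this is roughly what the "bare-bones Red Hat 6.2 plus ipchains" alternative he asks about looks like: a two-interface masquerading ruleset that default-denies the DSL-facing side, logs inbound connection attempts, and lets you name the TCP ports you deliberately expose so that things like sendmail stay unreachable from the Internet even while running. The interface names eth0 (DSL) and eth1 (LAN) and the 192.168.1.0/24 LAN range are assumptions; gen_rules prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Assumed layout (not from the post): eth0 faces the DSL modem, eth1 the home LAN.
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24

# Print the ipchains (Linux 2.2 / Red Hat 6.2) commands instead of running them,
# so the ruleset can be read and tested first; apply as root with:  gen_rules | sh
# Arguments: TCP ports of services deliberately exposed to the Internet (none by default).
gen_rules() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT_IF -s $LAN -j ACCEPT
# anti-spoofing: LAN or loopback source addresses must never arrive on the DSL side
ipchains -A input -i $EXT_IF -s $LAN -j DENY -l
ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l
# ipchains is stateless: admit non-SYN TCP (replies to our own connections),
# DNS replies and the ICMP the box needs; other UDP replies would additionally
# need the kernel's masquerade port range opened on $EXT_IF
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0.0.0.0/0 53 -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
EOF
    # explicitly exposed services go before the catch-all deny below
    for port in "$@"; do
        echo "ipchains -A input -i $EXT_IF -p tcp -y -d 0.0.0.0/0 $port -j ACCEPT"
    done
    cat <<EOF
# every other inbound connection attempt (sendmail's port 25 included) is logged and denied
ipchains -A input -i $EXT_IF -p tcp -y -j DENY -l
# masquerade the LAN out of the DSL interface
ipchains -A forward -i $EXT_IF -s $LAN -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}
```

Running `gen_rules 22 | sh` as root would expose only ssh; `gen_rules | sh` exposes nothing, and the `-l` rules make any probe show up in the kernel log so you can see how the Internet-facing side is actually holding up.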