Posted on Fri 13 January 2017

revisiting a new firewall

A few years ago I wrote about my new firewall. Let’s look at what I’ve learned since then.

First, you should know that I’m very pleased with the firewall. It continues to function smoothly. Debian upgraded from 7 to 8 without a hitch. I added a few new software features:

  • TINC and OpenVPN servers
  • replaced a full BIND DNS server with Unbound (with BIND still running behind it on another server)
  • monitoring software
  • an IPv6 tunnel

The CPU is basically idle all of the time. It has four cores; it’s possible that two have never been woken up. We call that future-proofing :)

I’ve got five gigabit ports, but only three of them are in use, and if I needed to, two ports would be sufficient.

There’s 4GB of RAM. Really, it could handle everything it does now on 512MB, and 1GB would be plenty of room.

The SSD is a big win, though. A complete reboot cycle takes less than 30 seconds, which means that TCP sessions don’t have to drop. I also have a tiny USB thumbdrive (thumbnail drive?) that takes a complete backup once a week or when I change something interesting.

Given all that, would I do it differently today?

I think I’d buy different hardware. The mini-ITX case is a little large — but it was cheap, and the cooling is excellent. I might buy something like this ZOTAC ZBOX C Series CI323 NUC-style computer. It doesn’t have any PCI-E slots, but the other specs are on point:

  • Celeron N3150, 4 cores at 1.6GHz
  • up to 8GB RAM
  • 2x gigabit ethernet ports
  • 802.11ac wireless
  • 1x 2.5” SATA slot
  • 3x USB 3.0 ports, 2x USB 2.0 ports

all for $150. Add some RAM and a 2.5” SSD, and it should be a very useful router for under $250, sipping power and taking up about the same space as a random “home router” box.

© -dsr-.