[TCLUG] Floppy-based Linux firewalls & hardware performance

Wed Jan 30 10:30:07 CST 2002

Since I got cable broadband two weeks ago, I've been playing with a couple
of different Floppy-based Linux firewall / router solutions and thought
I'd share my experiences. So far, I've tried:

floppyfw - http://www.zelow.no/floppyfw/
BBIagent - http://www.bbiagent.net/en

Floppyfw is the more configurable of the two, and also supports the most
features. Naturally, it is also the most difficult to set up. Once set up,
it is very stable, and can be managed from a local console, or from a
serial console connected to ttyS0. There is no management frontend, it's
just iptables (or ipchains), the kenrel and you. Basic routing &
masquerading functions are enabled by default, but any additional
configuration requires moderate knowledge of iptables & Linux networking.

On the other side, BBIagent is a snap to configure and install, thanks
largely to the very cool CGI-based download page. As you prepare to
download, you plug in a number of values to the page, including basic info
about your network configuration and the hardware in the firewall machine.
Clicking 'download' sends you a custom configured floppy image, perfectly
tailored to your setup. When running, BBIagent is administered remotely
via a web-based Java applet that acts as a frontend to all of the
functions of iptables. The machine is literally appliance-ized and the
admin is totally insulated from the Linux OS. The only tip that the
firewall is running a flavor of Linux, is the Tux logo on the BBIagent
Java applet. BBIagent supports a few less features, but these should be
supported in later releases - there is still some room on the distribution
floppy.

So far, I like BBIagent the best; it's just so slick. Disclaimer: I don't
know iptables.

Finally, a note about hardware performace with BBIagent. Originally, I was
running an old 486-25MHz with 12MB of RAM for the firewall box. On a whim,
I switched to a P133 64MB RAM and noticed an interesting improvement.
While the total throughput of the firewall seemed to stay about the same,
the speed in making connections seemed to increase greatly. So with the
P133, data still moves at the same speed, but there is much less apparent
lag when initiating a new connection. I consider that an improvement, but
I'm not sure if it is attributable to the increase in CPU power or RAM. I
am tending to think it is related to the CPU speed, but that could easily
be wrong.

Comments? Experiences?

      -.bill.layer.- .-frogtown.mn.usa.-

.-afghanistan.only.a.ruse- -.bomb.enron.now-.