Mailing List Archive

Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
On 28/07/2021 21:53, G.W. Haywood via clamav-users wrote:
> Hi Paul,
>
> On Wed, 28 Jul 2021, Paul Kosinski via clamav-users wrote:
>
>> In my case, I can't simply upgrade to the latest Debian (or any
>> other distro), as one of the systems is our home firewall and
>> gateway -- with iptables, multi-LAN routing (with local DNS), a bit
>> of bridging, encrypted tunnels to elsewhere, etc. This means we
>> would lose *all* Internet connectivity for who knows how long if I
>> tried an in-place upgrade.
>
> I'd recommend not using any big distro for your perimeter firewall.
> I use one of the purpose-built stripped-down firewall distributions.
> The maintenance needed on it is minimal, and it doesn't prevent you
> from having firewalls on other machines too.  To get to *any* of our
> servers from outside, packets must traverse at least three firewalls.
>
>> So the only way to move forward seems to be to rebuild our system on
>> separate hardware. I have started this on hardware I already mainly
>> have (being retired, and thus without corporate budget or staff).
>
> One of the slightly unexpected benefits of using things like the
> Raspberry Pi is that you can have a few of them kicking around which
> are surplus to requirements and just fire one up as and when needed.

I second what Ged is saying here, for firewalls and so on the Raspberry
Pi and its ilk are a much better choice than a full-on system, they use
/much/ less power, and keeping a spare or three isn't a board- (or
wife-) level budget request. :-)

I still like a full-on machine for handling email, but that's because I
run Panda-IMAP, which is probably the closest thing to a "reference"
IMAP implementation we will ever see, and I can do far more clever
things with disks and SANs when needed.

Cheers,
Gary B-)

P.S. Yes, I know I said good-bye, but I am interested in the fall-out
of the recent decisions made about ClamAV. (And I like to laugh at the,
"I haven't been able to download...", posts. :-) )

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
On Wed, 28 Jul 2021 23:31:05 +1000
"Gary R. Schmidt" <grschmidt@acm.org> wrote:

> I second what Ged is saying here, for firewalls and so on the Raspberry
> Pi and its ilk are a much better choice than a full-on system, they use
> /much/ less power, and keeping a spare or three isn't a board- (or
> wife-) level budget request. :-)

My current firewall, which also does inter-LAN routing with iptables filtering, has six (6) gigabit Ethernet ports on it (including one 4-port Intel card in a PCIe-x4 slot). Which model Raspberry Pi should I use?

P.S. I could make do with 5 ports, as my second WAN (a static IP, but slow, DSL) was discontinued in late 2019.


Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
Hi there,

On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:

> My current firewall, which also does inter-LAN routing with iptables
> filtering, has six (6) gigabit Ethernet ports on it (including one
> 4-port Intel card in a PCIe-x4 slot). Which model Raspberry Pi
> should I use?

From my experience I would say avoid the 4B if you value stability.

You'd probably want to use USB-Ethernet adaptors. You could have more
or less as many as you like. I'm using Ethernet over USB with several
little Pi Zeros. No actual physical Ethernet hardware, but a network
stack etc. in the applications. The Zero has no Ethernet port at all
but some of the things we're running on them expect you to have one.
You can comfortably watch movies on the Pi Zero. It's amazing such a
tiny thing can do that, at least it is when you're as old as I am and
the first CPU you actually handled was a 1MHz (ONE MegaHertz) Motorola
6800, and you had to wear ear defenders for programming it via ASR33.

Without knowing more about the performance you'd need I couldn't say
whether one Pi or another would do the job, but unless you're a very
heavy user of bandwidth I'd be surprised if you'd stress the quad core
1.4 GHz CPU of a Pi 3B+ in a firewall just filtering packets. To be
honest, the few times that I've run CPU stats on my firewalls, the CPU
usage has been so low that it hasn't really made an impression. I've
just checked our perimeter firewall, CPU is hovering about 99.6% idle.
As I said this isn't a Pi, it's an ALIX board which is a single-core,
32 bit AMD 'Geode' at 500MHz. Never seen one crash.

Straying back somewhere near the topic, I think you'd need the Pi4B
with probably 4G of RAM to run clamd or clamscan. I run clamd on one
but that's all it does. It crashes occasionally, last time was 6.5
days ago. My money's on power supply problems. I don't think it's
temperature related, it was running at about 65C when it crashed last,
it redlines at 85C. It's supposed to throttle itself when it gets up
there but I haven't done any real stress testing like I have with some
other devices. Most of our 4Bs are in at least 50% glazed offices and
despite being in England it can get very warm in there sometimes. In
summer they're often operating in the 70s without any trouble. We fit
the CPUs with heat sinks, but no fan.

You might be able to run a local ClamAV mirror with only a Pi 3B+ with
its roughly 850M available RAM - I'll give that a try someday.

--

73,
Ged.

Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
On Wed, 28 Jul 2021 12:53:38 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> I'd recommend not using any big distro for your perimeter firewall.
> I use one of the purpose-built stripped-down firewall distributions.

"..our home firewall and gateway -- with iptables, multi-LAN routing (with local DNS), a bit of bridging, encrypted tunnels to elsewhere, etc."
I forgot to mention that it also logs to disk all Internet traffic, which is handy for occasional historical analysis of events via Wireshark. As far as being stripped down goes, the firewall/gateway has no X-windows stuff at all installed.

I think stripped-down distros are often too focused. And from what I've seen of some common firewalls, they're too simple-minded (e.g. firewalld), perhaps aimed at people who are terrified of the command line. (I personally found the CLI to be a great improvement over punched cards, just as the GUI is a wonderful improvement for many -- but not all -- tasks.) Also, Debian, being a major distro which is the basis for Ubuntu and others, has long been very reliable in providing security and bug fixes. How many smaller distros are as future-proof?

Finally, do any firewall distros address inter-LAN filtering? We have two major LANs, Black and Red. Black is the trusted LAN, while Red is for Internet TV etc. (on physically separate computers, of course). Red can access the Internet but is not allowed access to Black. Black has limited access to Red (for SSH, VNC and the like). Both are firewalled from the Internet (with Red a bit less so).


Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
Hi there,

On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:

> ... do any firewall distros address inter-LAN filtering?

We're well off-topic here so I think we should stop this now, but I
thought most of them do. What you describe is what I think they
usually call a 'DMZ', very often 'ORANGE', where the LAN is 'GREEN'
and the public Internet 'RED'.

--

73,
Ged.

Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!
On Thu, 29 Jul 2021 23:33:02 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:
>
> > ... do any firewall distros address inter-LAN filtering?
>
> We're well off-topic here so I think we should stop this now, but I
> thought most of them do. What you describe is what I think they
> usually call a 'DMZ', very often 'ORANGE', where the LAN is 'GREEN'
> and the public Internet 'RED'.

As I understand it, a DMZ is usually where servers sit, to be accessed *from* the Internet; thus must allow inbound TCP connections. What I'm talking about is where client computers that are not fully trusted sit: running closed source Linux code (e.g., for DRM-ed movies) which might try probing nearby computers on the same LAN.
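
[Added example, not part of the thread or any poster's own configuration: the Black/Red inter-LAN policy described in the posts above, written as a shell function that emits an iptables-restore ruleset for the FORWARD chain. The interface names (eth0 WAN, eth1 Black, eth2 Red) and the ports (22 for SSH, 5900 for VNC) are assumptions.]

```shell
#!/bin/sh
# Added example. Interface names and port numbers are assumptions,
# not values taken from the thread.

# emit_ruleset WAN_IF BLACK_IF RED_IF
# Prints FORWARD-chain rules in iptables-restore format.
emit_ruleset() {
    wan=$1 black=$2 red=$3
    # Each zone needs its own interface; refuse empty or duplicated names.
    if [ -z "$wan" ] || [ -z "$black" ] || [ -z "$red" ] ||
       [ "$wan" = "$black" ] || [ "$wan" = "$red" ] || [ "$black" = "$red" ]; then
        echo "usage: emit_ruleset WAN_IF BLACK_IF RED_IF (all distinct)" >&2
        return 1
    fi
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to connections that were already allowed (e.g. Black-initiated SSH).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Red may never open a connection into Black; log attempts for later review.
-A FORWARD -i $red -o $black -j LOG --log-prefix "RED->BLACK drop: "
-A FORWARD -i $red -o $black -j DROP
# Black has limited access to Red: new SSH and VNC connections only.
-A FORWARD -i $black -o $red -p tcp -m multiport --dports 22,5900 -m conntrack --ctstate NEW -j ACCEPT
# Both LANs may reach the Internet; unsolicited inbound hits the DROP policy.
-A FORWARD -i $black -o $wan -j ACCEPT
-A FORWARD -i $red -o $wan -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: print the ruleset for the given (or assumed default) interfaces.
# Validate before loading with: iptables-restore --test < rules.v4
# Loading without --noflush replaces the existing filter table contents.
emit_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-eth2}"
```

Traffic between two hosts on the same LAN is switched, not routed, so it never reaches the FORWARD chain; these rules constrain only Red-to-Black and LAN-to-Internet flows.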

