Rusty's Blog

Thoughts and musings of someone who's not sure what 'normal' is…

Tuesday, March 2, 2010

Steps back, and steps forward.

Yesterday (Monday the first of March) my primary home network router died. I suppose I have that to look forward to with my other gateway device, but I’m hoping for some time before that happens. There was nothing really spectacular about the device, and a few things not so hot about it. It was aimed at gamers, with 4 100 Mbps ports on the LAN side, switched, and a 100 Mbps WAN uplink. No Wi-Fi, a fairly basic collection of rules you could assemble, but sufficient for my needs for the most part.

On the other hand I have a few things I want to set up and get going that I couldn’t very well do with that router. It wasn’t set up to handle multiple WAN IP addresses pointing to different devices in the LAN, or to different ports on similar devices.

So the device I started out with as my new firewall is a PowerSpec V.50. Not that you can get them any more, though all of the hardware is out there, so you could roll your own. It has a single 10/100 Ethernet adapter, 4 USB 2.0 ports, and more. It came with Windows XP, but, yeah, that’s not on there any more. Not that I don’t trust the platform when configured correctly; it’s just that I don’t know the platform well enough to do that configuration, and I’m not really interested in learning it, thank you.

I did a bit of checking around, and ultimately settled on pfSense as the firewall platform I wanted to use. It’s based on FreeBSD and runs very well on hardware with specs that the V.50 outclasses in just about every area. So I’m hoping that it works well from a hardware perspective.

The only concern I have at the moment is entering my firewall rules. I’ve mentioned in another post that I’ve set up a page that automatically blocks traffic from certain hosts if they enter content in certain fields. The last time I checked, I had about 400 or so addresses in the list. At the moment my list is just under 2,000 entries long. In that list there are some 30 /24 networks (a 254-host network each) and two /14s (260,000-plus addresses each) being blocked, so 2,000 entries isn’t really a good indication of the full extent of what is being blocked. That has been done at my web server. Unfortunately that means the traffic has had to traverse my firewall, get onto my LAN (albeit with a fixed destination) and continue on until it gets to my web server. Due to the nature of TCP/IP it is very unlikely to do any actual damage to anything in that process, but it is traffic that doesn’t need to be there. A prime rule in network security is to stop potential threats as early as possible. At the very least it means that my web server doesn’t have to figure out what to do with the traffic, and can handle legitimate traffic that much faster.
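As an added example (not code from this blog or from the pfSense project), here is how a hand-built blocklist of the kind described above, a mix of single hosts and /24 and /14 networks, can be turned into a pf table so the blocking happens at the firewall rather than at the web server. The script merges duplicate, adjacent and overlapping entries, reports how many addresses the list actually covers (which is the point that "2,000 entries" understates), and renders the table file plus the two pf.conf lines that reference it. The sample list, the table name `blocked`, the file path and the `$wan_if` macro are all assumptions for illustration; only the Python standard library is used.

```python
"""Aggregate a mixed host/CIDR blocklist into a minimal pf table.

Added example, not the blog author's code. The list below is constructed
for illustration and uses documentation address ranges only.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample blocklist (not the author's real list): bare hosts, a
# duplicate, a /24, a host that is already inside that /24, a /14, and one
# line of junk of the sort that creeps into a long hand-maintained file.
SAMPLE_BLOCKLIST = """
# bare hosts
203.0.113.7
203.0.113.8
203.0.113.7
# networks
198.51.100.0/24
198.51.100.44          # already covered by the /24 above
10.128.0.0/14
not-an-address
"""

Net = ipaddress._BaseNetwork  # IPv4Network or IPv6Network


def parse_blocklist(text: str) -> Tuple[List[Net], List[str]]:
    """Parse one address or CIDR per line; '#' starts a comment.

    Bare hosts become /32 (or /128) networks. strict=False tolerates a
    network line with host bits set (e.g. 198.51.100.44/24). Unparseable
    lines are returned separately rather than silently dropped, so a typo
    never quietly shrinks the blocklist.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def aggregate(nets: List[Net]) -> List[Net]:
    """Collapse duplicates, subsumed hosts and mergeable neighbours.

    collapse_addresses() refuses mixed IPv4/IPv6 input, so each family is
    collapsed on its own; the result is sorted within each family.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6))


def address_count(nets: List[Net]) -> int:
    """Total addresses the table blocks (a /24 counts as 256, not 254:
    the firewall drops network and broadcast addresses too)."""
    return sum(n.num_addresses for n in nets)


def render_pf_table(nets: List[Net], name: str = "blocked",
                    path: str = "/usr/local/etc/blocked.txt") -> Tuple[str, str]:
    """Return (table file contents, pf.conf lines that use the table).

    $wan_if is an assumed macro for the WAN interface. 'quick' stops rule
    evaluation on match, so blocked sources are dropped before any pass
    rule for the web server is consulted.
    """
    table = "".join(n.with_prefixlen + "\n" for n in nets)
    conf = (f'table <{name}> persist file "{path}"\n'
            f"block in quick on $wan_if from <{name}> to any\n")
    return table, conf


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCKLIST
    nets, rejected = parse_blocklist(text)
    merged = aggregate(nets)
    print(f"{len(nets)} entries parsed, {len(rejected)} rejected: {rejected}")
    print(f"{len(merged)} table entries after aggregation, "
          f"{address_count(merged):,} addresses covered")
    table, conf = render_pf_table(merged)
    print(table)
    print(conf)
```

On the constructed sample, six usable entries collapse to four table entries covering 262,402 addresses, almost all of them from the single /14. On plain FreeBSD the `table`/`block` lines go in pf.conf and `pfctl -t blocked -T replace -f /usr/local/etc/blocked.txt` reloads the file without a full ruleset reload; on pfSense, which generates pf.conf itself, the equivalent is to load the file as an alias (a Network(s) alias, or a URL Table alias if the list is served over HTTP) and reference that alias in a block rule on the WAN interface.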

The combination of the address blocking list, and the fact that I changed the authentication model of my blog about the same time, means that in the past 3 months not one blog comment has been properly marked as spam by the software available for my blog. Granted, I’ve only had a few comments in that time, but it works out to the same.

And tonight I ran into my first evidence that the platform I have now is going in the right direction. Comments on many blogs that I’ve posted to have sent e-mail notices that there was a comment. Mine hadn’t, however. Now it does.

So, steps back, steps forward, and all hopefully steps in the right direction.

posted by Rusty at 10:07 pm  
