Can I use a old computer as a network firewall "bridge"?

Guest
I have a couple of unused systems lying around and I had a really good (or really freakin bad) idea.
At school they have a fancy firewall on all of their routers that not only keeps you from going to Facebook and YouTube, but also blocks viruses like an AV program. I recently upgraded Avast to version 9 or 2014 or whatever and it takes up massive amounts of RAM and is making my PC slow.
I work in the IT class at my school and we do lots of work on these PCs. Only a handful of them had any viruses on them, and they don't have any AV software on the systems.

So what if I put an extra Ethernet card in one of my old PCs, put it between my two routers, and ran a firewall on it. Could I have that computer running 24/7, have the connections bridged through Windows or the said firewall program, and then just uninstall the AV program on my PC?

If this is possible, what programs are there for this? And what are the hardware requirements?
 
Solution

DComander1x


It is possible, using Linux. The hardware requirements are very simple; actually, all it would need is 2 GB of RAM and about 5 GB of disk, and any processor from the Pentium III and newer will run a simple Linux firewall.

http://chris.pirillo.com/how-to-make-your-pc-into-a-firewall/
http://www.techradar.com/news/networking/how-to-build-your-own-router-915419
http://www.youtube.com/watch?v=e_XgY6jqLeQ

 
Guest
Whoa, thanks man! I didn't think it was possible to do this without a big beefy processor!

How well would it work on my old OptiPlex?
2 GHz Pentium 4 Northwood
256 MB RAM (will be upgrading to 2 GB as suggested)
30 GB Maxtor Fireball III
Intel 845G chipset

Of course I'll be upgrading RAM later, but for now is this enough for just a basic install to mess around and learn the interface?
 

DComander1x


No problem, many people use the Raspberry Pi as a firewall, so that tells you that you do not need a dual Xeon octo-core server to run a simple firewall.
It will run very quickly, as most firewalls are embedded in routers, so your computer is about 5x faster than what you can get in a simple router. And yes, most firewall distros say 256 MB minimum to get everything running, and I said 2 GB to give the AV room to expand as needed, and it's good to have an extra gig to allow for future expansion, such as turning it into a NAS.
 
The processor power and memory are directly related to what you are asking the firewall to do. Large companies would not spend $50,000 for a firewall if you could do it with a $50 router.

Simple stuff like NAT of packets and very simple IP-based filters takes little overhead. Most processors can keep up with almost gig speeds as long as there are not too many sessions and the packet size is average. A packet takes just as much processor power to deal with if it is 64 bytes long as one that is 1500 bytes.

The things that really tax a firewall are things like VPN. The encryption process requires a lot of CPU. The other things are advanced protocols or pattern filters. It is very simple to deal with a single stream of data; what is hard is when a firewall is trying to keep track of many related streams and take action based on the relationship between the streams. A very simple example is FTP. There is a control stream between the 2 machines. They send messages back and forth and negotiate information about a second stream to actually transfer the data. The firewall must listen in on this conversation and dynamically create rules and NAT entries. When you start looking at intrusion detection rules where the firewall looks for patterns between sessions it also greatly increases both the memory and CPU requirements.
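As an added illustration of the FTP case described above (example code written for this page, not from any poster or firewall project): a small tracker that follows a constructed FTP control exchange and derives the data-connection "pinholes" a stateful firewall would have to open. The client and server addresses, the sample dialogue and the `Pinhole` type are all assumptions; it also drops `PORT`/`227` addresses that do not belong to the peer that sent them, which is the check a firewall needs so a control channel cannot open holes toward third hosts.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed FTP control-channel exchange (not from the thread):
# client 192.168.1.50 talks to server 203.0.113.10.  "c" = client line,
# "s" = server line.  One active (PORT) and one passive (PASV) transfer,
# plus one PORT naming a host that is not the client (should be ignored).
SAMPLE_CONTROL = [
    ("c", "USER anonymous"),
    ("s", "230 Login successful."),
    ("c", "PORT 192,168,1,50,19,137"),
    ("s", "200 PORT command successful."),
    ("c", "RETR file1.bin"),
    ("c", "PORT 10,0,0,9,4,1"),                      # bogus: not the client
    ("c", "PASV"),
    ("s", "227 Entering Passive Mode (203,0,113,10,7,209)."),
    ("c", "RETR file2.bin"),
]

@dataclass(frozen=True)
class Pinhole:
    """One dynamically created allow rule for an FTP data connection."""
    src: str          # side that will open the data connection
    dst: str
    dport: int
    mode: str         # "active" or "passive"

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode(match):
    """Turn the h1,h2,h3,h4,p1,p2 form into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    host = str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))  # raises on bad octets
    port = p1 * 256 + p2
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port

def ftp_pinholes(control, client_ip, server_ip):
    """Follow the control stream and return the data-channel rules a
    stateful firewall must add (and later expire) for this session."""
    holes = []
    for who, line in control:
        if who == "c" and line.upper().startswith("PORT "):
            m = _SIX.search(line)
            if m:
                host, port = _decode(m)
                if host == client_ip:     # active: server connects back to client
                    holes.append(Pinhole(server_ip, host, port, "active"))
        elif who == "s" and line.startswith("227 "):
            m = _SIX.search(line)
            if m:
                host, port = _decode(m)
                if host == server_ip:     # passive: client connects out to server
                    holes.append(Pinhole(client_ip, host, port, "passive"))
    return holes
```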
 

sg4rb0


What's the goal here? If you are trying to bypass an internal firewall, you ain't gonna be able to do it because the traffic will ultimately go through it. The rest of the stuff you said means nothing without finding out what your goal is.
 

DComander1x


He's trying to do a pass-through PI firewall as far as I know, to prevent viruses, much like any major corporation would do.
 

sg4rb0


Firewalls don't prevent viruses. I could give you a link right now which would send you to a FUD'd virus file which would fly through the firewall and onto your PC. As long as the connection starts from inside the network (i.e. the user clicks on the link as opposed to me trying to force a file on your PC), the firewall doesn't block it. That is why it's best practice to have a firewall and an antivirus piece of software.

In the organisation I work for, we have 2 firewalls on our 2 WAN connections, which go to a proxy box, which then has a dedicated antivirus box it goes through, then another data-leak protection box it goes through, AND THEN it goes into our core. In case the virus is inserted into our network internally (i.e. some disgruntled employee tries to put a virus across our network), we also install Symantec Endpoint Protection on each user's PC to prevent this issue.
 

DComander1x


He did say that - he meant the firewall also had an AV on it.
 

sg4rb0


Ok, in that case yeah you could do it, just highlight the two Ethernet adapters and click "Bridge Connections". If you need more than one PC behind that firewall PC then you will also need a little switch, as shown below.

Router --- Firewall PC ----- Switch ----- All PC's

Gotta remember though, all traffic is gonna be bottlenecked at that firewall PC.
 

Guest
I'm running into a bit of a problem now; I set up the "router" as described on TechRadar, and I can ping it from my PC, and I can ping everything but my other router from it, but when I type in "https://192.168.1.200" nothing happens. I know the ":455" in the example is supposed to be the port but I can't find out what port it's on; it's nowhere in the menus.

Also I can ping my router and my computer on the box but I can't ping my router that has my modem attached to it or any website. Any help with this?

Also, what's all the fuss about the firewall protecting me from viruses or not? It runs like an AV program; if the packet encloses a known virus definition it denies pass-through, right?
 
You would have to post which firewall you loaded and maybe someone will know. I am no expert on the Unix-based machines that most of these firewalls are based on. I tend to buy old Cisco and Juniper firewalls.

The AV function of a firewall is a very special thing; most DO NOT have that feature. Just like an AV, there is a huge database of signatures that the software must have to detect a virus. Unlike a client-based one, where it can look at the executable just as it's being loaded, a firewall-based one must first find the executable in the traffic stream, then build its own copy out of the packets, and then see if it has a virus. This puts a huge burden on a firewall and is why it is not included in most. In most cases you must pay a lot of money for this signature database. There are a couple of free ones but there is debate how good they are. I do know the guys who do our email compared the database we pay over $100,000/yr for to the free ones and decided we should continue to pay the 100k. And this is ONLY for the email attachment scanner. I have no clue what we pay for the one that runs on the firewall; I hear it's part of the license we pay for the client AV.
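To show concretely why in-line scanning costs a firewall more than a client AV pays, here is an added example (written for this page, not code from IPCop, Untangle or any poster) that reassembles a constructed, out-of-order download, carves the carried file out of the HTTP response, and hashes it against a made-up signature list. The HTTP response, the fake "MZ" file, the segment size and the signature entry are all constructed; the `peak` value it reports is the buffer the scanner had to hold while waiting for gaps to fill, which is the memory burden the post refers to.

```python
import hashlib

# Constructed sample: an HTTP response carrying a fake "executable" (an MZ
# header plus filler).  Neither the file nor the signature is real.
HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
FAKE_EXE = b"MZ\x90\x00" + b"A" * 40 + b"DEMO-BAD-PAYLOAD" + b"B" * 20
STREAM = HEADER + FAKE_EXE

# Constructed signature database: SHA-256 of a whole file -> detection name.
SIGNATURES = {hashlib.sha256(FAKE_EXE).hexdigest(): "Demo.Fake.Exe"}

def split_out_of_order(data, size=23):
    """Cut a byte string into (sequence_offset, payload) segments and return
    them in a scrambled order, like packets arriving over a lossy path."""
    segs = [(off, data[off:off + size]) for off in range(0, len(data), size)]
    return segs[1::2] + segs[0::2]      # odd-numbered segments first

def reassemble(segments):
    """Put segments back in order as they arrive.  Out-of-order data must be
    held until the gap before it is filled, so also report the peak number of
    bytes that had to be buffered."""
    pending, expected, out, peak = {}, 0, bytearray(), 0
    for off, payload in segments:
        pending[off] = payload
        peak = max(peak, sum(len(p) for p in pending.values()))
        while expected in pending:          # drain everything now contiguous
            chunk = pending.pop(expected)
            out += chunk
            expected += len(chunk)
    if pending:
        raise ValueError("stream has holes; cannot scan")
    return bytes(out), peak

def extract_body(stream):
    """Return the file carried after the HTTP headers (empty if none)."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""

def scan(segments):
    """Reassemble, carve out the executable, hash it and look it up.
    Returns (detection name or None, peak bytes buffered)."""
    stream, peak = reassemble(segments)
    body = extract_body(stream)
    if not body.startswith(b"MZ"):          # only executables are scanned here
        return None, peak
    return SIGNATURES.get(hashlib.sha256(body).hexdigest()), peak
```

A client AV hashes the file once it is on disk; the firewall version above has to keep `peak` bytes per concurrent download in memory before it can even compute the hash.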
 
Guest

If you read the second post you would know that I have set up IPCop V2.03.

I haven't started it up to mess with it today due to someone needing me to fix their hard drive (western digital, go figure).

If it matters, I currently only have it hooked up to router #2 via the onboard Ethernet, tagged as green. Router #1 (with modem) and router #2 are connected and I can access both of them and the internet from my computer, but I cannot access router #1 or the internet from the firewall box.
 

USAFRet
I've run exactly this kind of setup for years. Previously IPCop, and currently Untangle.

Runs on very low horsepower machines, and does it quietly. My current firewall box is a $50 craigslist buy from a few years ago. 2006 era AMD Sempron.

Everything in the house flows through that box.
 
Guest
Started it up again today and went through about 50 IP changes. It still can't talk to my first router or the internet. My computer can ping it after changing it to 192.168.1.XXX, but when I attempt to load it in the browser, nothing happens.