[adsl] Looking for ADSL VPN Router recommendations

David Hawke David.Hawke at ppfort.net
Sat Dec 16 22:04:17 EST 2006


Volker Kuhlmann wrote:
> On Sun 17 Dec 2006 07:23:56 NZDT +1300, David Hawke wrote:
>
>   
>> All true - the most time consuming bit is getting iptables set up ... 
>>     
>
> No, setting up iptables is very easy. In SuSEfirewall2 it amounts to
> setting a number of variables to what you want the firewall to do. There
> are other programs similar to SuSEfirewall2, but this is one of the best
> I've seen. Chances of getting it right when starting iptables rules from
> scratch are slim, for less than well-experienced iptables hackers. Even
> then it may be of questionable economics.
>   
That was in fact the point - iptables can be daunting when starting out
from scratch, but once you have a model, it's easy to tweak. Haven't
looked at SUSEfirewall - obviously worth a look. In most cases though,
I've found that tweaking a model rule set becomes necessary.
> The most time consuming bit of going the $DISTRO way is setting up
> proxies, a dhcp server, a dns forwarder, linking the dhcp server with
> the dns forwarder (on small LANs I find it by far the easiest to link a
> few fixed desktops to fixed IPs in the dhcp server), traffic graphing
> tools, log file handling, email filtering, you name it. A few clicks
> away in pfsense, and no distracting distro clutter.
>   
Interesting - most of those are the bits I've found the easiest. I
suspect that one of the reasons for that is that I went down the qmail
path a long time ago, and was also caught by the BIND exploit - so
swapped to djbdns. This makes the DNS side of things very easy, and it's
a doddle to manage whatever fixed addressing is required for the local
network.
>> Certainly the advantage of going down the Linux path is the flexibility
>>     
>
> True! Although should you really be running the web proxy, mail
> filtering etc on the firewall?? Or should that be on your file server?
>
>   
Depends on the site, the $$, and the security and grunt required. The
firewalling certainly doesn't make anything sweat.

Ultimately it is horses for courses - driven by preference and site 
constraints.
> Volker
>
> PS Please refrain from CC'ing me on list postings, thanks.
>   
Treat that as being bitten by the list reply-to :-(

David H
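The "model rule set you then tweak" that the thread keeps coming back to, as an added example: this is not code from the thread, from SuSEfirewall2 or from pfSense, but a minimal default-deny NAT ruleset for a two-interface ADSL router, written as a generator so the rules can be read or diffed before they are fed to the kernel. The interface names (ppp0, eth0), the LAN range 192.168.1.0/24 and the forwarded host 192.168.1.10 are assumptions for the example.

```shell
#!/bin/sh
# Model iptables ruleset for an ADSL NAT router. Functions print iptables
# commands instead of running them, so "show" lets you review the result and
# "apply" pipes it to sh as root. Names below are assumptions for the example.
WAN_IF=ppp0             # PPP link to the ADSL modem (assumed)
LAN_IF=eth0             # inside interface (assumed)
LAN_NET=192.168.1.0/24  # inside network (assumed)

# Base policy: flush, default-deny INPUT/FORWARD, allow return traffic,
# anti-spoof on the WAN, LAN-to-router and LAN-to-Internet, masquerade.
gen_base() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=1
EOF
}

# The tweak: publish one internal service. Emits the DNAT and the matching
# FORWARD accept, which the default-deny policy above would otherwise block.
# usage: port_forward <tcp|udp> <wan_port> <lan_host> [lan_port]
port_forward() {
    proto=$1; wport=$2; host=$3; lport=${4:-$2}
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $wport -j DNAT --to-destination $host:$lport
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $lport -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Logging catch-all, appended last so that accepted traffic (including the
# port forwards) is not logged as dropped; the chain policy does the dropping.
gen_catchall() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
iptables -A FORWARD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
EOF
}

# Full ruleset in the order it must be loaded. Edit the port_forward lines
# to suit the site; that is the whole "tweak" once the model is in place.
gen_all() {
    gen_base
    port_forward tcp 22 192.168.1.10     # ssh to one inside box (assumed)
    gen_catchall
}

# sh fw.sh show   -> print the rules for review
# sh fw.sh apply  -> load them (run as root)
case ${1:-} in
    show)  gen_all ;;
    apply) gen_all | sh -e ;;
esac
```

Rules are appended in dependency order: anti-spoof and state rules first, the per-site accepts in the middle, the LOG rules last so that a forwarded connection is not written to the log as a drop. Because the script only prints by default, `sh fw.sh show | diff - fw.model` is a cheap way to see exactly what a tweak changed before loading it.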


