Wilders Security Forums  

#1
April 2nd, 2012, 12:45 PM
Hungry Man
Turning an old laptop into a firewall

I have an old laptop:
1.66GHz dual core
1GB DDR2 RAM
110GB HDD 5.4kRPM

It sits around collecting dust and I thought I could potentially turn it into some type of hardware firewall running OpenBSD or some such thing.

I have multiple computers on the network.

Right now it goes:

ISP -> Router -> All Computers

What I'd like is:

ISP -> Router -> My Computer

+

ISP -> Router -> Other computers


Any ideas/suggestions? I figure that it's old hardware but for something like a hardware firewall it's probably overpowered.

#2
April 2nd, 2012, 06:14 PM
x942

I have done this a few times now. What works for me:

ISP -> Router -> Wireless router -> computers

Why? Because of two reasons:
1) The good router distros don't support WiFi APs.

2) Using an off-the-shelf WiFi card is not that great for an AP. The best one I have used is an Alpha WiFi card with a 9dBi antenna. I used it on my router.

===============================

Okay. With that out of the way. What you need to look into is what distro you want to use:

Untangle - This is what I use. Great options for security and good app selection.

PfSense - Another great one. Used it before. Found it a little more limited than Untangle. Based on OpenBSD.

OpenBSD (as you mentioned) - Essentially OpenBSD, you just set it up as a router.

DD-WRT - Can run on x86 based systems. Good option, works well and supports WiFi cards for wireless APs.

Open-WRT - same as dd-wrt.

There are more but these are the ones that worked for me. Again only the last three support wireless AP.

============
Setup #1 (With wireless router - you will need two (2) ethernet ports)
============
Set up the distro you chose as per your preferences. After it's set up and hooked up to the modem via Ethernet, hook up your normal "plastic" router. Access the router's config via its IP address (i.e. 192.168.0.1) and log in (default is normally admin - admin or admin - no pass). Find the settings for IP address and DHCP, disable the DHCP server (so it doesn't conflict with your new router's server) and have this router receive an IP from your new "router" box. Also disable NAT (it's provided by the new router box instead).

Set up the WiFi access point as you wish.
-----------------------------------------
What does this do? Gives you the benefits of having a hardware firewall and NAT as well as giving you an easy way to have WiFi.
Cons: Need two (2) ethernet ports. Ethernet to USB does work.

=================
Setup #2 (One (1) Router)
=================
Choose a distro that supports WiFi APs, or patch one that doesn't (Untangle can be patched) and find a WiFi card that can support master mode and has drivers for Linux. The one I mentioned above does support master mode and has drivers. The chipset is a Ralink. Alpha is a good company too.

Other good ones are: Atheros, Intel (hit or miss), and Ralink. Stay away from Broadcom; they have just started releasing drivers open source so support can be non-existent.
----------
You can use the distro's settings to set up a "guest" AP or isolate clients.
__________________
E-Mail: og8oh@notsharingmy.info
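
Added example, not part of x942's post: a minimal OpenBSD `pf.conf` for the firewall box in Setup #1, where this box does the NAT and default-deny filtering and the WiFi router behind it runs as a plain access point. The interface names `em0` and `em1` are assumptions; substitute the ones `ifconfig` reports.

```conf
# /etc/pf.conf for the firewall box in Setup #1 (added example, not from the thread).
# Also required: net.inet.ip.forwarding=1 in /etc/sysctl.conf so the box routes.
ext_if = "em0"   # assumption: NIC cabled to the modem
int_if = "em1"   # assumption: NIC (or USB Ethernet) cabled to the WiFi router

set block-policy drop          # silently drop anything a rule blocks
set skip on lo                 # never filter loopback traffic

# Clean up fragments and clamp MSS before filtering.
match in all scrub (no-df random-id max-mss 1440)

# This box does the NAT (the WiFi router has NAT and DHCP switched off).
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if:0)

# Drop packets claiming a LAN source address on the wrong interface.
antispoof quick for $int_if

block all                      # default deny in both directions
pass out quick inet            # outbound allowed; replies return via state
pass in on $int_if inet        # LAN clients may reach the firewall and beyond
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.
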
#3
April 2nd, 2012, 06:53 PM
Hungry Man

Awesome. Thank you.

I'm going to go for an OpenBSD hardware Firewall right on the edge of my network actually. It shouldn't impact performance and OpenBSD is very secure so I'll be that much more confident.

#4
April 2nd, 2012, 06:57 PM
x942

Quote:
Originally Posted by Hungry Man
Awesome. Thank you.

I'm going to go for an OpenBSD hardware Firewall right on the edge of my network actually. It shouldn't impact performance and OpenBSD is very secure so I'll be that much more confident.

I agree. If I had more time I'd set up OpenBSD too. I only use Untangle since it's click-click-done and has a nice web GUI.

#5
April 2nd, 2012, 07:05 PM
Hungry Man

Well I could do DD-WRT or OpenWRT but there's no real point in that. My router already has DD-WRT.

I'm looking for perimeter security and if they can blow through two layers with one exploit it serves me no good. Throwing OpenBSD out at the front line is going to deter exploitation.

#6
April 3rd, 2012, 01:07 AM
x942

Quote:
Originally Posted by Hungry Man
Well I could do DD-WRT or OpenWRT but there's no real point in that. My router already has DD-WRT.

I'm looking for perimeter security and if they can blow through two layers with one exploit it serves me no good. Throwing OpenBSD out at the front line is going to deter exploitation.

So true. PfSense is built on OpenBSD, but if you have time, which I assume you do :p, then doing it yourself is much better. If not just for the knowledge gained from doing it.

#7
April 3rd, 2012, 05:17 AM
mack_guy911

Read my threads; lots of info there.

http://www.wilderssecurity.com/showthread.php?t=315343


I have the ISP modem in bridge mode -> Astaro gateway (dialer I created in Astaro) -> router for wireless

My hardware spec is dual core 1.66 + 4GB RAM, 80GB hard disk

Astaro has one advantage over the others: it has free Avira antivirus + ClamAV free

Free for the full suite, home use only

Limit of up to 50 IPs and 32000 concurrent connections at a time

No clustering or hotspot; they are also not needed for home, I guess

More advantages: in 9 they are adding Sophos antivirus as well, as the second antivirus instead of ClamAV

It's based on Novell SUSE Enterprise Linux

Best part: it has everything installed in one package, not like Untangle, and so many tweak options; it's up to the user how deep he/she wants to dig in.

Many advanced ones like Amazon cloud-based services, virtual servers... etc.

You can block files by extension; by default it blocks exe, so you can add the sites you download .exe's from. This way 80-90% of virus sites are stopped by default before even triggering the antivirus. Sites on a reputation basis, Google safe search... block on an application basis, p2p... etc.

Forums are very friendly and nice :)

Untangle is also a 2nd option if you are looking for a complete suite.

Endian/IPFire are also worth checking; please check and see which suits you best.

For BSD, pfSense is an awesome firewall.
__________________
Scientific Linux 6.2, xubuntu 11.10 *2x, Linux mint 10, Linux mint 12, opensuse 11.4, windows vista, ubuntu 10.04 and windows xp
#8
April 3rd, 2012, 05:42 AM
mack_guy911

-http://www.youtube.com/watch?v=XoYXHGqTK1A-

Some very old reviews... etc.

http://www.pcmag.com/article2/0,2817,2366773,00.asp

I tested Astaro myself a few years back against a malware test; it blocked all the links I tested, because the PCMag editor argued in his test that one should open .exe and not block it.

Whereas I say you download things from, let's say, about 2-30 sites at most; you should add them to the exclusion list for the .exe file extension, whereas the antivirus still checks them.

I used to download from download.com, filehippo.com, Softpedia, Microsoft drivers and the antivirus (KIS) site which I use; for all the rest it blocked .exe by default, and it works perfectly if you want paranoid-mode security or to keep it simple.


http://www.scmagazine.com/astaro-sec...y/review/3615/

http://www.astaro.com/resources/asta...t-savings-bank

#9
April 3rd, 2012, 06:03 AM
mack_guy911

-http://www.youtube.com/watch?v=dY3Ma0TQ0A8-

-http://www.youtube.com/watch?v=xG4Y3XjMGng-

Last edited by mack_guy911 : April 3rd, 2012 at 06:15 AM.

#10
April 3rd, 2012, 11:51 AM
mack_guy911

More here; I put it in the firewall section so more users can see and benefit from it.

http://www.wilderssecurity.com/showthread.php?p=2037349

#11
May 4th, 2012, 10:08 PM
jitte

Quote:
Originally Posted by x942
So true. PfSense is built on OpenBSD, but if you have time, which I assume you do :p, then doing it yourself is much better. If not just for the knowledge gained from doing it.

pfSense runs the FreeBSD OS and the OpenBSD pf firewall.

I just set it up on an old Dell with a 2.66GHz P4, 1.2GB RAM, and a 13.6GB HD and really like it. I'm running it through my router, with 3 FreeBSD boxes behind it and haven't seen it use over 8% memory or 4% CPU yet. I've got its monitor sitting in the corner with pftop running, which is kind of like netstat, so I can keep an eye on connections.

It's a breeze to install and configure, sets up the subnet addresses for you, and comes with packages like Snort and pfblock (where you can block whole countries by default) you can choose to enable if you like. Rules are configured through a web GUI that has a lot of other nice features as well.

I highly recommend giving it a try if you've got an old computer sitting around collecting dust. The download is right around 100MB and can run off a Live CD and I believe off a USB stick too.

Last edited by jitte : May 4th, 2012 at 10:20 PM.
 

All times are GMT -4.

