Of Firewalls

October 8, 2005

So, as you read in my previous posting, I have switched firewalls. The switch from m0n0wall to my new Juniper Netscreen 5GT was pretty easy -- at least the basic stuff. I had a lot of spam and blocking rules on the m0n0wall box that I have to figure out how to convert (from m0n0wall's XML to those IOS-looking commands for Netscreen).

But, enough of those random thoughts. Here are some random thoughts I have about the new box compared to the old. Don't get me wrong, if I had not gotten the Netscreen 5GT from Mike, I would still be happily using m0n0wall. Why? Because m0n0wall is free and it works great on a really old computer with two NICs installed. The best thing about it was that it stored all its settings on a single floppy in XML format. It booted off a single CD and ran without any problems. If there was a problem? I'd reboot the machine, it'd boot from the CD, grab settings from floppy and then come up just dandy. Great system. m0n0wall also let me block packets down to the port level -- something like Smoothwall only let me block packets down to the IP address. That is a very important feature for me since I like to block incoming SMTP stuff while still letting the machine access HTTP stuff. Or, if I had the fancy, do it the other way around. That kind of granularity was the biggest selling point of m0n0wall.

The Netscreen 5GT gives me that same sort of granularity, but in a different sort of way. I like how the 5GT handles rules better than m0n0wall in the sense that I can build groups of address book entries for hosts. Then from there, for each policy (or rule), I can assign one or multiple groups for the policy to affect. With m0n0wall, I had to add a rule for each set of hosts, which is not a bad thing, but makes for a very long list of rules.

To give you an example: if I wanted to block SMTP traffic from spammers 1.2.3.0/24, 1.2.4.0/19 and 1.2.2.0/16, I'd have to create three of the same rules in m0n0wall, the only difference being that each rule would have a different address punched in. On the 5GT, I'd create a group named "Spammers", add those three groups of hosts to the address book, then assign them to the "Spammers" group. I then create one rule (policy) to block SMTP traffic from "Spammers". It makes things a lot easier to manage since I have fewer rules to look at when I am trying to figure things out.

There are certain things that m0n0wall handled that the 5GT does not, and those things I had to move over to other machines. The two largest ones were DNS and DHCP. Yes, DHCP, but I'll write about that after I explain DNS. m0n0wall has a built-in DNS forwarding service that ties directly in with the built-in DHCP service. This is a great feature. I can assign IP addresses and DNS names to MAC addresses; when those machines come online, they always get the same IP address and the DNS always has them in the system. Also, I have to assign names to internal machines so that I can access them without looping outside then coming back in with traffic -- slooooow. So, the built-in DNS in m0n0wall really helped there. The 5GT is sadly lacking in this functionality. So, I had to set up DNS services on the ultramookie box to take everything over. Now, the 5GT does have DHCP facilities, but since I needed to assign addresses to internal boxes, I wanted to give them IP addresses and DNS server addresses all at once. So, I had to move DHCP stuff off to the Airport Extreme Base Station.

What I like about the 5GT, since I am a very visual guy, is that it has graphs for traffic. But, m0n0wall does too. Here's the difference. In m0n0wall, I have a graph for the traffic at the very moment and it is aggregated traffic for all rules. That is a graph that is not available on the 5GT, but I don't miss that graph because I have ifgraph to tell me that. What is on the 5GT are policy traffic graphs. So, for my HTTP policy, I can view a historical graph of the traffic over the last month. It is very cool and I like to see how the traffic breaks down. So, for each policy (HTTP, MAIL, EA Online gaming, etc.), I can see how much traffic each generates over different periods of time (seconds, minutes, etc.).

What's more, for each policy on the 5GT, I can see the logs. This is in comparison to my m0n0wall box, which lumped all logs together. The 5GT allows me to attach schedules to each policy, which I find very interesting and have been fooling around with lately. I may find some interesting ways to schedule things (like maybe having all googlebot traffic allowed only late at night?).

The 5GT has a command-line interface, which I really like (and need to learn better). The CLI on the 5GT reminds me a lot of the CLI in IOS. m0n0wall has all command-line access disabled, which I can understand since CLI access to a full BSD subsystem would make for a slight security risk.

Some features that I really don't use on the boxes: VPN, both have it, I haven't found a need to fool around with it. Captive portal, this is available on the m0n0wall box, but since I am not planning on opening my WiFi connections to anyone, it has gone unused.

Here's the biggest benefit of switching to the 5GT: two fewer noisy fans and one less full-ATX power supply in the office. The 5GT is encased in all metal, so it dissipates heat without any fans. It is probably pulling a lot less power than a full ATX power supply also -- and because it has four switched ports on the back, I have eliminated the need for a separate switch in the office also (further saving power). I am really happy with the 5GT, it is fast and does all that I need it to do.
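The "Spammers" example above, written out the way it would look in ScreenOS CLI, together with the per-policy logging and counting that the policy logs and traffic graphs depend on. This is an added illustration, not configuration from the original post or its author: the Trust/Untrust zone names, the predefined SMTP service, policy id 10 and the address entry names are assumed, and the "#" lines are annotations for the reader rather than CLI input.

```text
# Added example (not from the post). The three networks from the text go into
# the Untrust address book once. ScreenOS takes dotted masks and a network
# address with the host bits zero, so the post's 1.2.4.0/19 and 1.2.2.0/16
# are entered on their /19 and /16 boundaries (both are 1.2.0.0).
set address "Untrust" "spam-net-1" 1.2.3.0 255.255.255.0
set address "Untrust" "spam-net-2" 1.2.0.0 255.255.224.0
set address "Untrust" "spam-net-3" 1.2.0.0 255.255.0.0

# One address group collects them. A fourth network later is one more
# "set address" and one more "add" line; the policy below stays untouched.
set group address "Untrust" "Spammers"
set group address "Untrust" "Spammers" add "spam-net-1"
set group address "Untrust" "Spammers" add "spam-net-2"
set group address "Untrust" "Spammers" add "spam-net-3"

# A single deny policy replaces the three per-network rules m0n0wall needed.
# "log" gives this policy its own log view; "count" enables the per-policy
# traffic graphs. Policy id 10 is an assumed free id.
set policy id 10 from "Untrust" to "Trust" "Spammers" "Any" "SMTP" deny log count

# Persist the running configuration to flash.
save
```

A quick check after applying it is to look at the policy's own log and counters rather than the global event log, which is exactly the per-policy split the post contrasts with m0n0wall's single lumped log.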
I am a tiny bit disappointed that such an expensive box does not have a DNS forwarding server built-in, but that's OK, my other box can take care of those duties. Would I have paid good money for the 5GT? Probably not since m0n0wall is free and does everything I really need. But, since I have the 5GT, I might as well put it to good use!