What hardware firewall do you use?

**spaceman** · 02-06-2006 03:58 AM

Researching around these forums has led me to conclude that very few cPanel+WHM users have co-located servers, and therefore the issue of hardware firewalls rarely comes up because the firewalls all tend to be either software (normally APF) or hardware firewalls (which are managed independently by the data centres).

So I thought I'd start a thread on hardware firewalls.

Right now I've got two Dell 1850s sitting in a very nearby data centre here in sunny Perth, Western Australia. They've got fresh installs of CentOS on both of them, but doing nothing very much until I pull my finger out and either a) decide to scrap the idea of a hardware firewall and go software only (exactly as I've been used to with my ded. servers in the US), or b) buy, install and configure a hardware firewall for an extra layer (complexity?) of hardware protection that me and my hosting client have not previously enjoyed.

I initially tried to use a Netgear FVS318 (http://www.netgear.com/products/details/FVS318.php) but have found the web interface to allow insufficient control for my needs.

I've seen the Linksys RV082 given a good rap here and there: http://www.tomsnetworking.com/Review...odID-RV082.php

... but now I've got the data centre recommending the Cisco PIX 501 (http://www.cisco.com/en/US/products/...ps2030/ps2031/)

My needs are humble: 2 Linux web servers (not huge load) running cPanel+WHM and a Windows (don't ask!) box to be used for remote backup purposes (no web server).

So I'm looking for an entry level hardware firewall that will look after the immediate needs of these 3 servers.

Comments anyone?

**forlinuxsupport** · 02-06-2006 04:18 AM

anyone.. please feel free to post your opinions..

would be interesting to see who uses what and which is best.

**mwatson** · 02-14-2006 08:34 AM

You want the Cisco PIX.... nothing else even comes close to comparison.

We run a pair of Cisco PIX 515e firewalls, 2nd one is a hot-failover unit in the even the first fails. The only thing i would ever consider those linksys/netgear/etc. devices for is for like branch office connections.

**dave9000** · 02-14-2006 07:06 PM

if you have a spare server low end not in use take a look at this

http://www.astaro.com/firewall_netwo...urity/firewall

we are testing this solution now at our NOC

the cisco pix is a ideal solution for firewalls but its a bit pricy for a small operation

**webz05** · 02-25-2006 07:31 PM

Juniper has great hardware firewalls for entry and for big enterprise buisness, i would check them out.

**Lyttek** · 02-25-2006 07:49 PM

PIX firewalls can be obtained for next to nothing on ebay. I've used 501's in the past (one still in use) and it's pretty much "set it and forget it".

**spaceman** · 02-28-2006 09:27 PM

Originally Posted by Lyttek

PIX firewalls can be obtained for next to nothing on ebay. I've used 501's in the past (one still in use) and it's pretty much "set it and forget it".

Thanks for that vote of confidence in the 501. Can you confirm that you successfully manage (using the 501) more than 1 server (running cPanel) with multiple IP addresses associated with each server?

We're going through some slight 'birthing pains' right now in relation to the scenario above, more specifically with the need to have 'real world' IPs directly accessible by cPanel, i.e. can't use NAT. This from cPanel:

"The problem is that the licensing server needs direct access to the licensed IP. The licensed IP needs to be a public IP. I have seen clients set up cPanel/WHM behind NAT before, but every time they run into trouble. You can try searching the forums for tips on using cPanel with NAT (or in your case PAT, but as far as the licensing server is concerned, it basically the same thing) If the licensing server cannot 'see' the licensed IP, cPanel/WHM will not work. "

I'm no firewall expert, so right now I've got my local data centre techs (who are in control of the PIX 501) chatting directly with cPanel.

Thanks for any additional help anyone can give with this specific scenario.

**dave9000** · 02-28-2006 11:11 PM

The one thing I like about the astaro firewall software and appliances is they have transparent bridge mode which means public ips will pass thru with no modifications.

the astaro filters in layer 2 when in bridge mode instead of layer 3 like the most of the rest of the firewall that are NAT only

**Lyttek** · 03-01-2006 09:31 AM

Recently used a PIX 510 (IIRC) and it was setup to NAT 1-1 public/private IPs, worked fine. The 501 still in use is on a Windows server, so I can't verify/test any issues with cPanel.

Having said that, I can't see why a properly configured router/firewall would cause issues. Within the past month I built a cPanel server at home... installed and tested cpanel for a week while behind a Linksys router!

**dave9000** · 03-09-2006 10:03 PM

1-1 nat may work fine with cpanel servers our problem is we have many different services running on a wide range of ports on various servers and some of the services require direct connect to function properly so thats why we had to go with a transparent bridge firewall

But for someone that has extra hardware available it would be worth the time to look at the astaro software firewall version

it will do nat,1-1nat or transparent depending on your needs and is priced reasonably

also has all services available as proxy and includes snort intrusion protection,several spam,anti virus filters and will handle ip-sec and pptp vpns and is cheaper than a appliance

and is fully custom configurable

**hostmedic** · 04-03-2006 10:28 PM

any clue on cost

Dave - any clue on cost for this - nothing is listed on the website
Their trial seems to be down @ the moment as well

LinkBack

Thread Tools

What hardware firewall do you use?

cPanel behind hardware firewall (if you've done it, please help?)

Hardware firewall

Hardware Firewall and cPanel

Hardware firewall and Cpanel ?

Hardware Firewall..