[asterisk-users] Best Firewall Suggestions?

Karl Fife karlfife at gmail.com
Tue Oct 13 18:43:57 CDT 2009


----- Original Message ----- 
From: "Michiel van Baak" <michiel at vanbaak.info>
To: <asterisk-users at lists.digium.com>
Sent: Tuesday, October 13, 2009 5:24 PM
Subject: Re: [asterisk-users] Best Firewall Suggestions?


> On 23:52, Tue 13 Oct 09, Hans Witvliet wrote:
>> On Tue, 2009-10-13 at 14:42 -0500, Karl Fife wrote:
>> > I think one of the very best options is pfSense.  Free Open-source,
>> > but it's BSD based, rather than Linux based.  As such it has a lower
>> > risk of external exploits.  The user-interface makes it incredibly
>> > simple to set up and maintain.  There is an embedded version of it
>> > available to run on affordable/reliable solid-state, diskless, fanless
>> > Soekris/PCEngines embedded system boards.
>> >
>> > It's incredibly powerful, and it's ROCK SOLID. I find the traffic
>> > shaping engine to work without a hitch.  pfSense can do anything you
>> > want including VPN (PPTP, IPSec, OpenVPN), failover (Multi-WAN),
>> > IDS/IPS (snort)
>> >
>> > The NEWEST embedded version 1.2.3 rc3 (1.2.3-release is very close)
>> > can run the siproxd package as well as many other packages that
>> > previously required the FULL version.  Goodbye one-way audio! :-)
>> >
>> > -Karl
>>
>> pfSense with FreeBSD is a very powerful combination, period.
>>
>> However, it is compared with a 64-character password from a generator.
>> Darn-difficult to use, and often written on a post-it and a plague for
>> the help-desk (and thus a security risk in itself).
>>
>> If you are familiar with BSD, good, fine. If not you probably are not
>> aware that you're exposing yourself somewhere (if you got it working
>> anyway).
>
> A good *NIX admin will only need like 2 or 3 hours to get over it and
> understand how BSD works when they work with Linux.
> That's how things work with the admins I have met.
>
> In the end they all choose the elegance and clean code and good
> documentation of BSD over Linux.

One of the deciding factors with us for pfSense was the fact that commercial 
support is also available for it from Centipede Networks.  This way you can 
get quick help when you get in a jam and you have a business to run.  It's 
also nice to have someone with far more expertise than you do a sanity check 
on your NAT tables and rules to ensure you didn't unwittingly "leave the 
gate open".

There's a *-TFOT equivalent book on pfSense about to be published. 
There's also an active mailing list and community.
-Karl 



