How To Build Your Own Firewall

Numerous firewall options exist on the market, yet you've heard or discovered that it's possible to construct your own firewall from off-the-shelf hardware and Open Source software. Some commercial appliances even base their software architecture on the Open Source firewall elements available, so you believe (accurately) that it's possible to create a robust and secure network firewall on your own. Thoroughly understanding firewall design, architecture, and implementation is an expert's task, yet we can use readily available tools and some straightforward best practices to create a working and secure solution ourselves. Engineering and deploying firewalls created from scratch will take more time and effort than installing a commercial product, but the result can be optimized and tuned for your particular technical needs. Furthermore, you're likely doing it because of the challenge or just for enjoyment of doing it yourself! Let's take a look at the requirements.

Most modern PCs have far more than enough RAM, CPU speed, and I/O performance to work as a firewall for all but the largest or heavily trafficked networks. Many large businesses did use off the shelf servers as their firewalls--I've worked at some of these companies and seen many such firewalls. A bargain PC won't be your best choice, however, for a couple of reasons. First, you will want to be sure that the motherboard has a high-performance bus controller and that there are enough expansion slots to accomplish what you want. A single free PCI slot simply isn't (usually) enough. Few expansion slots is often also a sign that the system wasn't designed for a long life and constant use. Less expensive motherboards simply are more likely to fail, and you don't want the system burning out in 6 months! Power supplies are another cause of failure, you will want a sturdy power supply that exceeds the minimum needs, provides very reliable output, and will have a long life--it's going to be running all the time.

Next you should consider network interface (NIC) options. Most of the time your motherboard will have a single 10/100baseT Ethernet interface already built-in. This can either be a good thing or a bad thing. Sometimes these provide good performance--other times I've found they weren't as good as my added cards. The main point here is that you will want one network interface for each physical network: two at a minimum. One for your internal (or protected) network, and another for the external (or Internet) network. As you'll see in the design section, this is the minimum; you may want or need several more NICs. If you don't have that many expansion slots on your motherboard bus, there are cards that have multiple Ethernet interfaces on a single card (two, or even four). While this may seem like a neat idea, I don't usually recommend it because if that card fails, two (or four) networks go down rather than just one. Will you be able to replace a four-port card quickly if you don't own a spare? If you are trying to imitate one of the small appliance firewalls, you'll note that they often just have a single four-port Ethernet card, so it's not a horrible idea--just one that isn't ideal. You may want to use a gigabit (1000BaseT) Ethernet interface for your internal networks if you want or need the higher throughput. Home users might consider a Wi-Fi adapter for the internal interface since they may not have or want cabling connecting the firewall to the ideal spot for their wireless router or hub. Routing can become complex, and we'll need to cover that in a follow-up article.