Build your own gateway firewall

Learn how to build your own gateway firewall using FreeBSD® and old PC parts. The firewall will consist of the PF firewall, Snort IDS, various IPS applications, Squid proxy, and some intuitive web interfaces for auditing. The cost of this project should be between free and $200 depending on your resourcefulness. I built mine for free using spare parts that were stockpiled in personal storage and parts that the USMC was throwing away, but you can build one from used and/or new parts for dirt cheap.

NOTE:
This is a work in progress, and unfortunately, due to college and work, I don't have the time right now to cover every detail of this project. I'd love to collaborate with others to cover what we can. If you're interested contact me at j0hn7r0n at gmail dot com or catch me online at j0hn7r0n (AIM) or iiwishihadaname (Yahoo).

The FreeBSD Logo is a trademark of The FreeBSD Foundation and is used
by John Syrinek with the permission of The FreeBSD Foundation.

The mark FreeBSD is a registered trademark of The FreeBSD Foundation
and is used by John Syrinek with the permission of The FreeBSD Foundation.

Remove these ads by Signing Up

Step 1: Parts

Through the use of open-source software (OSS), outdated PC hardware, and a little know-how, you can build a cheap and highly effective gateway firewall to protect your SOHO LAN.

Software
FreeBSD has its roots in the server environment, and continues to impress me with its performance, ease of use, and security. Combined with it's zero-dollar pricetag, FreeBSD provides the average user with a culmination of the most modern features, powerful network services, and intuitive setup processes. Apple apparently liked it so much, that they combined FreeBSD with the Mach 3 microkernel and a fancy desktop environment known as Aqua to create OS X.

Hardware
The hardware used for my gateway firewall consists of the following:

An old Pentium 3
256MB of PC100 RAM
Two 100/10baseT(X) NICs (one on-board)
50GB IDE hard drive
Generic IDE CD-ROM drive
An old junker desktop ATX case
300W PSU
Some Cat5/5e/6 ethernet cable

Most of this stuff can be found at computer scrapyards for between cheap and free. The USMC actually donated the case, motherboard, and processor to me when they cleaned out an old computer warehouse.

Believe it or not, dumpster-diving (eeek!) can turn up a whole slew of useful hardware. Large businesses and educational facilities often throw outdated computers away in large quantities. Though outdated, these would be ideal for our purpose. Be sure to ask the owners if you can help them dispose of their trash before you go digging around though.

I have quickly built a shopping cart on Newegg.com to give you an estimate of what it would cost to build this project with completely new parts. The grand total came to $171.94. Please realize though, I HAD to choose hardware that is considered overkill. People just don't sell the old stuff anymore. It costs them more to keep it in inventory than they can make selling it.

FKINGLAG says: Apr 14, 2011. 3:53 PM

Awesome, you broke the site's web format with this page.

whatwhatbia says: Aug 30, 2008. 3:55 PM

Sorry such a noob question but why would this be better then my netgear router/gateway? I also have a bluesocket wireless wg2000 gateway i bought on ebay which fits the requirements and the com port is broke and their is no way to access it except for ssh or ethernet connection, would this be a good thing to use my bluesocket for? thanks for a great article btw

Johntron (author) in reply to whatwhatbiaSep 1, 2008. 4:37 PM

If you have a netgear router/gateway (WRT54G?) and know how to use it, then do so. Use what you have. I don't kno what a bluesocket wg2000 is, but if you can install FreeBSD on it, it would work. I had a bunch of extra parts lying around, and I know FreeBSD, so that's what I used.

WizzardGod says: Jan 9, 2008. 8:33 PM

Alright I have a question about this. You know of a good system for using fiber cards? I am going to have a oc3 line into the building.. I am use to the cat5/cat6 linux firewall settings.. but wondering if anyone has ever worked with fiber cards? and what flavor of *nix is good for it? Thanks, Brad

Johntron (author) in reply to WizzardGodJan 12, 2008. 10:10 AM

Any modern flavor of BSD should work. Here's a list of FreeBSD's ethernet driver support: http://www.freebsd.org/releases/6.0R/hardware-amd64.html#ETHERNET Also, you may have to do some tuning to compensate for the stricter timing, not sure. I know that fibre in the Gb range sometimes drops tons of packets because of this. This may be an old issue. What's the OC3 for? Sounds expensive.

WizzardGod in reply to JohntronJan 12, 2008. 11:49 AM

Well a client of mine is creating a Movie Production company with a youtube backend system. just due to restriction of content and contract signing.. I am kind of a closed book when it comes to too much detail. hope you understand, and also thanks alot for the info. I had a feeling I would be going more pure unix based backbone.. Brad

Johntron (author) in reply to WizzardGodJan 12, 2008. 1:12 PM

Cool. Let me know how things work out.

mtritschler says: Nov 13, 2007. 5:42 PM

Would you be able to make this a wireless access point (aka wifi router) by adding a wireless card?

Johntron (author) in reply to mtritschlerNov 15, 2007. 3:19 PM

Sure could.

phpCypher says: Apr 10, 2006. 8:24 PM

very nice article ! I used to run Free with IPFILTER on a Pentium 133 with 32 megs of ram(EDO !!) running a hacked kernel ;) I finally decided to upgrade the box when the timing attack for SSH1 came out :memories: I am about to delve into PF so that part is beneficial to me, thanks It used to do routing for a webserver(also running free), 4 roomate's PCs and an XBOX playing Unreal ;) It took forever to figure out the rules for Xbox live though

robisonjoel in reply to phpCypherOct 11, 2006. 12:03 AM

Could you send me an email or a post about what rules you used to get pf to work with your xbox? I have a 360 and downloading things is slow.

Johntron (author) says: Jun 17, 2006. 7:25 PM

Well, I'm back from Europe now. I'll finally have time to finish this article. Thanks for the honorable mention in the March contest.

boma23 says: Apr 20, 2006. 6:50 PM

props all the same, mind

boma23 says: Apr 20, 2006. 6:49 PM

doesn't Smoothwall do this? a free Linux based dist with setup GUI and admin Web GUI, which does this on anything from a P120 with 64MB up...

Johntron (author) says: Apr 16, 2006. 10:10 PM

OK, I've added information about UPS's to the conclusion. I've also added a lot to the actual software configuration thanks to Craig McLean's contributions. He wrota a very similar howto on using FreeBSD and IP Filter for the same purpose. I've integrated it as best I can. Please let us know if you find any errors. Thanks Craig!

Stevebucks says: Apr 12, 2006. 12:18 AM

I ran my home gateway with FreeBSD 4.6 on a K6-300, 128K EDO RAM and 2.5G HD for three years without doing any maintenance. Last year I switched to a PIII Celeron 850 which someone gave me, because they couldn't use it for games anymore. But, it is overkill for my home gateway, and I love it ;). So, don't knock the old hardware sitting somewhere in your attic or basement. The K6-300 would still be working fine now, even with the CPU cooling fan frozen at a dead stop ;) Unless you have fiber to the home with fast Ethernet access, I don't see why anyone would need more than an PIII for this project. One thing I might add though is mentioning a UPS. If you have ever had a power failure make your machine unbootable, you will find that a hundred bucks spent of UPS is a very worth while investment. Oh yeah, I almost forgot; the glove was shrunk AFTER the blood dried on it.

Johntron (author) in reply to StevebucksApr 12, 2006. 12:11 PM

Haha, I couldn't find a picture to use for that page. I'll definately throw mention of UPSes in there. Wouldn't want everyone to fsck up all their hard work :P

spinach_dip says: Apr 10, 2006. 10:31 PM

Hate to rain on the parade here but you spent 4 long winded paragraphs on building the system and less than 1 on installing and making bsd work. I think I am not alone in saying that most of us have hardware experience but maybe none, or little experience with bsd or openssh, etc etc.

Johntron (author) in reply to spinach_dipApr 11, 2006. 9:42 AM

Yes, I realize that. As I said in the article, I'm short on time right now. I plan on making the software portion as much (or more) comprehensive than the hardware portion. I'm looking for contributors until I have the time to write it myself. I've already got one, but more would be appreciated. Thanks for your input.

pitrh says: Apr 11, 2006. 4:10 AM

for a bit more info on the hows and whys of pf, try either the pf user guide at http://www.openbsd.org/faq/pf/index.html or my pf tutorial at http://www.bgnett.no/~peter/pf/ (with a bit more handholding)

Johntron (author) in reply to pitrhApr 11, 2006. 9:40 AM

Oops, forgot to link the PF guide. I'll put both in the article. Thanks!

casey32123 says: Apr 11, 2006. 4:41 AM

In your freebsd firewall article you recommended to clean the parts with a paint brush. This is dangerous because static electricity may be generated and could damage the chips. My aunt cleaned the motherboard of her old 486 with a feather duster and after that the machine wouldn't boot because the CMOS chip died. The CMOS ram and clock chip is probably the most static sensitive part of the motherboard because it is designed to be very low powered so that it can run off a battery. Your paintbrush may not generate much static, but other peoples brushes may be made of different materials that generate more static. Â Static is insidious. Often it just weakens parts so that they fail months later. It's a good idea to wear an antistatic wrist strap especially when working on someone else's computer. Otherwise, nice article.

Johntron (author) in reply to casey32123Apr 11, 2006. 9:39 AM

Fixed!

Johntron (author) says: Apr 10, 2006. 8:41 PM

Cool. See, old hardware is still useful. It just takes some creativity and know-how. We've got a Cisco cable modem connected to our gateway firewall. The firewall is connected to a 24-port 100Mbit switch. We have an 8-port gigabit switch and a 108Mbps 802.11g AP for the laptop connected to that. Our media server/sandbox and gaming rigs are all connected through the gigabit. Some of the items on our wishlist include a rack and cases, and dedicated media server with more storage (buy me some of those WD RE2's!). I'd also like to build an EPIA-N based set-top box using a SATA to Compact Flash converter for storage, and an Atheros Mini-PCI card.

gmcintire says: Apr 10, 2006. 8:17 PM

As long as you don't run the extra stuff like snort and squid, a MUCH lower-end machine will work great. I've had a p3/650 with 192 meg ram running OpenBSD 3.6 and doing bridging firewalling using PF for a few years now. With 3mbit (2 x t1) it may get to 4% CPU usage if you're lucky.

fredludd says: Apr 10, 2006. 6:38 PM

Lesser machines work nicely enough. I used a 120MHz Pentium with 96MB running FreeBSD 5.4 to firewall a DSL connection for five users. Nobody was unhappy.

markhoekstra says: Apr 10, 2006. 1:40 PM

Nice comprehensive article. Only one thing, where do you get your minimum requirements from? I mean, Â» Anything older than a Pentium III or AMD K7 is pushing it. Take caution when using a processor slower than 1GHz. Euh? A firewall/gateway on BSD/Linux will run fine on a Pentium 133Mhz for instance. I've build dozens of routers and my current router is a 143Mhz Sun Ultra (running OpenBSD) but even on PC-hardware, anything Pentium 1 is plenty for these kind of tasks, only depending on the bandwidth handled, but considering Â» Your NIC should support atleast 10Mbps ethernet For handling 10Mbps of traffic, any Pentium 1 or 2 should be enough. Don't forget the power this all consumes. Recommending a socket A-CPU for instance is around 65watts for the CPU alone (doing nothing), while a P133 is consuming 11 watts. A Linksys WRT54G which is considered a quite capable and powerful router has a 200MHz CPU inside and a 'high-end' Cisco PIX 515, capable of handling a full load of 100Mbps of traffic, I believe there's a 433MHz Celeron inside (not quite the same as in an office-PC, but still), so I'm puzzled why you would even want a CPU of 1GHz or more for just this. Next to that, this is no offence or anything, the more people busy on these subjects, the merrier

Johntron (author) in reply to markhoekstraApr 10, 2006. 5:06 PM

Updated! (Thank my boring class for the progress)

Johntron (author) says: Apr 10, 2006. 4:25 PM

Yeah, as I stated, I plan on fixing that when I have the time. I used to have a Pentium Pro as a cable modem at my old place. Eeek, I'd never run a mailserver/webserver/database server on a firewall. I guess it's cost effective though as long as you don't have anything of value on there. Thanks for your input :)

unclerichy says: Apr 10, 2006. 3:11 PM

Finally, a firewall/gateway article that's not about Linux! Anyhoo, 1GHz minimum? That's a bit extravagant isn't it? I remember the days when my FreeBSD 2.7 box was a 386 with an internal ISA 14.4 modem. I now run an EPIA V8000 as my firewall/gateway/mail/web/sql server.

Johntron (author) says: Apr 10, 2006. 2:00 PM

Yeah, you're right. I guess I was thinking about my media server when I wrote this article. I'll update the minimum requirements when I get a chance. Thanks for your input.

neo.anerson says: Apr 10, 2006. 5:12 AM

Hail H4Xo|2 Lord .... U are just unbelievebly good ...great ...superb ....I'm at a loss of words GURU