On Tue, 21 Mar 2000, William W. Austin wrote:
> I am getting ready to set up a firewall between my DSL provider and my lan at
> home (nothing big -- 3 machines there), and have been planning to use an old
> 200Mhz pentium machine as the firewall box. However, this weekend I saw some
> info on a Linksys EtherFast Cable/DSL Router, model # BEFSR41.
>
> Its feature list looks impressive, and the street price is somewhere down around
> 150-160 as best I can figure. The box is a 4-port hub/router with the firewall
> built in, and it supports 10/100 Mbit lan on the local side.
>
> The only real drawbacks I can discern so far are that many of the advanced
> features are not supported except through reading the manual (what a concept: a
> manual with information :-) [no hassle], and that the only OS's they really know
> about are apparently Win95/98/NT (2000? -- I'm not sure).
>
> Anyway, does anyone have any experience with this box -- it looks awfully
> attractive at this price... Any drawbacks? Any problems?
Any drawbacks to such a proprietary box? LOTS!!!
1) Price. $150 vs $30 (or so) for a 2nd ethernet card for your PII/200.
$40-$50 for a 4-port 10/T ethernet hub if you don't have one yet.
2) Performance: Your PII/200 with linux will outperform any of the
little black boxes that I have seen or tested (and I've tested lots,
although I admit I haven't tried the one in question.) This may not
be an issue for you, since you only have a couple of machines.
3) Flexibility: black boxes are totally fixed: what you see is what you
get. Your own ipmasq box is a real computer - you can add cards or services
or easily reconfigure it. You cannot do this with the proprietary box.
The proprietary black box is totally inflexible.
For example, if you want to run 100BaseT instead of 10BaseT, you must buy a
new router. If you need to dial up sometimes, in case your DSL connection
is flaky and you want a back up, you must buy another $150-$200 box.
With your own box, you can simply add a modem and switch to ppp for the
internet connection instead of the second ethernet card (only a couple of
changes in a couple of configuration files to switch over and no changes
for the PC's on your LAN). If you needed to add a second LAN (e.g. one LAN
for a "public" classroom and one LAN for your office machines if you're
paranoid), you simply add another ethernet card in your box, but there is
no way to do this with the black box. If you need to add a service such as VPN (Virtual
Private Network which is important in setting up a WAN), you may or may
not be able to do this with the black box (some of them supposedly support
VPN), but you may have a fun time trying to find out how from the company
that builds the box (see supportability below). Because a NAT (or PAT)
box is a firewall, if you want to have various kinds of servers available
to the outside world (e.g. web server, ftp server, mp3 server, pcanywhere
or other remote control, audio server, game server...) you have to make
configuration changes to your firewall. This is possible on a linux ip
masquerade box (in fact often easy). It may or may not be possible on
the black box. At the very least, you may have to do a bios flash
upgrade on the black box to add support for additional kinds of services.
Many black boxes advertise support for a web server behind your firewall.
Some do not. However, most other things you may or may not want to be able
to provide to the rest of the world (or even yourself when you are not
at home) will most likely not be possible with the black box, but are likely
on your own ipchains box.
4) Supportability (this may be the single biggest issue)
What if there are problems in configuring or in operation of your
box? Sometimes problems are with your hardware, sometimes with your
phone company, sometimes with your ISP. There will be problems, it's just
a matter of when. Try to get support out of the black box manufacturer
or sales company. You may, but I've had lots of problems with various
manufacturers of various kinds of equipment over the years. Finger pointing
is one of the biggest problems. They will take you through a couple of
so-called "diagnostic programs" and then they will try to blame your
systems, or your phone company or ISP. If you call the phone company
or ISP, you are REALLY SOL: they will tell you that your DSL
connection is for ONE machine. If you put one machine on the DSL
connection instead of your NAT box, and it works, you think you know
that the problem is not the phone company or the ISP. However, the
NAT box maker may still think the problem is not their box. Finger pointing.
Contrast that with the kind of support you get out of this list. How
many testimonies can you get of how people on this list helped, in a
fairly short period of time, to get an ipchains box back up and running.
5) upgradeability, especially for security or bugs.
Upgrades and bug fixes are available all the time. The ease of getting
notified (by subscribing to redhat-watch and redhat-announce lists
@redhat.com), then downloading rpm via ftp directly to the box, and simply
saying: rpm -Uvh packagename to install the update, is very important.
You don't need to use some other box running a tftp server to do
the bios flash upgrade of the black box. It is a mistake to think
that the proprietary box is perfect - no bugs, no need for security patches.
The sheer volume of users of the ipchains software under linux to beat on
the system dwarfs the number of users beating on the black boxes.
(Unless, of course, someone has succeeded in putting RedHat with ipchains
in a ROM on a black box :-) Open source means better software! That's
the message of Linux, right?
You avoid delays while you try to call the manufacturer, wait on hold for
their Help Line (if they have one), or play phone tag, or delays with e-mail
(or how do you read e-mail if your network connection's down?).
What if you want to do a wireless connection to the Internet or whatever
comes down the line 3 years from now? The PII/200 with RH and ipchains
should allow you to keep up with the times. You don't have to buy
another box.
If you are worried about configuring one, the ipchains howto at
http://metalab.unc.edu is pretty good. Or, you can check out my own howto
at:
http://www-jerry.oit.duke.edu
or (more specifically):
http://www-jerry.oit.duke.edu/linux/bluedevil/HOWTO/howtolist.html
or (even more specifically):
http://www-jerry.oit.duke.edu/linux/bluedevil/HOWTO/ipchains_howto.html
***************************************************************************
Jerry Winegarden OIT/Technical Support Duke University
[EMAIL PROTECTED] http://www-jerry.oit.duke.edu
***************************************************************************
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
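The two-card masquerading setup argued for above (one interface toward the DSL modem or, as a fallback, a ppp0 dial-up link; the other toward the small LAN; one web server behind the NAT box exposed to the outside), written out as an ipchains/ipmasqadm ruleset. This is an added example, not from the original post or the linked HOWTOs; the interface names, the LAN addresses and a static external IP are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): ipchains/ipmasq ruleset for a
# PII/200 with eth1 toward a three-machine LAN and either eth0 (DSL) or ppp0
# (dial-up fallback) toward the Internet. All addresses are constructed for
# the example, and the external address is assumed to be static.
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.10   # constructed: the LAN host running the web server
EXT_IP=203.0.113.5        # constructed: the address the ISP assigned to us

# Emit the ruleset for a given external interface. Switching from DSL to the
# modem is then "ipmasq_rules ppp0" instead of "ipmasq_rules eth0"; the PCs on
# the LAN need no change at all.
ipmasq_rules() {
    ext=$1
    cat <<EOF
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
# Anti-spoofing: a packet arriving from outside must not claim a LAN source
ipchains -A input -i $ext -s $LAN_NET -j DENY -l
# Masquerade (NAT) the LAN's outbound traffic on the external interface;
# the DENY policy above means nothing else is forwarded
ipchains -A forward -i $ext -s $LAN_NET -j MASQ
# Expose exactly one service: redirect inbound TCP/80 to the LAN web server
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $EXT_IP 80 -R $WEB_SERVER 80
EOF
}

# Apply the rules on the firewall itself (root, 2.2 kernel, ipchains and
# ipmasqadm installed); anywhere else just print them for review.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v ipchains >/dev/null 2>&1 \
        && command -v ipmasqadm >/dev/null 2>&1; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ipmasq_rules "$1" | sh -e
    else
        ipmasq_rules "$1"
    fi
}

apply_rules "${1:-eth0}"
```

Run with no argument for the DSL card, or with `ppp0` after bringing up the modem link; only the masquerade and anti-spoofing rules change between the two.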