PC-based Software Firewall/Router


Computer security has become an increasingly important issue in recent years as the Internet has gone from primarily a research network to a worldwide network with hostile attackers. The challenge is to balance computer security against the need to facilitate cutting-edge research and worldwide collaboration.

In order to meet these needs, we have found it more cost-effective to build a firewall on a PC-based platform than to purchase a commercial firewall product. We believe we can leverage our experience in high-performance cluster networking to tune a PC-based firewall that provides flexible security while still maintaining high throughput.

We chose as a first implementation OpenBSD running on a Dell server platform with 4 Intel E1000 adapter cards. This is then connected to our elan switch infrastructure on 3 main SCL subnets: one for desktops and servers, one for laptops, and one for test machines.

OpenBSD was chosen due to its focus on security and firewalling, and its support for firewall fail-over with the CARP protocol. Additional complications were presented by the need to support multicast routing for the AccessGrid video conferencing node.
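As an added illustration (not configuration from the original page or from the SCL firewall), the fragments below show what a CARP fail-over setup with pf rules for three internal subnets and multicast pass-through looks like on OpenBSD. All addresses, the virtual host IDs, the CARP password and the interface assignments are constructed placeholders; the `em` interface names assume the Intel E1000 cards attach to OpenBSD's `em` driver, and the `pfsync` state-synchronisation interface is an assumed addition that the page itself does not mention.

```conf
# /etc/sysctl.conf (both firewalls)
# allow CARP advertisements and let the primary take the virtual IP back after recovery
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=1        # multicast forwarding for the AccessGrid node (assumed)

# /etc/hostname.carp0 on the primary firewall (constructed addresses)
# vhid must match on both firewalls; the backup uses a higher advskew (e.g. 100)
# so the primary wins the master election
inet 10.1.0.1 255.255.255.0 10.1.0.255 vhid 1 pass REPLACE_WITH_SECRET advskew 0 carpdev em1

# /etc/hostname.carp1 and carp2 would do the same for the laptop and test subnets
# (vhid 2 and 3), each bound to em2 and em3 respectively.

# /etc/hostname.pfsync0 (assumed; keeps pf state tables in sync so fail-over
# does not drop established connections). Use a dedicated crossover link.
up syncdev em0

# /etc/pf.conf (both firewalls, constructed)
ext_if   = "em0"
desk_if  = "em1"       # desktops and servers
lap_if   = "em2"       # laptops
test_if  = "em3"       # test machines
sync_if  = "em0"       # pfsync link (assumed to share em0 here; a separate NIC is better)
int_ifs  = "{ " $desk_if " " $lap_if " " $test_if " }"

set skip on lo
block log all

# CARP and pfsync must pass or fail-over silently breaks
pass quick on $sync_if proto pfsync
pass quick on $int_ifs proto carp keep state
pass quick on $ext_if  proto carp keep state

# multicast signalling for the AccessGrid node: IGMP membership reports and
# PIM between routers, plus the multicast data range itself
pass quick on $int_ifs proto igmp
pass quick on $int_ifs proto pim
pass in  quick on $desk_if from any to 224.0.0.0/4
pass out quick on $ext_if  from any to 224.0.0.0/4

# ordinary policy: internal hosts may originate traffic, test machines may not
# reach the desktop subnet
pass in on $desk_if from $desk_if:network to any keep state
pass in on $lap_if  from $lap_if:network  to any keep state
block in on $test_if from $test_if:network to $desk_if:network
pass  in on $test_if from $test_if:network to any keep state
pass out on $ext_if keep state
```

On the backup firewall the only differences are a higher advskew in the carp interface files and its own real addresses on em1-em3; pf state tables are carried across by pfsync. After loading the rules, `ifconfig carp0` showing `carp: MASTER` on exactly one box, and `pfctl -s states` showing matching entries on both, is the check that fail-over will be transparent.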

To support multicast routing, we evaluated the XORP software router package. Our first attempt was with the 1.0 release. After consultation with one of its developers, Pavlin Radoslavov of the XORP project, we upgraded to the CVS version, as well as upgrading to OpenBSD-3.6-current from CVS. Some gotchas for building XORP included needing to build gcc-3.3.2 from the OpenBSD ports system, and patching netstat to match OpenBSD-3.6-current.

Based on this work, we hope all the appropriate patches will get into OpenBSD-3.7 and XORP-1.1, giving a fully multicast-routing-capable firewall. We will continue to update our Multicast-firewall HOWTO as this develops.