SO/HO firewall review

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,693
Hello ladies and germs

I got a new toy yesterday, a hotbrick 401w small home/office firewall appliance with wireless capabilities to replace my extremely aging and noisy p166 home made firewall. The p166 had certainly seen better days, having survived several OS upgrades (openBSD and freeBSD) and a disk failure in the past; it had started to become old, clunky and especially noisy, with its replacement 2gb scsi disk generating a high-pitched whine that really really really really was starting to get on my nerves. While talking about small and silent firewalls with a friend, he pointed me towards the hotbrick, and after looking at it for a while I decided to get one.

The appliance comes in a small box, containing the firewall, its power supply, a -very thin- booklet with startup instructions, a cdrom and the screw-in aerial to aid the wireless reception. The 401W Hotbrick is about the size of a DVD case and cooled passively, making it utterly silent, which pleases me no end after the noise of the p166. Leafing through the booklet briefly I thought that I should be able to muddle through as it all seems to be web-based configuration, so I connected the Hotbrick to my internal lan and pointed my browser at its configuration page. Pleasantly surprised that the brick is intelligent enough to be able to handle an ethernet cross-cable on any of its 4 LAN interfaces, I ran through the configuration wizard and all was well and good until I connected my ADSL modem to the 'brick's WAN port. After that nothing happened, as the 'brick couldn't manage to get an IP number off my provider's DHCP server. I ran through the configuration a few times, and it all looked good, so I was stumped until I realized that my ISP had probably hard-coded my old firewall's MAC address into their systems. Luckily the Hotbrick has a user-configurable external MAC, so once I programmed that to be the old firewall's I suddenly had an IP and there was traffic on the wire!

While I'd been working out what had gone wrong previously, I'd configured the appliance for my needs, turned off its internal DHCP server and wireless capabilities, and set up port forwarding to my in-house web and email server. The 401W also has an option to DMZ a single internal IP (because it's the smallest model; the bigger ones can do a lot more but are also more expensive). This DMZ lark presents the machine in question as if it was connected directly to the internet, so you'll have to be careful if you're going for that kind of thing, because for all intents and purposes that machine will be "outside" the firewall. Of course the port-forwarding options of the appliance carry similar risks, because your visitors are forwarded "inside" the firewall, so a bright spark could possibly get up to foolery if you're running dangerous services. Naturally you could run multiple firewalls, but then you're going beyond the SO/HO, though I suppose that you could connect the WAN port of one 401W to a LAN port on another (though I've not tested that and it's possible that the little machines could detect such a thing) and have a very cheap and basic solution. Very basic though, but I'll be getting to that in a second.

Now that everything is configured to my satisfaction I have an external site port-scan my location and am well pleased! All ports except those that I explicitly forwarded and ident (113) are "stealthed", meaning that they don't react at all to probes, while ident is "closed" and the forwarded ports are "open" of course. Ident is closed explicitly because some internet services require either a connection or an explicit RST off of port 113 before they will work (think IRC and such like) or they may behave strangely, and I'm pleased that Hotbrick have thought about this. The 'brick has some logging functions, meaning that it logs all blocked connections, all connections from inside to the internet (via urls, and there is also a function to use a database of unwanted words to block urls containing said letter combinations (like boobies!) at the gate, ie. parental control etc.) and everything that it labels a "DoS", which includes portscans, ping floods etc. The simple model I have doesn't support a syslog function, but it does allow the logs to be emailed to a user-configurable address using an equally configurable SMTP server. You can configure when you want the logs mailed to you as well, either when "full" or at a date/time of the week. It supports downloading its configuration in the form of a text file, which can be saved and uploaded again in case something goes wrong. You can't backup its firmware like that, but it does allow flashing via TFTP. I seem to recall that it *needs* to be on UTP for that and not on wireless. What else can it do? Well, it has a certain amount of port-forwarding rules pre-configured, which is nice, and you can define your own too, together with global and rule specific enable/disable switches. This, combined with a database of systems on your network, makes implementing rules a breeze.
This database is automatically filled by the built-in DHCP server, but if you're strange (like me) and don't use it you'll have to add machines by hand. The 401W firewall's throughput is about 40MBit, well above your average home's aDSL or cable, but there are higher models with multiple WAN ports that can also load-balance, but these come with added costs etc.

As to the full set of specs it supports, well, you can read that on its website that I've linked to above; I really can't be arsed typing all of that while someone else has already done that for me. Bottom line is it's small, silent, cheap and does exactly what it says on the tin. No frills, but there are a few nifty things that it can do that I hadn't expected.
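The external scan described in the post is the useful check here: the point is not the scan itself but comparing what the outside world sees against what you intended (forwarded ports open, ident answering with an RST, everything else silent). The following is an added example, not part of the original post or any Hotbrick software, that encodes that intended exposure as a policy and flags any port whose observed state deviates from it. The probe responses and the port list are constructed sample data.

```python
# Added example: audit an external port-scan result against the intended
# firewall exposure (forwarded ports open, ident/113 closed with an RST,
# everything else dropped silently). Not the Hotbrick's code; the scan
# results below are constructed for illustration.

from dataclasses import dataclass

# The three states a SYN scan reports for a TCP port.
DROP, CLOSED, OPEN = "stealthed", "closed", "open"


@dataclass(frozen=True)
class ExposurePolicy:
    # TCP ports deliberately forwarded to internal hosts.
    forwarded: frozenset
    # Ports that must answer with an RST rather than silence (ident, as
    # the post explains, so IRC-style services don't hang on the lookup).
    rst_ports: frozenset = frozenset({113})

    def expected_state(self, port: int) -> str:
        if port in self.forwarded:
            return OPEN
        if port in self.rst_ports:
            return CLOSED
        return DROP


def classify_probe(response):
    """Map the raw reply to a SYN probe onto the scanner's three states.

    response is None (no packet came back within the timeout),
    "SYN-ACK" (a listener accepted) or "RST" (host or firewall refused).
    """
    if response is None:
        return DROP
    if response == "SYN-ACK":
        return OPEN
    if response == "RST":
        return CLOSED
    raise ValueError(f"unexpected probe response {response!r}")


def audit_exposure(policy, probe_results):
    """Return {port: (expected, observed)} for every port whose observed
    state differs from policy. An empty dict means the external footprint
    matches what was intended."""
    deviations = {}
    for port, response in sorted(probe_results.items()):
        observed = classify_probe(response)
        expected = policy.expected_state(port)
        if observed != expected:
            deviations[port] = (expected, observed)
    return deviations


# Constructed policy: web (80) and mail (25) forwarded inside, as in the post.
POLICY = ExposurePolicy(forwarded=frozenset({25, 80}))

# Constructed scan that matches the policy exactly.
SCAN_OK = {22: None, 25: "SYN-ACK", 80: "SYN-ACK", 113: "RST", 443: None}

# Constructed scan where ident is being dropped instead of refused, and an
# unintended service (22) is reachable from outside.
SCAN_BAD = {22: "SYN-ACK", 25: "SYN-ACK", 80: "SYN-ACK", 113: None, 443: None}

if __name__ == "__main__":
    print(audit_exposure(POLICY, SCAN_OK))   # {}
    print(audit_exposure(POLICY, SCAN_BAD))  # 22 open, 113 stealthed
```

Running the audit after every rule change (or after a firmware flash, since the post notes the configuration can be saved and re-uploaded) turns the "am well pleased" eyeball check into something repeatable: a forwarded port that was meant to be disabled, or an ident rule lost in a restore, shows up as a deviation rather than being noticed later.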
 

xane

Fledgling Freddie
Joined
Dec 22, 2003
Messages
1,695
Not attempting to be at all critical here, but how does this differ from any run-of-the-mill ADSL/Router box out there ? Just the extra configurability ?
 

Chilly

Balls of steel
Joined
Dec 22, 2003
Messages
9,046
You forgot the most important bit.

It's RED, it looks the shiznit.
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,693
hehe it is red indeed, and tiny! you could lose it if it weren't attached to a cable :)

Xane said:
Not attempting to be at all critical here, but how does this differ from any run-of-the-mill ADSL/Router box out there ? Just the extra configurability ?
I don't know. I've never had an aDSL router, though they seem quite popular in the UK tbh, only "always on" home made firewalls. A firewall isn't a router, and a router isn't a firewall, though they can fulfil the same job depending on how good their software is. I suppose that there is no functional difference in the end, not in these little appliances.
 

xane

Fledgling Freddie
Joined
Dec 22, 2003
Messages
1,695
Most ADSL/Router units have a firewall capacity, and certainly the ones I've used, from mainstream manufacturers like Netgear, Belkin, Linksys, etc, have quite extensive configuration options.
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,693
hmm, afaict the extra lies in the ability to DMZ at the touch of a button and the logging. it now logs everything to my gmail account, so I'm kinda curious what ads le google will serve me after reading all the pr0n I browse :)
 
