A couple of months ago, in a fit of green responsibility, I decided it was time to retire my firewall server. This doesn’t seem like much until you realize it was a 10+ year old dual Pentium-II Xeon IBM PC Server 325…

I suspect that this server was $20 of my monthly electric bill all by itself. It housed 4 NICs (What, you don’t have 3 different non-routable networks behind a public IP?), which was another exercise in personal over-complication. I struggled for several days to get the original Linux kernel to compile with support for the dual CPUs in full SMP. This was back with Linux 2.2, so I had to build IPTables myself. This weekend was also known as “The Weekend I Dumped Debian.”
Over the years, this box and I formed the strong bond that can only come between someone who likes pain and a machine built to give it. We saw many distros and plumbed the dark depths of network witchery. I had twisted server daemons to my will. I had cron jobs that scoured logs and dynamically updated IPTables rules. I ran nasty server daemons that listened on common inetd service ports just to screw with scanners. I had a spoofed email relay that held the connection open as long as the client would stick around, to waste its time.
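The log-scouring cron job described above, as an added example rather than the post's own script: it reads netfilter LOG lines, counts how many distinct destination ports each source has probed, and emits the iptables DROP commands a cron job would apply. The log lines are constructed for this example (RFC 5737 documentation addresses), the threshold and the allowlist are assumptions, and the commands are returned as strings rather than executed so the block runs offline.

```python
# Added example, not the post's own cron job: parse iptables LOG lines,
# flag sources that probed many distinct ports, and emit DROP rules.
import re
from collections import defaultdict

# Constructed netfilter LOG lines (RFC 5737 documentation addresses),
# made up for this example; not log lines from the post.
SAMPLE_LOG = """\
Jan 14 02:11:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41211 DPT=21 SYN
Jan 14 02:11:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41212 DPT=22 SYN
Jan 14 02:11:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41213 DPT=23 SYN
Jan 14 02:11:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41214 DPT=25 SYN
Jan 14 02:11:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41215 DPT=80 SYN
Jan 14 02:11:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41216 DPT=110 SYN
Jan 14 02:11:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41217 DPT=143 SYN
Jan 14 02:12:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 14 02:12:41 fw kernel: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 14 02:13:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60010 DPT=80 SYN
Jan 14 02:13:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60011 DPT=443 SYN
Jan 14 02:13:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=41218 DPT=53 LEN=40
"""

# netfilter LOG prints SRC= before PROTO= before DPT=, so one ordered regex is enough.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)")


def distinct_ports_by_source(log_text):
    """Map each source IP to the set of (proto, dport) pairs it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without the netfilter fields are ignored
            seen[m.group("src")].add((m.group("proto"), int(m.group("dpt"))))
    return seen


def find_scanners(log_text, threshold=5, allowlist=frozenset()):
    """Sources that probed at least `threshold` distinct ports, minus an allowlist.

    The threshold is an assumed value; a repeat connection to one port (a
    legitimate SSH client retrying) counts once, a sweep across ports does not.
    """
    seen = distinct_ports_by_source(log_text)
    return sorted(src for src, ports in seen.items()
                  if len(ports) >= threshold and src not in allowlist)


def drop_rules(scanners, already_blocked=frozenset()):
    """iptables commands a cron job would run, skipping sources already dropped
    so that repeated runs do not pile up duplicate rules."""
    return [f"iptables -I INPUT -s {src}/32 -j DROP"
            for src in scanners if src not in already_blocked]


if __name__ == "__main__":
    for cmd in drop_rules(find_scanners(SAMPLE_LOG)):
        print(cmd)
```

In a real cron job the `already_blocked` set would come from the current ruleset (for example by parsing `iptables -S INPUT`), and the allowlist should always contain your own hosts and any monitoring box that legitimately sweeps ports, otherwise the first scan you run against yourself locks you out.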
It was a lot of vigilance for a home network that runs no MS Windows and sees little traffic. Eventually I came to decide all of this “vigilance” wasn’t worth the power bill and complexity. I bravely swept it aside for a new shiny Apple Airport Extreme.
The first couple of weeks were honeymoon-easy. It was easy to set up my DMZ, routing rules, etc.
Last week, I got my first port scanner. I always have my console showing me my security logs in the background. Cute wasn’t going to cut it. Time for this little white box to get serious. I didn’t expect my old, sassy command line interface to add in new rules, but one way or another, that IP block was going to get dropped.
That is when I found that the cute white box couldn’t block IP addresses. It didn’t have the ability to configure the firewall at all! A port is either open or closed. Apple’s suggestion was to block the enemy IP at my Mac. Never mind that I have more than ONE computer behind this Airport. Nothing like copying and pasting a bunch of ipfw commands to a bunch of boxes.
It is a drag that a $58 Linksys can do what a $180 Apple product can’t. I finally fell for OS X because it was that great blend of easy, but a real OS with a real command line when I needed it. I wish that their router was as smart.